I was going to talk about recent attacks against "secure" web communication, a.k.a. HTTPS (Heartbleed, POODLE, BEAST, etc.), but that is a bloated topic. Instead, I'm just going to demo 3 invaluable utilities for techies specific to TLS/SSL, and show how Amazon makes managing HTTPS so simple that technologists have even more reason to be lazy.
3 HTTPS utilities
That's really it. These utilities have been around for years, so there's nothing new here. A few examples will demonstrate their use in verifying, identifying, and negotiating HTTPS communication.

Identify all secure communication options serviced by a website (which protocol versions and cipher suites the server accepts):
$ nmap --script ssl-enum-ciphers www.httpvshttps.com
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
...
Verify the secure communication options the client can negotiate, specifically suites for the highest TLS version with RSA key exchange and RSA authentication, and 256-bit AES encryption:
$ openssl ciphers -v | grep 'TLSv1.2' | grep 'Kx=RSA' | grep 'Au=RSA' | grep 'Enc=AES(256)'
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
Negotiate a specific protocol version and cipher suite to simulate a web client (here TLS 1.0 or later with AES256-SHA):
$ curl -v --location --tlsv1 --ciphers AES256-SHA https://www.httpvshttps.com
Amazon HTTPS & ELBs
AWS ELBs (Elastic Load Balancers) make managing HTTPS simple. These load balancers can be set up with user-defined certificates to terminate secure communication for a website, and are deployed with either pre-defined or user-defined security policies. When a customer asked me to disable TLS v1.0, I simply changed their ELB security policy by removing all the ciphers available for that kind of secure negotiation via a checkbox:
Of course, no good technologist trusts a GUI so I verified that change by using the 3 utilities above :)
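As an added example that is not part of the original post, here is a small Python script that automates the verification step above: it parses nmap's ssl-enum-ciphers output and flags any legacy protocol version (SSLv3, TLSv1.0) the server still services, plus any cipher nmap rates below "strong". The nmap output embedded below is a constructed sample in the layout shown earlier, not a capture from the real host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not captured
# from a real host), in the shape the script prints: protocol sections, each
# with its cipher list and nmap's strength rating.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - weak
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|_  least strength: weak
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*(.*)$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)")
LEGACY = ("SSLv3", "TLSv1.0")  # versions the ELB policy change should remove


def parse_enum_ciphers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each probed protocol version to its (cipher, strength) list.
    A version nmap reports as 'No supported ciphers found' maps to []."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2)))
    return result


def legacy_findings(parsed: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Report legacy versions still negotiable and any non-'strong' cipher."""
    findings = []
    for proto in LEGACY:
        if parsed.get(proto):
            findings.append(f"{proto} still negotiable ({len(parsed[proto])} ciphers)")
    for proto, ciphers in parsed.items():
        findings += [f"{proto}: {c} rated {s}" for c, s in ciphers if s != "strong"]
    return findings


if __name__ == "__main__":
    for finding in legacy_findings(parse_enum_ciphers(SAMPLE_NMAP_OUTPUT)):
        print("FINDING:", finding)
```

Pipe real nmap output into `parse_enum_ciphers` after changing the ELB policy; an empty findings list means TLS v1.0 is really gone.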