Tuesday, June 2, 2015

Security: Unexpected Terminal Event

Today I killed a production website by pointing a webapp vulnerability scanner at it.  The unexpected stress brought the appserver to its knees while revealing some holes.  Luckily my more tactical colleagues came to the rescue and had the website back up in minutes -- after I had killed the scan -- but this opened two cans of worms. 

First, an obvious need to design and implement 1) stress/load testing and 2) vulnerability/penetration testing as part of regular operations.  These two needs are usually met ad hoc; both need to be part of the release certification process.

On another note, I was using the awesome open source tool called w3af.  :)

Security: HTTPS Utilities

I was going to talk about recent hacks against "secure" web communication, a.k.a. HTTPS (Heartbleed, POODLE, BEAST, etc.), but that is a bloated topic.  Instead, I'm just going to demo 3 invaluable utilities for techies specific to TLS/SSL, and show how Amazon makes managing HTTPS so simple that technologists have even more reason to be lazy.

3 HTTPS utilities

  1. openssl
  2. curl
  3. nmap

That's really it.  These utilities have been around for years, so there's nothing new here.  A few examples will demonstrate their utility in verification, identification, and negotiation of HTTPS communication.

Identify all secure communication options serviced by a website:

$ nmap --script ssl-enum-ciphers www.httpvshttps.com
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
...

Verify the secure communication options negotiable by the client, specifically cipher suites for the highest TLS version that use RSA for both key exchange and authentication with 256-bit AES encryption:

$ openssl ciphers -v | grep 'TLSv1.2' | grep 'Kx=RSA' | grep 'Au=RSA' | grep 'Enc=AES(256)'

AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256

Negotiate a pre-defined cipher suite and TLS version to simulate a particular web client:

$ curl -v --location --tlsv1 --ciphers AES256-SHA https://www.httpvshttps.com

Amazon HTTPS & ELBs

AWS ELBs (Elastic Load Balancers) make managing HTTPS so simple. These load balancers can be set up with user-defined certificates to terminate secure communication to a website, and are deployed with either pre-defined or user-defined security policies.  When a customer asked me to disable TLS v1.0, I simply changed their ELB security policy by removing all the ciphers available for that kind of secure negotiation via a checkbox:

Of course, no good technologist trusts a GUI, so I verified that change by using the 3 utilities above :)
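As an added example (not from the original post), here is a small shell script that parses the nmap ssl-enum-ciphers output used above and reports which protocol versions a server still offers, so a change like disabling TLSv1.0 on an ELB can be confirmed from the command line instead of trusted from the GUI.  The scan text embedded in it is constructed to resemble the scan earlier in the post; the host name in the live check is whatever you pass in.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): parse `nmap --script ssl-enum-ciphers`
# output and report the protocol versions a server still offers, so a policy
# change (e.g. disabling TLSv1.0 on an ELB) can be verified from the shell.

# Constructed sample scan, shaped like the nmap output shown in the post.
SAMPLE_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - weak
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: weak'

# Print, one per line, the protocol versions for which the scan listed ciphers.
# A version reported as "No supported ciphers found" is skipped.
offered_protocols() {
    printf '%s\n' "$1" | awk '
        /^[|]   (SSLv[23]|TLSv1\.[0-3]):/ {
            ver = $2; sub(/:$/, "", ver)
            if ($0 !~ /No supported ciphers/) print ver
        }'
}

# Exit 0 if the server still offers SSLv2, SSLv3 or TLSv1.0; exit 1 otherwise.
offers_legacy_tls() {
    offered_protocols "$1" | grep -Eq '^(SSLv2|SSLv3|TLSv1\.0)$'
}

# Count the cipher suites the nmap script rated "weak".
weak_cipher_count() {
    printf '%s\n' "$1" | grep -c -- '- weak$'
}

# Live check (network required): scan the given host on 443 and fail if a
# legacy protocol is still offered after the policy change.
verify_host() {
    scan=$(nmap -p 443 --script ssl-enum-ciphers "$1")
    if offers_legacy_tls "$scan"; then
        echo "$1 still offers: $(offered_protocols "$scan" | tr '\n' ' ')"; return 1
    fi
    echo "$1 offers only: $(offered_protocols "$scan" | tr '\n' ' ')"
}
```

Run `verify_host www.example.com` after changing the ELB policy; a non-zero exit means TLSv1.0 (or older) is still being negotiated.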