SSL is secure socket layer, also normalized as TLS known as Transport Layer Security and it is mainly used for secure transmission of data between the client and server and in this article we are going to discuss on some of the SSL Security issues and how we may safe guard our self from these SSL security issues.
SSL (HTTPS) is used to protect the sensitive data transmission from client to server and vice versa. It is know that if SSL is not used, meaning HTTP is enabled then it is easy for someone having access to network to sniff the traffic and capture the sensitive information in plaintext. Using any SSL is not secure as there are some SSL Security issues as well which we are going to discuss now.
When using SSL/TLS we need to check for
- The version of SSL/TLS being used as some of the versions are vulnerable and are not safe to use. It is recommended to use TLS 1.1 or TLS 1.2 for secure transmission of data.
To check which versions of SSL are supported, use TestSSLServer tool or THCSSLCHECK or nmap script or simply run a scan on one of the websites online which provide this service.
a.) Using TestSSLServer, run the below command to check which version of SSL are enabled
TestSSLServer.exe -v -text test.txt siteurl portnumber_usingSSL
b.) We may quickly scan online to check this, it also provides detailed information about other SSL security issues.
- We also need to check for the cipher suites used for encryption and transmission of data. The above tools also showcase this information, we need to verify if the recommended 128 key bits are used or even the lesser key bits are allowed for encryption.
- Make sure that the Certificate is valid and has been signed by a trusted party. This can be verified by looking into the certificate details.
- Ensure that the application is not accessible via both HTTP and HTTPS. If HTTP access is also enabled then sensitive data is transmitted in plain text.
- Use HTTP STRICT TRANSPORT HEADER (HSTS) which enforces the application be accessible or available via HTTPS only.
- Check for any sensitive cookie of the application and have that Cookie Secure attribute set to true. This allows the cookie value to be transmitted via only secure channel.
- Check for latest SSL weaknesses and be ready to apply patches as available.
Hope this article provided some of the valuable information on SSL Security issues. If you liked this article, please share it with your friends.