A9 Insufficient Transport Layer Protection Problem and Protection

Part of the Web Application Security Course

Page 1: 05 a9 insufficient transport layer protections.pptx

A9 Insufficient Transport Layer Protection

Problem and Protection

Page 2

Page 3

o  Lost 45.7 million credit card numbers
o  455K driver's license numbers
o  Considered a 'worst-case scenario'
o  The attack went on for two years before it was uncovered
o  Cause: the WEP traffic was not encrypted well

The attackers basically authenticated themselves inside the firewall.

Page 4

Insufficient Transport Layer Protection

o  Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

o  When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

Page 5

How attackers do it

o  They use packet sniffers to read the communications over a network
o  Anything unencrypted can be read easily
   •  Pages (duh)
o  But we forget about encrypting
   •  Cookies
   •  Web services
   •  Intranet communications
   •  Database requests
   •  AJAX communication
o  Anything encrypted weakly can be cracked

Page 6

How we protect ourselves

o  Require TLS for all sensitive pages
   •  Especially login pages!
o  Set the ‘secure’ flag on all sensitive cookies
o  Configure the TLS provider to only support strong algorithms
o  Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site
o  Don't neglect the backend communications

Page 7

Require SSL for all sensitive pages

o  Non-SSL requests to these pages should be redirected to the SSL page
o  Every login page should use TLS
   •  Otherwise the username and password would be sent in clear text

Page 8

Make cookies secure

o  Set the secure flag on all sensitive cookies
o  This requires them to be sent via SSL

   HttpCookie c = new HttpCookie("PetsName", "Mouser");
   c.Secure = true;

o  Do the same for ASP.NET forms authentication cookies in web.config.

   <authentication mode="Forms">
     <forms loginUrl="Login.aspx" requireSSL="true" .../>
     …
   </authentication>
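Pages 7 and 8 carried out in working code, as an added example that is not part of the slides (the ASP.NET snippet above is the deck's own): a Python WSGI middleware that redirects non-TLS requests for sensitive paths to the https:// equivalent and appends the Secure attribute to any Set-Cookie the application emits without it. The paths in SENSITIVE_PREFIXES, demo_app and the host name are constructed for this demo.

```python
from urllib.parse import quote

# Paths that carry credentials or session state (assumed for this example).
SENSITIVE_PREFIXES = ("/login", "/account")

def _secure_cookie(value):
    """Append the Secure attribute to a Set-Cookie value if it is missing."""
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    return value if "secure" in attrs else value + "; Secure"

def require_tls(app):
    """WSGI middleware: sensitive paths only over TLS, cookies always Secure."""
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "/")
        if scheme != "https" and path.startswith(SENSITIVE_PREFIXES):
            # Redirect instead of serving: the form must never be submitted
            # over the plaintext channel (a sniffer would read the password).
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://" + host + quote(path)
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            # Add the Secure flag to cookies the application forgot to mark.
            headers = [(k, _secure_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            return start_response(status, headers, exc_info)
        return app(environ, secured_start_response)
    return middleware

def demo_app(environ, start_response):
    """Toy application that forgets the Secure flag (constructed for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
    return [b"logged in"]

def run(app, scheme, path, host="www.example.test"):
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "HTTP_HOST": host, "SERVER_NAME": host, "QUERY_STRING": ""}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

run(require_tls(demo_app), "http", "/login") returns a 301 pointing at https://www.example.test/login; the same request over https returns 200 with the session cookie now ending in "; Secure".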

Page 9

Use only strong encryption

o  FIPS 140-2 compliant algorithms
   •  Use AES or Blowfish for symmetric cryptography
   •  Use SHA-256 or SHA-512 for hashing
   •  Use RSA for asymmetric (but all are okay)
o  If you use SHA-1 or MD5, please expect to be compromised

Page 10

Ensure comprehensive certificates

o  Certificate errors desensitize users to future alerts
o  Keep your certs up-to-date and valid
o  Use wildcards for domains
   •  Ex: if we have a cert for www.tic.com and we open reports.tic.com, the user sees a certificate error
   •  Get a cert for *.tic.com instead of www.tic.com

Page 11

Don't forget about the back end

o  Sniffers can see more than just web pages.
o  When sensitive, you should use TLS for:
   •  JavaScript files with business logic
   •  AJAX calls
   •  XML web services
   •  Database communications

Page 12

Summary

o  Attackers use network sniffers to get to our sensitive data
o  We should use TLS/SSL to protect:
   •  Pages (especially login pages)
   •  Cookies
   •  Web services & other backend processes
o  Only use strong cryptographic ciphers like AES and SHA-256

Page 13

Further study

o  Secure cookies white paper:
   •  http://bit.ly/SecureCookies
o  How to harden databases:
   •  http://bit.ly/HardeningDatabases
o  Wireshark information and download:
   •  http://wireshark.org