Which TLS SSL Vulnerabilities should I be worried about?

Note: This blog article about TLS SSL Vulnerabilities is currently a living document and will be added to on an ongoing basis.

If you put anything on the internet, or host anything internally, that provides personal or sensitive information, you should ensure that your security is set up correctly and that any old or legacy security features are disabled to help reduce your area of risk. In fact, this should be the case no matter what you are doing, as cyber best practice. However, one of the areas that I always see on penetration tests, vulnerability assessments and Cyber Essentials Plus audits is weak or insecure TLS SSL configurations. Whether this is vulnerabilities, weak cyphers or hashes, it comes down to ensuring these are addressed as soon as possible.

This blog post aims to help you read up on these TLS SSL Vulnerabilities and help you address them without having to search the internet for information.

There are many ways to check whether you have weak or insecure SSL cyphers in place. Some of the popular tools to check for these are:

Vulnerabilities

Bar Mitzvah

The Bar Mitzvah attack, which was assigned CVE-2015-2808, targets the SSL/TLS protocols and attempts to exploit the use of the RC4 cypher with weak keys. RC4 cyphers have been around for a long time and are no longer recommended for use in any environment because they are insecure.

More information:

Beast

More information:

Breach

More information:

  • http://breachattack.com/

Crime

More information:

Drown

More information:

Freak

More information:

Heartbleed

More information:

Logjam

More information:

Poodle

More information:

Sweet32

More information:

Cypher Suites

RC4

The RC4 cypher has been around for a long time; it's been around since the dawn of the internet. It was invented by Ron Rivest, was widely adopted and still is in use to this day. However, it's been more than 15 years since security researchers discovered security weaknesses within the RC4 cypher, weaknesses that could allow attackers to decrypt the keystream. This can cause issues with protecting data, and RC4 should be disabled/removed from systems as soon as possible.

More information:

RC2

RC2 is an old cypher that was originally designed to be a replacement for DES. However, it is extremely insecure and contains many security weaknesses. This cypher is not around as much these days. It is a symmetric key block cypher that was designed by Ron Rivest in 1987.

More information:

3DES

The Triple-DES (3DES) cypher is a symmetric key block cypher that applies the DES cypher three times: encrypting with the first key, decrypting with the second key and encrypting with the third key.

It is recommended that 3DES is no longer used, following a security analysis and demonstration showing attacks against 3DES in real-world examples in 2017. In 2017 NIST restricted its usage to 2^20 64-bit blocks using a single key bundle, thereby making it useless for TLS and IPSec or large file encryption.

More information:

DES

The Data Encryption Standard (DES) cypher was developed in the early 1970s by IBM. It has a short key length of 56 bits, making it too insecure in today’s world to secure anything.

More information:

NULL

The NULL cypher is a really old cypher that is also known as a concealment cypher. It is a cypher that encrypts plaintext content with a large amount of non-cypher related material.

More information:

Hashing

SHA1

SHA1 has been flagged by all the major companies as a weak and insecure hashing algorithm. Because of this, it was decided that it should no longer be used for anything.

More information:
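The check described by the Cypher Suites and Hashing sections above, as an added example that is not part of the original article: it takes the cypher suite names a scanner reports for a host and flags any that use RC4, RC2, 3DES, DES, NULL or a SHA1 MAC. The function names and the sample suite list are constructed for illustration.

```python
import re

# Weak primitives named in the Cypher Suites and Hashing sections above.
# Matching is on name tokens, so it works for IANA-style names
# (TLS_RSA_WITH_RC4_128_SHA) and OpenSSL-style names (RC4-SHA).
def weak_primitives(suite):
    """Return the sorted list of weak primitives found in one suite name."""
    tokens = [t for t in re.split(r"[_-]", suite.upper()) if t]
    found = {t for t in ("RC4", "RC2", "NULL") if t in tokens}
    # OpenSSL writes 3DES as DES-CBC3; IANA writes 3DES_EDE_CBC.
    if "3DES" in tokens or "CBC3" in tokens:
        found.add("3DES")
    elif "DES" in tokens or "DES40" in tokens:
        found.add("DES")
    # A trailing bare "SHA" means SHA1 is the suite's MAC hash;
    # SHA256/SHA384 are different tokens and are not flagged.
    if tokens and tokens[-1] == "SHA":
        found.add("SHA1")
    return sorted(found)


def audit(suites):
    """Map each suite that has a finding to its list of weak primitives."""
    report = {s: weak_primitives(s) for s in suites}
    return {s: hits for s, hits in report.items() if hits}


# Constructed sample: suite names as a scanner might list them for one host.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC3-SHA",
    "DES-CBC-SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "EXP-RC2-CBC-MD5",
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SUITES).items():
        print(f"{name}: {', '.join(hits)}")
```

Any suite that appears in the report is a candidate for removal from the server's configured cypher list; an empty report means none of the primitives covered in this article were offered.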