How to Avoid SSL Bypass Vulnerability

[Orton]

As the web expands, so the threats. I was going through certain articles to protect a website in more secure manner. Under that case I landed on a different topic which says how much secure a SSL is. SSL is not common to many. It is a complex technology which provides you a protected content over web. In simple word you can lock your website and share the key with only those whom you want to access your site. But can some bypass SSL also? The answer is yes. Due to low practices this can happen.

It can happen that you are not aware that still your protected content is viewed and shared over web. What is the solution for that? The first question appears in my mind. I did not find an actual way to get rid of it. But there are some things that can be avoided. I will try to put more highlight here how a SSL can be bypassed, so that end user can stay aware. It is not a threat, but it is a failure of service. What if you are paying a nice amount to some third party service that provides you SSL certificate and that fail to comply with security terms? Along with that, your protected content is still visible by non ethical way. SSL is used by email services, banks, education institutions, government and private firms, to protect confidential information from other.

Compared to a regular website, SSL protect website is different. It consists of some exclusive information that cannot be shared on public. This information can related to important business matters, online transaction, etc. Also when a SSL is applied the user enters via secure tunnel. That means no one other than an authenticated user can access the site content. So in short you stay safe. But this is not the right scenario here. I will not say that you are completely insecure, but in my views you must stay aware with existing and upcoming vulnerability.

Recently I got an update Cisco CSS 11500 Series Content Services Switches has a vulnerability that can cause SSL vulnerability. That means a person can access the protected content by taking benefit of that vulnerability. Here you can do nothing, because on the hardware level this bug appears. If you are one of those who are using these Switches should learn that notice on Cisco site. According to the vulnerability, the server security can be bypassed through improper settlement of SSL clients no SSL session. At this time the client ssl can be bypassed.

There are some complicated technical terms that are needed to be checked and verified by your system admin. So once just have a look on the vulnerability notice. Second thing if you are using Cisco devices keep an eye on the regular notice issue by them. There are chances that your hardware is not completely secure. Vulnerability just does not appear directly on software level. There are chances that the hardware that we are implementing on our network might come with bugs which appear only after a specific time interval. At that point it is necessary that you must remain focus on news and take necessary measure. Manufacturers provide an official notice on web, which guide how to secure you. Some of them even provide you replacement if there is any major issue. Like the one that I had mentioned in first paragraph about Cisco CSS 11500 Series switches. To fix the vulnerability there is a small update provided on the same. So the first duty of network admin is to run those provided patches and avoid direct access to protect content. There are some black hat techniques that can be applied to bypass SSL. It does not matter that you go for dedicated hosting for SSL support or either your own dedicated device for setting your intranet site for SSL support.

[Orton]

SSL is quiet essential and will be an important part in coming future. Today this is widely used for online transaction. SSL protect sensitive information getting on web. Like you will never like your credit card number moving widely over internet. SSL can be bypass with some tools also. Someone can access your HTTPS traffic without your knowledge. What matters mostly is protection of sensitive information. Banking industry spend a heavy amount is implementing a powerful SSL security to protect their users interest. It is sad to know that then also it is vulnerable to attack. Attackers will use their best tool to access information and use them for un-ethical work. There are number of conference held worldwide which discuss on such attacks and security hole. But do they really guide end user who is going get affected the most. Surely no one likes to go in detail. Because there is no time for that. Let’s remove the enterprise from the list. They will spend a huge amount to protect them. What about a regular end user who cannot spend much on the same. Are they secure? They are but to some extent. Depends on the server they are on.

At that point we do not like to comprise with the security by implementing something new. I had noticed that in last couple of years many new applications were installed on web server which ensures maximum protection. As this application is mostly focused on protection business apps rather getting to sensitive with data protection. Some this app cannot be implemented by everyone. Talking about public sector they go for the best. Today many website maximum rely only on SSL encryption. Is there any way other than that? I think no. SSL usually helps to bifurcate between authenticated and non-authenticated traffic. So here at the source point threat is blocked. But what if someone does not goes by that way. I mean to say if a person uses some third party tool which a SSL cannot read or block, then the entire content remains expose on web. Yes there is no major attack appeared in recent years on SSL based websites. To implement SSL you need to give an open port which by default is 443. Many companies ignore monitoring the traffic coming via 443. 443 is an open door for those you are authenticated by SSL. But this is an open door.

Surely there is a guard on the standing (SSL) but that do nothing for ghost. Attackers use phantom mode to enter. They remain undetected. But server logs are something which can show appearance of usual activity. So first that that is needed is to ensure a regular security check of every log. The traffic must be monitored properly. Do not just rely on the SSL only. Open ports are too risky it does not matter what they are used for. Second thing a proper policy control is needed. That means your server admin must be responsible to create and implement appropriate server security policies. This polices consist of various things like bandwidth restriction, data usage limit, access rights, etc. This polices must be change after a regular time interval and security audits must be carried on. There are rumors that a new type of spyware is going to bypass SSL more easily. This spyware can be responsible for different phishing attacks which can affect end users. This can create a matter of doubt in the mind of people who use internet banking. One thing, if you are a user then you must keep an eye on what secure technology your firm is using.

You can ask them or read on their website for information. One thing that can be easily initiated to avoid major data outflow is proxy server. I had seen that many business networks mostly migrate to proxy server for user access. So if something happens or a server is infected the central server remains more secure. The data remains safe and services can continue even after terminating the proxy server. Another thing implementing a SSL does not means a user cannot have a privacy of his content. To some extent it becomes unethical to monitor everything. Still hackers do not stay quiet. They try their best to affect the web. You can hear news that a new tool is released to cause SSL penetration. These tools are released for novice to test. At this point it is not easy for security firm to control the attacks. Also it is not possible to monitor the entire web. It is more vast and keeps on increasing. Also there are many aspect which are not knows to everyone. At a SSL level an end user can do nothing. The entire responsibility of the same lies on bigger enterprise that provide service related to that.