OWASP Series - Insecure Communications

May 14, 2008

A9 - Insecure Communications
"Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications."

Most people realize that e-commerce sites need an SSL certificate. That has been drilled into people since the early days of the Internet. However, most people will not look at this topic with any degree of depth. Many applications, not just e-commerce, may require SSL. Perhaps your application handles employee information or health information; it doesn't take much to realize the danger of not properly securing this information and its transmission.

When updating a web application, are you using FTP over SSL or SFTP? The standard FTP protocol is not secure: credentials and data are transmitted in clear text. You could be exposing your FTP login, your application files and the data they protect.

If you are using a remote desktop tool, do you know whether it is properly securing your session? VNC, a popular remote desktop tool, is not encrypted by default. There are tools and patches to correct this, such as stunnel.org or UltraVNC. Windows Terminal Services uses 128-bit encryption, but not every item in a session is encrypted (http://support.microsoft.com/kb/275727). Are you using a VPN? If so, are you using a strong protocol?

If you are using SSL on your websites, are you using a strong cipher? Foundstone has a free tool called SSLDigger (http://www.foundstone.com/us/resources/proddesc/ssldigger.htm). You can use SSLDigger to see whether you are supporting weak ciphers and possibly exposing your information. By default, IIS supports several weak ciphers that should be turned off to prevent their use. By default, browsers will use the strongest cipher available, but there is no reason to allow a weak cipher to slip through the cracks.

If you are using weak ciphers, they are fairly easy to fix.

IIS
http://support.microsoft.com/?id=187498
http://support.microsoft.com/kb/245030/

Apache
View the Apache HOWTO Guide
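As an added illustration of the check and the fix described above (example code written for this post, not Foundstone's SSLDigger or any vendor configuration), the script below flags weak cipher names in a scanner-style report and builds a server-side TLS context that refuses them. The weak-cipher patterns and the sample report are constructed for the example; the cipher string and the context are plain Python `ssl` module usage.

```python
import re
import ssl

# Patterns that mark an OpenSSL-style cipher name as weak (constructed for this example):
# NULL gives no encryption or no authentication, ADH/AECDH are anonymous (no server
# authentication), EXP is 40/56-bit export grade, and RC4, DES/3DES, RC2 and MD5 are
# broken or deprecated.
WEAK_PATTERNS = [r"NULL", r"^ADH", r"^AECDH", r"EXP", r"RC4", r"(^|-)DES-", r"3DES", r"^RC2", r"MD5"]
WEAK_RE = re.compile("|".join(WEAK_PATTERNS))


def is_weak(cipher_name: str) -> bool:
    """True if the cipher name matches one of the weak-family patterns."""
    return WEAK_RE.search(cipher_name.upper()) is not None


def weak_ciphers(cipher_names):
    """Filter a list of cipher names (e.g. what a scanner reports) down to the weak ones."""
    return [name for name in cipher_names if is_weak(name)]


def hardened_context() -> ssl.SSLContext:
    """Server context that refuses SSLv2/SSLv3/TLS 1.0/1.1 and the weak cipher families."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries exclude weak families outright.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5")
    return ctx


def context_has_no_weak(ctx: ssl.SSLContext) -> bool:
    """Re-check the context the same way a scanner would: list what it offers, flag weak ones."""
    return not weak_ciphers(c["name"] for c in ctx.get_ciphers())


# Constructed sample: the kind of list a scanner might report for a server with default ciphers.
SAMPLE_REPORT = [
    "EXP-RC4-MD5", "DES-CBC-SHA", "RC4-SHA", "DES-CBC3-SHA",
    "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    print("weak ciphers in report:", weak_ciphers(SAMPLE_REPORT))
    print("hardened context clean:", context_has_no_weak(hardened_context()))
```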

Email is another form of communication that is usually conducted without security. Did you know that all the email protocols (IMAP, POP3, SMTP) have SSL encryption available? You will need to check with your ISP to see whether they support it. This secures the traffic between your email client and your ISP, which is handy if you are at a conference or using a public network, but the email transmitted between service providers is still vulnerable. There is a solution for this as well: free email certificates are available to secure your emails (http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html).

You have probably got the idea by now that you need to look at all the ways you touch and manage your applications, from FTP to database management tools. These examples, however, look at external communications. Are you encrypting your internal communication, between web and database servers, LDAP traffic, and so on? In many cases internal communications between systems need security. In the earlier example I talked about an application that contains employee information. Let us say this application contains salary information. Does that need to be protected internally? Another approach is to treat the internal network as hostile, so that if it is ever compromised, your application stands a chance of surviving.

Comments

John Mason

John Mason wrote on 05/16/08 4:00 AM

I should also mention that Flex, Flash and AIR applications make this very important as well. I see developers all the time having their Flex applications transmit information insecurely to a server, and not even considering the danger this creates. I think people forget what is running on the server side and what is running on the client. Also, if you have trace calls in your code that a person with a debugger version of Flash Player can read, or some authentication written into your code that a decompiler can pull out. There's a lot to consider, so be careful. AS3 is missing built-in hashing and encryption functions, but thankfully there are some open source solutions like as3corelib, http://code.google.com/p/as3corelib/
