Transport Layer Security

OWASP 2013-A6 OWASP 2017-A3 OWASP PC-C1 PCI v3.2- CAPEC-217 CWE-311 HIPAA-311 ISO27001-A.14.1.3 WASC-4 WSTG-CRYP-01

The TLS protocol is used to provide privacy and data integrity between two or more communicating computer applications. When secured by a TLS protocol, connections between a client and a server have one or more of the following properties:-

  1. The connection is private
  2. The identity of parties can be authenticated
  3. The connection is reliable

Transportation layer came from Secure Socket Layer. A careful configuration of TLS will provide additional privacy-related properties like forward secrecy, prevent discloser of encryption keys etc.

Browser Compatibility

For a web application to support all its end users, the application must support all the ciphers the end user might use:-

  • Android Browser: Android browser is the inbuilt browser used in stock android phones. Google Chrome has now replaced the Android browser. The doesn’t support all the latest TLS ciphers; If an application doesn’t support the cipher android browser does, the end users won’t be able to access the web application.

  • Google Chrome: Google Chrome is a free web browser developed by Google. This browser is compatible with Windows, Linux, Mac OS, Android and IOS. Chrome is being used by almost 66% of the users to browse the internet. Older versions of Chrome uses specific ciphers for its TLS connection. If an application doesn’t support any of chrome’s supported ciphers, the end user might not be able to view the application.
  • Mozilla Firefox: Mozilla Firefox is a free and open source software developed by Mozilla Foundation. Every new version of Firefox uses a new cipher for communication. To support older versions of Firefox, the application must support ciphers used by older versions of Firefox. If an application fails to support these ciphers, the end users won’t be able to access the web application.
  • Microsoft Edge: Microsoft Edge is the latest browser introduced for Windows 10. Microsoft Edge was introduced after Internet Explorer. Microsoft Edge is available in Windows 10, Windows 10 mobile and Xbox One. The new Microsoft Edge has few unique TLS ciphers that all applications must support. If an application doesn’t support all the ciphers used by Edge, the end users using Edge won’t be able to access the application.
  • Apple Safari: Apple Safari is a proprietary web browser based on Webkit engine. Safari was introduced by Apple in 2003 for Mac OS and IOS. Safari was introduced for Windows from 2007 to 2012. Older versions of Apple Safari uses ciphers that are now not used. If an application doesn’t support the cipher, the end users would be able to access the web application.
  • OpenSSL: OpenSSL is a commercial toolkit for Transport Layer Security (TLS) and Secure Socket Layer (SSL) with a general purpose cryptography library. Each version of OpenSSL has strong and weak ciphers for encryption. So a web application must support all strong OpenSSL ciphers. If an application doesn’t support any of the end user’s cipher, the application won’t run on the user end.

TLS certificate is issued by a Certification Authority (CA). If the certification is old or expired, the application won’t get executed by the browser. Old certifications by Symantec were vulnerable to man-in-the-middle attacks.

Symantec SSL/TLS

Symantec is an SSL/TLS certificate provided with enterprise-class strength and industry-recognised support distributed under VeriSign. Many web applications are using an SSL/TLS certificate issued by Symantec. Symantec issued SSL/TLS is vulnerable to due to usage of weak and easily breachable ciphers. This vulnerability existed until the certificate issued before June 1, 2016. These certificates won’t function in Chrome version 66 and above. This error will lead to SSL errors to the users, and it will impact the end users of the application. The ‘DES/3DES ciphers’ in the TLS can be exploited to perform a man-in-the-middle (MITM) attack. The attacker can extract plain text from large encrypted traffic. Using the information, an attacker can further intensify the attack by using other intrusion attacks.

Compatibility

Some of the application’s clients might use older operating systems or old web browsers. The old cipher suite is used by all clients back to Windows XP/IE6. For example, your application is being used in the banking sector. There are banks using old server configuration. They won’t be able to access your application. Due to this configuration, the application might lose their customer base.

There are three types of TLS:-

  • Old TLS
  • Intermediate TLS
  • Modern TLS

If the application does support strong cipher suites from old, intermediate and modern TLS, the clients using any of this TLS won’t be able to access the application.

Impact

If the application doesn’t support a cipher, the application won’t run on the user end. This issue might reduce the number of users for the application. The browser might not allow the end user to access the web application. Applications with old TLS certification won’t get executed by Google Chrome version 66 and above.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Implement the suggestions given by Beagle Security Scanner tool.

Latest Articles