Application Security #3: How to find SSL Issues for your assets

Ba Yin Min
Mar 27, 2022

SSL/TLS issues are among the findings that usually come up in a pentest report. I am sure most developers are familiar with seeing something like:

Weak ciphers in use? … SSL Cipher Block Chaining Cipher Suites Supported …?

Self-signed certificate in use? … SSL certificate cannot be trusted?

SSL Version 3 in use? … TLS Version 1.0 Protocol Detection …?

In reality, SSL issues are just low-hanging fruit in a security assessment, but both developers and pentesters unfortunately have to spend a lot of time identifying them, fixing them or explaining their impact. That time could otherwise have been used for identifying and fixing deeper vulnerabilities in the application.

I have also seen many developers go through trial and error fixing SSL issues, not knowing whether the issues were remediated until the retest was done.

So I thought I would go through how to identify these vulnerabilities on your own assets, or validate that the fixes you made have actually taken effect.

There are two well-known tools that can be leveraged, one for internet-facing assets and one for internal-facing assets.

For Internet-Facing Assets:

For internet-facing assets, we can easily make use of Qualys SSL Labs. It is straightforward: just choose the "Test your server" link on the website. There are a couple of drawbacks with this tool that you need to be aware of: it can only scan port 443, and the scan results are (somewhat) public. You can choose to hide your scan by ticking "Do not show the results on the boards". In any case, anyone can scan your internet-facing asset without much scrutiny, so hiding is not really the solution; fixing the vulnerabilities is.

[Image: The SSL Labs page]
[Image: Start a scan by entering the hostname, remembering to tick the do-not-show box]
[Image: What a typical result looks like]

The scan results are quite comprehensive, covering SSL/TLS version support, ciphers and other compatibility checks. The grade it provides can be an added bonus if you are into measuring things.

For Internal-Facing Assets:

When it comes to internal assets not exposed to the internet, you should probably use an open-source tool to scan instead. One recommended tool is sslyze. It also gives very comprehensive scan results that will help you identify and remediate SSL/TLS issues. The following are samples of how the tool works.

[Image: A sample scan]
[Image: What the supported ciphers look like]
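
For a quick confirmation between retests that a protocol-version fix on an internal host and port has taken effect, the check can also be scripted. The following is an added example, not code from the original article or from sslyze: it uses only Python's standard `ssl` module, covers protocol versions only (not cipher suites or certificate trust), and the function names and status strings are this example's own.

```python
import socket
import ssl
import sys
import warnings

LEGACY = ("SSLv3", "TLSv1", "TLSv1_1")        # versions a pentest report flags
VERSIONS = LEGACY + ("TLSv1_2", "TLSv1_3")

def probe_version(host, port, name, timeout=5.0):
    """Offer exactly one protocol version and report how the server answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # certificate trust is out of scope here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():       # legacy versions warn as deprecated
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options &= ~ssl.OP_NO_SSLv3   # Python disables SSLv3 by default
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
        ctx.set_ciphers("ALL:@SECLEVEL=0")    # let the local OpenSSL offer legacy suites
    except (ValueError, ssl.SSLError):
        return "client-unsupported"           # local OpenSSL build cannot offer it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except ssl.SSLError as exc:
        # Assumption: OpenSSL reports this reason when it has nothing to offer.
        local = exc.reason == "NO_PROTOCOLS_AVAILABLE"
        return "client-unsupported" if local else "rejected"
    except OSError:                           # reset or timeout during the handshake
        return "rejected"

def scan(host, port):
    return {name: probe_version(host, port, name) for name in VERSIONS}

def findings(results):
    """Lines a retest would still raise for a {version: status} map."""
    issues = [f"{v} is still accepted" for v in LEGACY if results.get(v) == "accepted"]
    if not any(results.get(v) == "accepted" for v in ("TLSv1_2", "TLSv1_3")):
        issues.append("neither TLSv1_2 nor TLSv1_3 was accepted")
    return issues

if __name__ == "__main__":                    # usage: python tls_versions.py HOST PORT
    results = scan(sys.argv[1], int(sys.argv[2]))
    print(results)
    print(findings(results) or "no protocol-version findings")
```

Treat `client-unsupported` and `unreachable` as "not tested" rather than as a pass; a full scanner such as sslyze is still needed to confirm those versions and the cipher suites.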

In short, I hope this short article is useful for identifying, verifying and managing SSL/TLS-related issues. As for what categories of SSL/TLS issues there are and how to fix them, I may write a separate article one day.

Take care and stay safe out there!
