There are far more ways to apply encryption incorrectly than there are ways to apply it correctly. Sadly, many people think they already know everything they need to know about encryption because they have read a few articles online. Recently, I published an article in which I discuss methods for assessing your HTTPS posture. While I was specifically focused on internal systems where you have some degree of control or are obligated to inform those who do have the degree of control, it is also extremely important not to overlook the necessity of performing the same type of assessment against vendor solutions.
Many times, I have pressed vendors for details regarding security only to receive the responses, “I do not have the information,” or my personal favorite, “It is encrypted.” Not having the information is inexcusable, and responding with, "it is encrypted" is arguably even worse. It implies they cannot articulate the details and they hope that you simply nod your head and not ask any further questions.
When considering HTTPS posture, there are a few key points to keep in mind. While these points do apply to internal configurations, they especially apply to vendor-provided solutions and information:
- Question everything. "It is encrypted" is a class of answers, not an answer on its own. The question is how it is encrypted. It is akin to someone asking what you like to eat and you replying, "food."
- If a vendor ever says that they use proprietary encryption (I am still shocked at how often I encounter this), it is a very bad sign. It borders on a statement of ineptitude.
- Evaluate what is meant when an enterprise says, "we do not share that information." Similar to the previous point, this statement implies the vendor does not fully understand the subject. If they were applying encryption correctly, they would proudly proclaim the details to anyone who asks.
- Ensure weak ciphers and protocols are explicitly disabled. It is not uncommon for a vendor to say something like, "we use TLSv1.2," and while this is ideal, it does not reveal what else is enabled. For example, using TLSv1.2 but leaving SSLv3 enabled largely defeats the purpose.
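The last point is the one that can be verified rather than taken on a vendor's word. The script below is an added example, not code from the article or from any vendor: it pins a TLS client to exactly one protocol version per handshake so you can see which versions a server actually accepts, and it builds a hardened client context whose minimum is TLSv1.2. Host, port and the cipher string are assumptions chosen for illustration. A result of `None` means the local OpenSSL build cannot speak that version at all (common for SSLv3 today), which is "not testable from here", not "disabled on the server".

```python
import socket
import ssl
from typing import Dict, List, Optional

# Protocol versions that should be explicitly disabled on any current deployment.
LEGACY = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
MODERN = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLSv1.2 and limits ciphers.

    The cipher string is an illustrative assumption; align it with your policy.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """Attempt a handshake pinned to a single protocol version.

    Returns True if the server completed the handshake at that version,
    False if it refused, None if this client cannot even offer it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol support, not identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # local OpenSSL was built without this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def assess(results: Dict[ssl.TLSVersion, Optional[bool]]) -> List[str]:
    """Turn per-version probe results into posture findings."""
    findings = []
    for version, accepted in results.items():
        if version in LEGACY and accepted is True:
            findings.append(f"{version.name} accepted: legacy protocol must be disabled")
        elif version in LEGACY and accepted is None:
            findings.append(f"{version.name} not testable from this client; verify server config")
    if not any(results.get(v) for v in MODERN):
        findings.append("no modern protocol (TLSv1.2 or TLSv1.3) accepted")
    return findings


def scan(host: str, port: int = 443) -> List[str]:
    """Probe every version this client knows about and report findings."""
    versions = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return assess({v: probe_version(host, port, v) for v in versions})


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    for line in scan(target) or ["no findings: only TLSv1.2+ accepted"]:
        print(line)
```

Run it against a system you are responsible for, or one whose owner has asked for the assessment, and compare the output with what the vendor told you. "We use TLSv1.2" is confirmed only when the legacy rows come back refused, not merely when TLSv1.2 succeeds.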
The previous points will help draw out the true encryption details. By clarifying these details, not only does the level of security increase, but so does the level of understanding of how security is implemented.
Read Kurt Kincaid’s recent Journal article:
“HTTPS Posture Assessment,” ISACA Journal, volume 3, 2017.