I was busy finishing off the build of this website when FREAK started to make the news. Being an avid Mac user, I was stuck with both a mobile and a desktop platform that were vulnerable to the FREAK Attack (FREAK stands for Factoring RSA Export Keys).
Whilst I waited for Apple to create a patch for my phone and laptop, I thought it might be a good idea to check to see if my hosting company (GoDaddy) had been proactive and set their standard platform to enforce a credible amount of security on all their connections.
It was about now that I discovered that I was protecting against FREAK, but it came as quite a shock that this domain only obtains a ‘B’ rating, which, let’s be honest, is a pretty poor show for a security company like ourselves. (You can stick any URL into the Qualys / SSL Labs site checker tool and find out how well it rates.)
FREAK is just the latest newsworthy item in a recent spree of long-standing vulnerabilities that have been exposed. Secure Sockets Layer (SSL) is now a dead duck and must not be used for secure communication any more. Even its successor, Transport Layer Security (TLS), has many limitations: only its latest incarnation (v1.2) should be used, and it must be combined with a suitable encryption cypher.
Unfortunately this is where GoDaddy have introduced a vulnerability to UnshakeableSalt.com and the main cause for us only getting a ‘B’ rating – as they allow for the use of the particularly weak RC4 algorithm.
March 2015 marks the two-year point since there were significant advancements in the approaches to breach RC4, as well as the discovery of a series of easily exploitable weaknesses. It’s also four years since the BEAST attack was first disclosed and RC4 was reluctantly used to avoid the vulnerable cypher block chaining (CBC) suites that existed in the now deprecated TLS v1.0.
Are we vulnerable to FREAK, SSL & RC4?
To be an exemplar of good information security and show how to do it properly, unshakeablesalt.com should have both Forward Secrecy enabled and RC4 disabled, neither of which GoDaddy will allow us to configure. We aren’t serving you FREAK-vulnerable pages, but if you are connecting using TLS and are dropping down to RC4 for encryption then it is possible to intercept traffic between server and client.
The only saving grace for GoDaddy is that SSL (all versions) has been disabled, although it is still possible to use TLS v1.0 with RC4, the very vulnerable combination mentioned above.
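The checks discussed above (SSL versions, TLS v1.0, RC4, export RSA and Forward Secrecy), written as an added Python example that is not part of the original post. It assumes OpenSSL-style suite names; the finding labels are made up for the example, and the sample list of accepted suites is constructed to match the situation described here, not taken from a scan of any host.

```python
# Added example. Suite names follow OpenSSL's naming; SAMPLE is constructed,
# not a scan of any real host.
KNOWN_KX = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}  # ephemeral, authenticated exchanges

def audit_suite(protocol, suite):
    """Findings for one (protocol, OpenSSL cipher suite name) the server accepts."""
    parts = suite.split("-")
    export = parts[0] == "EXP"
    if export:
        parts = parts[1:]
    # OpenSSL omits the key exchange from the name when it is plain RSA.
    kx = parts[0] if parts[0] in KNOWN_KX else "RSA"
    findings = set()
    if protocol.startswith("SSL"):
        findings.add("ssl-enabled")
    elif protocol != "TLSv1.2":
        findings.add("pre-tls1.2")
    if export and kx == "RSA":
        findings.add("freak-export-rsa")
    if "RC4" in parts:
        findings.add("rc4")
    elif protocol in ("SSLv3", "TLSv1.0") and "NULL" not in parts:
        # Before TLS 1.1 every non-RC4 cipher is a CBC block cipher (BEAST).
        findings.add("beast-cbc")
    if kx not in FORWARD_SECRET_KX:
        findings.add("no-forward-secrecy")
    return findings

def audit_server(accepted):
    """Map each finding to the sorted list of (protocol, suite) pairs causing it."""
    report = {}
    for pair in accepted:
        for finding in audit_suite(*pair):
            report.setdefault(finding, []).append(pair)
    return {k: sorted(v) for k, v in report.items()}

SAMPLE = [  # constructed: SSL off, TLS 1.0-1.2 on, RC4 accepted, no ECDHE/DHE
    ("TLSv1.0", "RC4-SHA"),
    ("TLSv1.0", "AES128-SHA"),
    ("TLSv1.2", "RC4-SHA"),
    ("TLSv1.2", "AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for finding, pairs in sorted(audit_server(SAMPLE).items()):
        print(f"{finding}: {pairs}")
```

On the constructed sample, both TLS v1.0 suites are flagged (one for RC4, one for CBC), which is the trade-off that led to RC4 being used against BEAST in the first place.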
So are we now Shakeable Salt?
Well we could be – as there is a risk that traffic from this site could be intercepted.
We do not however process, transmit or hold any sensitive or confidential data on this site, which does in fact mean there is little gain in anyone trying to intercept our traffic. There is of course the risk of Reputational Damage to Unshakeable Salt Ltd by someone demonstrating that they are intercepting supposedly secure communications between a client and a security company.
To reduce this risk we could move to a different hosting partner, or move to a dedicated host. Both would give us more freedom over our configuration choices, and both would cost more time and money and burn resources that we would rather divert to providing services.
We will still pursue and harass GoDaddy until they allow their clients to remove RC4 (primarily) and enable Forward Secrecy, but in the meantime we have made this blog post to highlight that we know about it – and we are more than happy to talk about it in an open and transparent way.
Let’s be honest – if we hadn’t pointed out that this site had a TLS vulnerability – would you have spotted it?