SSL and TLS

shochanshochan Member Posts: 962 ■■■■■■■□□□
edited May 19 in Cryptography & PKI
I was just curious how some of you cybergurus are dealing with the many SSL and TLS vulns on your network.  There seems to be like 10-15 different kinds.  Most are mediums, so, its not that pressing on trying to figure out the best method to mitigate them.  BUT it still is a loophole on your network.
Are you just creating your own TLS v1.3 certs, or purchasing them from Cert Auth? or simply accepting the risk they pose? 
A lot of them are dealing with weak ciphers.
Obviously, you want to get away from SSL certs all together.
Please share how you are fixing them, if you want to.
Thoughts and comments are welcome!
Cheers & Hi5!
2021 Goal ~ OSCP

Urban Achiever~ A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+
A.A.S - CIS

Comments

  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,260 Admin
    Replacing certs as they expire, mandatory org metadata present, new certs use strong(er) encryption/hashing, and expiration date is maximum one-year. Always get certs from a prominent certificate authority.
  • FluffyBunnyFluffyBunny CISSP, OSCP, CEH, RHCE, GCCC, Pentest+, PSM-1, alphabet soupMember Posts: 143 ■■■■□□□□□□
    > "Are you just creating your own TLS v1.3 certs, or purchasing them from Cert Auth? or simply accepting the risk they pose? "

    Anything out on the web gets bought via an external cert auth and as JDM says: replace when expire. 

    Anything internal gets certificates from one of our internal PKIs. With tens of thousands of servers, applications and identities we A) don't want the expense, and B) don't want all those identities known to the outside world. For internal systems there's a two-pronged approach: replace-when-expired and vulnerability scanning reports which will flag anything at 1.1 and below as an issue. 
    CISSP, OSCP, CEH, GCCC, RHCSA, RHCE, Pentest+, Linux+, PSM-1, alphabet soup...

    2020: Renew RHCE (with EX407), CompTIA CTT+, Autopsy forensics, Applied Purple Teaming (BHIS) All done!
    2021: Modern Web-app pen-testing (BHIS), PDSO CDP, Docker DCA, PortSwigger Burp Suite class.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,260 Admin
    I forgot to include: no self-signed certs, and all software developed in-house must be signed when it is built and/or before it is run in a production enviroment.
  • scascscasc Member Posts: 398 ■■■■■□□□□□
    TLS 1.3 fixes the issues that reside with 1.2 - in that there is no support for PFS if you are not using ECDHE (i.e. using RSA for key exchange) and use of the vulnerable ciphers prone to downgrade attacks such as Beast, Drone etc. 

    As mentioned, internal PKI used for internal apps so identities not known outside and external CA used for public facing assets. When using AES - use it in GCM - which is authenticated encryption and not CBC for example. 

    There needs to be a process in place to roll over, revoke and disseminate your x509 certs. For example, AWS use ACM to manage this for you - place it on ALB/API-G/CDN.

    You find servers still support less than TLS 1.2 for backward compatibility and the endpoints accessing those servers cannot negotiate 1.2. Which opens you to attack but its again a risk v benefit conversation.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,280 Mod
    Sorry to Hijack this thread but a relevant questions...

    Any thoughts on "EV certs" ?


    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,260 Admin
    Software developers who use code signing use EV certs to identify their executable binary files.
Sign In or Register to comment.