A Slashdot story last week discussed how 90% of all SSL VPNs use weak, obsolete encryption. And one comment said, “So? A weak VPN is better than no VPN.”
Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
A commenter asked me last week if I really believe the lock in a web browser means something.
I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.
So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.
I was doing some scanning with a new vulnerability scanner at work. It found something listening on a lot of servers, described only as Apache and OpenSSL listening on TCP port 2381. The versions varied.
Luckily I also had Qualys at my disposal, and scanning with Qualys solved the mystery for me quickly. It turned out to be the HP System Management Homepage, a remote administration/diagnostic tool that, as the title says, lets you manage HP server hardware. It runs on Windows, Linux, and HP-UX. Read more
So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.
Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”
Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.
I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.
Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.
Network professionals: Block as much UDP at the firewall as you can.
Read on for more. Read more
Veteran blogger John Dominik reported yesterday that upgrading to Firefox 13 fixed some problems for him. So of course he’ll be thrilled to know that Firefox released a new version the very next day. The. Very. Next. Day.
From a security standpoint, there are two things to like about the new version.