Marc Walzer
Security and Data Protection Officer at Sherpany

Weak TLS Encryption: a wide-spread risk

Since 24 July, Google Chrome has been taking a stand against websites that do not use secure connections. The widely used browser now marks every website that is not served over HTTPS as insecure by default.

When you access a website, your browser communicates with the server over the internet. If that traffic is not adequately protected, it can be read and modified by any hacker who manages to get between the browser and the website. This opens up a variety of threats, including but not limited to the exposure of sensitive information (e.g. credit card details, passwords) and the injection of malicious code that could be executed on your computer. With an HTTPS connection, all communication is encrypted, but the devil lies in the detail.

HTTPS uses Transport Layer Security (TLS) to encrypt data in transit. When your browser requests an HTTPS connection, browser and server perform the TLS handshake. This procedure authenticates the identity of the server and then negotiates the TLS cipher suite used for the secure session.

TLS ciphers

The cipher suite negotiated during the TLS handshake defines the algorithms that secure data in transit during an HTTPS session. A cipher suite looks like this:

[Image: Example_TLS_cipher (source: www.nginx.com)]


How these algorithms work and what each one is for is out of scope for this article. What matters is that TLS encryption is only as strong as its weakest link: if just one of the four algorithms in the suite can be broken, the security of the whole HTTPS session is compromised. A provider should therefore regularly disable weak and outdated cipher suites on the server side so that insecure connections cannot be negotiated.

The online service SSLLabs performs a deep analysis of the configuration of any public TLS web server. It generates a comprehensive report on the security of a website, graded from A to F (where A is top and F is flop). Based on an in-depth analysis of the enabled cipher suites, the report covers the certificate, the enabled protocols, known vulnerabilities and browser compatibility. If outdated browsers appear in the compatibility list, that should make you think.
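As an added example (not code from the original post or from Sherpany), the Python script below uses the standard library's ssl module to show the "weakest link" point in practice: it splits OpenSSL- and IANA-style cipher suite names into their component tokens, flags weak algorithms and key exchanges without forward secrecy, and contrasts a permissive server configuration with a hardened one by listing what each would actually offer. The weak-token list and the hardened cipher string are this example's own choices, not a recommendation taken from the article or from SSLLabs.

```python
import ssl

# Tokens in a cipher suite name that identify a weak or obsolete algorithm.
# The set is this example's own choice, not an OpenSSL-supplied list.
WEAK_TOKENS = {
    "NULL", "EXP", "EXPORT", "ADH", "AECDH",      # no encryption / no authentication
    "RC4", "RC2", "DES", "CBC3", "3DES", "IDEA",  # broken or outdated bulk ciphers
    "MD5",                                        # broken MAC
}
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}


def suite_tokens(name):
    """Split an OpenSSL ('ECDHE-RSA-AES256-GCM-SHA384') or IANA
    ('TLS_RSA_WITH_AES_128_CBC_SHA') suite name into its tokens."""
    return name.replace("_", "-").upper().split("-")


def assess(name):
    """Describe one cipher suite: which weak tokens it carries, whether its key
    exchange gives forward secrecy, and whether it uses an AEAD cipher."""
    parts = suite_tokens(name)
    # TLS 1.3 suites ('TLS_AES_...', no 'WITH') always use ephemeral key exchange.
    tls13 = parts[0] == "TLS" and "WITH" not in parts
    return {
        "name": name,
        "weak": sorted(p for p in parts if p in WEAK_TOKENS),
        "forward_secrecy": tls13 or any(p in FORWARD_SECRET_KX for p in parts),
        "aead": any(p in ("GCM", "CCM", "CHACHA20", "POLY1305") for p in parts),
    }


def findings(names):
    """Return the suites a review should flag: any weak algorithm, or a key
    exchange without forward secrecy (a stolen server key would then decrypt
    recorded sessions)."""
    return [a for a in map(assess, names) if a["weak"] or not a["forward_secrecy"]]


def legacy_server_context():
    """A permissive server configuration: every cipher suite the library knows
    is offered, including suites with no forward secrecy, and the protocol
    floor is whatever the library defaults to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context():
    """The corrected configuration: TLS 1.2+ only, AEAD ciphers with a
    forward-secret key exchange, weak families excluded explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def enabled_suites(ctx):
    """Names of the suites the context would actually offer (TLS 1.3 included)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        offered = enabled_suites(ctx)
        flagged = findings(offered)
        print(f"{label}: {len(offered)} suites enabled, {len(flagged)} flagged")
        for f in flagged[:5]:
            print("  ", f["name"], "weak:", f["weak"],
                  "forward secrecy:", f["forward_secrecy"])
```

Running the script prints, for each configuration, how many suites the server would offer and which of them a reviewer would flag; the hardened context should produce no findings, while the permissive one surfaces plain-RSA key exchange and any legacy families the local OpenSSL build still ships. The same assess function can be pointed at the cipher list from an SSLLabs report to see at a glance which entries are dragging the grade down.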

Vulnerable board portals?

In our line of business, very sensitive information is processed. Sherpany takes security seriously: its solution is graded A+, which stands for "Servers with exceptional configurations". Our DevSecOps team continually invests a lot of time in configuring the server in a way that ensures not only the highest level of security but also compatibility with a broad variety of browsers.

While doing research, we realised that, surprisingly, not all board portal providers have configured their servers as rigorously as we do. We have found several instances where even weak ciphers were enabled. This can potentially lead to a compromised HTTPS session in which a hacker is able to read and alter all communication between the server and the browser.

Conclusion

Your meeting management software might be vulnerable; go ahead and check it with SSLLabs. At Sherpany we believe that security has to be approached in a holistic way, and it is obviously not enough to simply claim that TLS is in place. To be able to provide a secure cloud solution, one has to look into the details.

Marc Walzer holds an MSc in Applied Sciences (FFHS) in the field of Information System Research. At Sherpany he is responsible for information security and the appropriate processing of personal data.

Read more about security on our Insights and Resources page.
