Since the 24th of July, Google Chrome has been taking a stand against websites that do not use secure connections. The widely used web browser now marks all websites as insecure if they are not using HTTPS by default.
When you access a website, your browser communicates with the server over the internet. If the traffic is not adequately protected, it can be read and modified by any hacker who manages to break into the connection between browser and website. This opens up a variety of threats, including but not limited to the exposure of sensitive information (e.g. credit card information, passwords) or the injection of malicious code which could be executed on your computer. With an HTTPS connection, all communications are securely encrypted, but the devil lies in the detail.
HTTPS uses a method called Transport Layer Security (TLS) to encrypt data in transit. When your browser sends a request for an HTTPS connection, the server will initiate the TLS handshake. This procedure authenticates the identity of the server and then negotiates the TLS ciphers used for the secure session.
The ciphers which are negotiated during the TLS handshake define the algorithms that secure data in transit during an HTTPS session. A cipher looks like this:
How the algorithms work and what their specific purpose is lie beyond the scope of this article. It is important to understand that the whole TLS encryption is only as strong as its weakest link. This means that if even one of these four algorithms can be broken, the security of the whole HTTPS session is compromised. Therefore, a provider should regularly disable weak and outdated ciphers on the server side to prevent insecure connections.
The online service SSLLabs performs a deep analysis of the configuration of any TLS web server. You can easily generate a comprehensive report about the security of any website, which is rated from A to F (where A is top and F is flop). Based on the in-depth analysis of the enabled TLS ciphers, the report provides information regarding the certificate, enabled protocols, known vulnerabilities and browser compatibility. If you see outdated browsers in the list, it should make you think.
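The weakest-link rule above, as an added example that is not part of the original article: it splits an IANA-style TLS 1.2 cipher suite name into its four algorithms and reports any part that appears on a weak list. The suite names in the sample are constructed input, and the `WEAK` set and the function names are assumptions made for illustration.

```python
# Added example: "weakest link" check for TLS 1.2 cipher suite names.
# WEAK is an illustrative assumption, not a complete policy.
WEAK = {"NULL", "anon", "EXPORT", "RC4", "DES", "3DES", "MD5"}


def parse_suite(name):
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<hash> into its four parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ part.
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    key_exchange, _, authentication = left.partition("_")
    encryption, _, digest = right.rpartition("_")
    return {
        "key_exchange": key_exchange,
        # A single token such as "RSA" covers key exchange and authentication.
        "authentication": authentication or key_exchange,
        "encryption": encryption,
        # MAC hash for CBC/stream suites, PRF hash for AEAD (GCM, ChaCha20).
        "hash": digest,
    }


def weak_links(name):
    """Return every (role, algorithm) pair that contains a weak marker."""
    return [(role, alg) for role, alg in parse_suite(name).items()
            if WEAK & set(alg.split("_"))]


def audit(suites):
    """Map each suite name to its weak links; an empty list means none found."""
    return {s: weak_links(s) for s in suites}


if __name__ == "__main__":
    # Constructed sample: suites a server might be configured to accept.
    enabled = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    ]
    for suite, problems in audit(enabled).items():
        print("WEAK" if problems else "ok  ", suite, problems)
```

A suite is only acceptable when `weak_links` returns an empty list; one weak part is enough to fail it.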
In our line of business very sensitive information is being processed. Proving that Sherpany takes security seriously, its solution is graded A+ which stands for “Servers with exceptional configurations”. Our DevSecOps team constantly invests a lot of time to configure the server in a way that not only ensures the highest level of security, but also compatibility with a broad variety of browsers.
While doing research, we realised that, surprisingly, not all board portal providers have configured their servers as rigorously as we do. We have found several instances where even the use of weak ciphers was enabled. This can potentially lead to a compromised HTTPS session where a hacker is able to read and alter all communications between the server and the browser.
Your meeting management software might be vulnerable; go ahead and check it with SSLLabs. At Sherpany we believe that security has to be approached in a holistic way, and it is obviously not enough to simply claim to have TLS in place. To be able to provide a secure cloud solution, one has to look into the details.