Marc Walzer
Head of Security and Data Protection at Sherpany

Weak TLS encryption: a widespread risk

Since 24 July 2018, with the release of Chrome 68, Google Chrome has been taking a stand against websites that do not use secure connections: the widely used browser now marks every site served over plain HTTP as "Not secure".

When you access a website, your browser communicates with the server across the internet. If that traffic is not adequately protected, it can be read and modified by any attacker who manages to get between browser and website, for instance on a shared Wi-Fi network or through a compromised router. This opens up a variety of threats, including but not limited to the exposure of sensitive information (credit card numbers, passwords) and the injection of malicious code that is then executed on your computer. With an HTTPS connection, all communication is encrypted and the server is authenticated, but the devil lies in the detail.

HTTPS is HTTP carried over Transport Layer Security (TLS), which encrypts data in transit. When your browser opens an HTTPS connection, it starts the TLS handshake by telling the server which protocol versions and cipher suites it supports. During this procedure the server proves its identity with its certificate, and both sides settle on the protocol version and the cipher suite that will protect the session.

TLS cipher suites

The cipher suite negotiated during the TLS handshake names the algorithms that protect data in transit for the rest of the HTTPS session. In OpenSSL notation a cipher suite name is built from four parts (key exchange, authentication, bulk encryption and message authentication), for example ECDHE-RSA-AES256-GCM-SHA384:

[Figure: anatomy of a TLS cipher suite name. Source: www.nginx.com]


How these algorithms work and what each one does in detail is out of scope for this article. What matters is that a TLS session is only as strong as its weakest link: if just one of the four algorithms in the negotiated suite can be broken, the security of the whole HTTPS session is compromised. Which suite gets negotiated depends on what both sides support (and, if the server enforces its own preference order, on that order), so a weak suite that is merely left enabled on the server can still be selected by an outdated client or by an attacker who can tamper with the handshake. Therefore a provider should disable weak and outdated cipher suites and protocol versions on the server side and review that list regularly.
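To make the "four algorithms" concrete, here is an added example, written for this article rather than taken from Sherpany's tooling or from SSL Labs' scoring logic. It splits OpenSSL-style cipher suite names into key exchange, authentication, bulk encryption and integrity, flags components that are broken or lack forward secrecy, and audits a whole colon-separated suite list of the kind an operator would put into nginx's ssl_ciphers directive. The two cipher lists at the bottom are constructed samples, and the weakness rules are illustrative and deliberately strict, not an exact copy of any scanner's rating.

```python
"""Dissect OpenSSL-style TLS cipher suite names and flag the weak ones.

Added example for this article (not Sherpany's tooling, not SSL Labs' logic).
OpenSSL names are built as  KEY-EXCHANGE - AUTH - BULK-ENCRYPTION - INTEGRITY,
e.g. ECDHE-RSA-AES256-GCM-SHA384.  Two quirks matter when parsing: components
OpenSSL treats as defaults are omitted ("AES128-SHA" is static RSA key exchange
+ RSA auth + AES-128-CBC + HMAC-SHA1, "ADH"/"AECDH" mean anonymous DH), and
TLS 1.3 names ("TLS_AES_128_GCM_SHA256") carry only the AEAD cipher and hash,
because TLS 1.3 key exchange is always ephemeral.
"""
from dataclasses import dataclass, field
from typing import Dict, List

_EPHEMERAL = {"ECDHE", "DHE", "EDH"}        # forward secrecy
_STATIC_DH = {"ECDH", "DH"}                 # no forward secrecy
_CERT_AUTH = {"RSA", "ECDSA", "DSS", "PSK"}


@dataclass
class Suite:
    name: str
    key_exchange: str
    authentication: str
    encryption: str
    integrity: str
    weaknesses: List[str] = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.weaknesses)


def parse_suite(name: str) -> Suite:
    """Split one OpenSSL (or TLS 1.3) cipher suite name into its components."""
    if name.startswith("TLS_"):                          # TLS 1.3 naming
        _, *body, integrity = name.split("_")
        return Suite(name, "ECDHE (TLS 1.3)", "certificate or PSK (TLS 1.3)",
                     "-".join(body), f"AEAD (PRF {integrity})")
    tokens = name.split("-")
    export = tokens[0].startswith("EXP")                 # EXP- / EXP1024- prefix
    if export:
        tokens = tokens[1:]
    kex, auth = "RSA", "RSA"                             # OpenSSL's implicit default
    if tokens[0] in _EPHEMERAL | _STATIC_DH:
        kex = tokens.pop(0)
        if tokens and tokens[0] in _CERT_AUTH:
            auth = tokens.pop(0)
    elif tokens[0] in ("ADH", "AECDH"):
        kex = "DH" if tokens.pop(0) == "ADH" else "ECDH"
        auth = "anon"                                    # nobody is authenticated
    elif tokens[0] == "PSK":
        tokens.pop(0)
        kex = auth = "PSK"
    if len(tokens) < 2:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    if tokens[-1] == "POLY1305":                         # ChaCha20 suites have no hash suffix
        enc, integrity = "-".join(tokens), "AEAD"
    else:
        integrity = tokens.pop()
        enc = "-".join(tokens)
    if integrity == "SHA":                               # bare "SHA" means SHA-1
        integrity = "SHA1"
    if any(mode in enc for mode in ("GCM", "CCM")):
        integrity = f"AEAD (PRF {integrity})"
    suite = Suite(name, kex, auth, enc, integrity)
    _judge(suite, export)
    return suite


def _judge(s: Suite, export: bool) -> None:
    """Append a reason for every component that is broken or obsolete."""
    w, enc = s.weaknesses, s.encryption
    if export:
        w.append("export-grade key length (FREAK/Logjam class)")
    if enc == "NULL":
        w.append("NULL cipher: no confidentiality at all")
    if "RC4" in enc:
        w.append("RC4 is broken and prohibited for TLS (RFC 7465)")
    if enc.startswith("DES-CBC3"):
        w.append("3DES: 64-bit block size (Sweet32)")
    elif enc.startswith("DES"):
        w.append("single DES: 56-bit key")
    if s.integrity == "MD5":
        w.append("HMAC-MD5 integrity")
    if s.authentication == "anon":
        w.append("anonymous key exchange: server not authenticated, trivial MITM")
    if s.key_exchange == "RSA":
        w.append("static RSA key exchange: no forward secrecy")
    elif s.key_exchange in _STATIC_DH:
        w.append("static (EC)DH key exchange: no forward secrecy")
    if "AEAD" not in s.integrity and enc != "NULL" and "RC4" not in enc:
        w.append("CBC with HMAC (MAC-then-encrypt): padding-oracle class, e.g. Lucky 13")


def audit(cipher_string: str) -> Dict[str, object]:
    """Audit a colon-separated suite list such as an nginx ssl_ciphers value.

    Expects explicit suite names; OpenSSL keywords (HIGH, !aNULL, @STRENGTH)
    are not expanded here, run  openssl ciphers -v '<string>'  first.
    """
    names = [n for n in cipher_string.split(":") if n and n[0] not in "!@"]
    suites = [parse_suite(n) for n in names]
    return {
        "total": len(suites),
        "weak": {s.name: s.weaknesses for s in suites if s.weak},
        "forward_secrecy": all(s.key_exchange.split()[0] in _EPHEMERAL for s in suites),
    }


# Constructed sample ssl_ciphers values: a legacy server list and a hardened one.
LEGACY_CIPHERS = "AES128-SHA:DES-CBC3-SHA:RC4-MD5:ECDHE-RSA-AES128-SHA"
HARDENED_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305"
)

if __name__ == "__main__":
    for label, value in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        report = audit(value)
        print(f"{label}: {len(report['weak'])}/{report['total']} weak suites, "
              f"forward secrecy everywhere: {report['forward_secrecy']}")
        for suite_name, reasons in report["weak"].items():
            print(f"  {suite_name}: {'; '.join(reasons)}")
```

Running the file reports every suite in the legacy list as weak (static RSA without forward secrecy, RC4, 3DES, MD5, CBC with HMAC) and none in the hardened one. In nginx the matching directives are ssl_ciphers for this list, ssl_protocols TLSv1.2 TLSv1.3; to drop the old protocol versions, and ssl_prefer_server_ciphers on; so that the server's order, not the client's, decides which suite is chosen. After any change, rerun the SSL Labs test: the grade also depends on the certificate chain, protocol versions and known-vulnerability checks that this script does not cover.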

The free online service SSL Labs (https://www.ssllabs.com/ssltest/) performs a deep analysis of the TLS configuration of any public web server. You can generate a comprehensive report on any website, graded from A+ at the top down to F. Besides an in-depth look at the enabled cipher suites, the report covers the certificate, the enabled protocol versions, known vulnerabilities and client compatibility. Its handshake simulation lists which browsers can connect and which suite each would negotiate; if long-obsolete browsers still connect, the server is keeping old protocols and ciphers enabled for their sake, and that should make you think.

Vulnerable board portals?

In our line of business very sensitive information is processed. Proving that Sherpany takes security seriously, its solution is graded A+, the grade SSL Labs reserves for "servers with exceptional configurations". Our DevSecOps team invests considerable time in configuring the servers so that they offer not only the highest level of security but also compatibility with a broad range of browsers.

During our research we realised that, surprisingly, not all board portal providers configure their servers as rigorously. We found several instances where weak ciphers were still enabled. If such a suite is negotiated, the HTTPS session can be compromised and an attacker is able to read and alter all communication between the server and the browser.

Conclusion

Your meeting management software might be vulnerable; go ahead and check it with SSL Labs. At Sherpany we believe that security has to be approached holistically, and it is obviously not enough to simply claim to have TLS in place. To provide a secure cloud solution, one has to look into the details.

Marc Walzer holds an MSc (Master of Science) in applied sciences (FFHS) in the field of "Information Systems Research". At Sherpany he is responsible for information security and ensures that your personal data is handled correctly.

Read more about security on our Insights and Resources page.
