Current SSL Security holes, tips and concerns

Technology and software is always changing and getting better, but with new releases comes new bugs and security holes. Or sometime old bugs and security holes that have only just been discovered come to light. SSL certificates and website security is no exception to this.


In the last few months alone there has been multiple security holes found in the very popular OpenSSL that many servers and websites use, and they had a very great impact on internet and website security.
So how can you make sure your protected against such security holes and bugs found in the software and protocols of SSL? by keeping informed and actioning a fix when you learn about it.

In this article I will go over a few recent security issues with popular SSL software, tools and protocols that has come to light and how you can fix and prevent these security holes.

Why should you monitor your website security.

There is almost no questioning why you should do this. Simply put: things change all the time and something that was once secure a month or day ago might not be secure now.

If you keep monitoring your website security by doing scans or maybe subscribing to a security blog that will notify you of new security issues you can be on top of security and make sure your information and your customers are constantly safe.
We constantly hear about when a well known website or business gets attacked and information that was very sensitive leaked into the public domain. What would happen to your business and customers if this happened to you?

Current SSL security concerns

At the time of writing this article there are a few security concerns that should be well known by now. This even makes it more of a priority to make sure your website and servers are not effected. The more well known they are, the more likely they will be used against you.

The Heartbleed Bug and how it effects your website and server.

This is a fairly serious one and effects the very popular OpenSSL which the majority of web hosts have installed. This security hole allows anyone with bad intentions to steal the information that is suppose to be protected by SSL/TLS Certificates and encryption.
It can effect your website, email, communications and more. Although tricky for attacker to perform it is possible, and so if you have something worth stealing then they may attempt it. And they won’t leave a single trace of it happening.
If at any stage you have been effected by this security hole we highly suggest you get a reissue of your certificate being used.

How do i know if i have the heartbleed bug?

You are very likely to be effected by this bug in one way or another. The fact that OpenSSL is the most widely software to enable SSL encryption on web servers means the bug is very common. It is best to contact your web hosting company or check your server yourself and see if you have been running OpenSSL 1.0.1 through to 1.0.1f.
OpenSSL 1.0.1g released on 7th of April 2014 fixed the bug.

How do i fix the Heartbleed bug?

Contact your web hosting provider to make sure OpenSSL is up-to date or if you administer your servers yourself then simply update your OpenSSL to the latest release.

The FREAK security hole.

FREAK allows SSL Man in the middle attacks. This security hole is not just server side but more client side. It allows an attacker to decrypt secure information that is being communicated between clients and servers.
With a range of operating systems and browsers that use certain SSL/TLS libraries the list of effected users could be long.
`
Google has updated their Android OS and Chrome browser, while apple has also said they have updated their iOS and OS X. So as with all security holes that are found, make sure you have the latest version to fixed them.

If your running any windows operating system which is Windows XP or older it is highly recommend to make sure all your browsers, programs and OS patches are up to date.

If your using Windows Server 2003 or XP you should look at upgrading to a new OS as soon as possible.
Microsoft has release a security advisory here: technet.microsoft.com/library/security/3046015.aspx
which includes a workaround for supported systems.

To test if your browser is effected by this security hole these check out the following online test: freakattack.com/clienttest.html

POODLE attack and what i should do about it

This effects all version of SSL 3.0 and allows a man in the middle attack. The attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.

One of the big problems with this is the fact that most servers with their encryption are backwards compatible to allow users with older browser that may not accept the more secure and up-to date TLS protocols to still get a secure connection. So when a user connects to your website and that user does not want to use the TLS they will then ask to use SSL 3.0 which is less secure.

Even if both client and server support a version of TLS an attacker who can trigger a connection failure can then force the use of SSL 3.0 to open the possibility of an attack

Is the POODLE Security hole fixed

With the security issue related to SSL 3.0, unfortunately the problem can't be fixed in it's own. The only real fix is to not allow the use of SSL 3.0 and force the use of the TLS protocols.

And Major browser vendors such as Google and Mozilla have said that they will deactivate the SSL 3.0 in their upcoming versions.

If you manage some servers we suggest you read these helpful articles on removing the use of SSL 3.0 access.redhat.com/articles/1232123

A Quick and easy tool to check the security of your website

knowing when and how your website might have a security issue can be tricky. But we have a tool we highly recommend that can help. Have a go at this free scanning tool from SSLLabs www.ssllabs.com/ssltest/

But above all, it is best to stay informed of the ever changing world of online security so we also suggest joining some ssl blogs or newsgroups and mailing lists to get notified when a new security holes is found.

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Paul Baka


SSLTrust Blog

View our blog covering news and topics in security, certificate authorities, encryption and PKI.

Learning Centre

View more resources on cyber security, encryption and the internet.