Tag Archives: logjam

WP Engine rolling out support for TLS 1.2

201506080-ssllabs.com-a-minus-grade-scottontechnology

I have recently noticed, first on a client’s site, then this site, that WP Engine is rolling out support for TLS 1.2.

Also numerous other improvements including

  • Removing weak Diffie-Hellman (DH) key exchange parameters. Going from a 1024-bit to 2048-bit group. (think Logjam)
  • Adding additional cipher suites
  • Supporting TLS_FALLBACK_SCSV to prevent protocol downgrade attacks
  • Additionally supporting TLS 1.1

I have been using TLS with WP Engine on this site since April 10th, 2015 and in just under two months have seen my overall rating from Qualys SSL Labs improve from a C to a B to an A-.

Graham Cluley, who also hosts with WP Engine, mentioned in his post, And it’s goodbye to HTTP from this website…, that he switched over on March 3th, 2015 and quickly replied to a comment that, “Unfortunately at the moment my hosting provider doesn’t offer TLS 1.1 and 1.2.”

Well good news for Graham, his server configuration has also been updated and he is scoring an A- as well.

201506080-ssllabs.com-a-minus-grade-grahamcluley

and this from back in November 2014

The most “bank grade” secure of Milwaukee County bank websites

Only 3 sites passed our Milwaukee County bank website security review. Who passed and who failed?

The following are results and analysis of a snapshot of SSL Labs Server Tests of Milwaukee county’s state chartered banks’ web servers performed June 2nd, 2015.

View full-screen in a new tab

Results are sorted by:

  1. Grade (A to F followed by sites that don’t use secure protocols & failures), then by
  2. Number of failed tests (ascending), then by
  3. Bank name

Clicking the name of the bank in column A will take you to the SSL Labs report page for that bank’s website  or 3rd party service it uses for online banking (that is why most of the bank names and domains tested in the report don’t directly match.)

Findings

3rd party services are prevalent

As far as I could tell, none of these banks used their own services for managing the actual financial portion (online banking, credit card processing, online deposits, etc.).  They all outsourced to 3rd party services, which you’d think would be more secure since many clients are managed from the same service.

From a confidence and usability standpoint, it should be noted that none of these banks inform or disclose that the user will be redirected to a 3rd party service.

The F (many issues including SSL 2 enabled)

Waterstone Bank’s website got the one and only F grade.   Their server still supports SSL 2, which is obsolete and insecure.  This alone capped their grade to F.  They were also one of two that had SSL 3 enabled.

Additionally, the HTTP version of their site doesn’t automatically redirect to the HTTPS version, which wouldn’t do them much good at this point.  I didn’t go through all the pages, but there doesn’t appear to be any user information that passes through the HTTP or F-grade-receiving-HTTPS-page.  The Account Access links for business and consumer banking link directly to the 3rd party service via HTTPS.

The only A

Metavante’s RemitPoint solution used by Park Bank earns the only A grade.  According to this press release, RemitPoint provides “a centralized image-based remittance processing service.”  The only way for them to get an A+ is to enable HTTP Strict Transport Security support with a max-age of at least 6 months.

Two A- Websites (the other 2 of 3 A grades)

So there is only one bank’s website (not the portion where the online banking occurs) that received an A- grade.  Congrats to Layton State Bank.

Also, only one 3rd party banking service, Park Bank Business Credit Card – Administrator from FIS received an A- grade.

Neither support Forward Secrecy which would boost their respective scores.

 The grade breakdown

  • A grade (A or A-): 3/20 – 15%
  • B grade: 2/20 – 10%
  • C grade: 14/20 – 70%
  • D grade: 0/20 – 0%
  • F grade: 1/20 – 5%

No secure protocols supported: 2

Assessment failures: 2

Sites without secure protocols

The first is Columbia Savings and Loan Association’s website, which is purely informational.  There are no links to online banking or other login fields for customers.  However, the “Owner Login” link does not target a HTTPS page nor does the login form within.

The second is The Equitable Bank’s website.  The “Access ID” field targets a secure endpoint, but the page itself isn’t secure.  Fortunately, the account password isn’t requested until the 3rd party service’s secured page.

Logjam (95% pass rate)

Information about the latest vulnerability, the Logjam attack was published last month (May 20, 2015).  I wanted to highlight those results specifically in this project.

There was one server that didn’t pass the WeakDH.org server test.  The Park Bank Personal Credit Card service from First Bankcard got the warning about using a common 1024-bit DH prime.  I thought about adding a “Warning” type to Pass/Fail, but decided that anything that wasn’t a pass was a failure.

“Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.”

Things I’d never seen before

In interesting report to look at is the one for Park Bank Merchant Card Processing.  It was the first time I saw the notification “This site is intolerant to newer protocol versions, which might cause connection failures.”

It also only allows for one cipher suite TLS_RSA_WITH_AES_256_CBC_SHA (0x35).  The fewest I had seen before was 3.

The other result I hadn’t encountered was “Assessment failed: Cipher suite support test failed” which occurred on the Points2U test.

Why so many C’s?

If many of you are familiar with these types of analyses, you will notice many more “C” grades than before.  SSL Labs, since the 5/20/15 1.17.10 version release, is penalizing the RC4 cipher when used with TLS 1.1+ more now and not supporting TLS 1.2 caps the grade to a C from a B previously.  Full information on the ratings is available here (PDF).

Date performed: 6/2/15

Sites tested: 24

Data sources

Tools

Similar posts and analysis

Tangential articles (coming soon)

  • Fiserv
  • Wisconsin Department of Financial Institutions

How to: Secure Chrome against Logjam

Update: Chrome 45 was released on 9/1/15 with a fix for the “logjam” vulnerability.  Use Chrome 45 or newer

Disable the following cipher suites

  • (0xcc15) TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • (0xcc9e) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • (0x0039) TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • (0x0033) TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Until the Chrome 45 update, the easiest by far is to

Step 1:
Modify an existing (or create) a shortcut to Chrome.  Right click on the shortcut and select Properties

Step 2:
Add the following to the application Target:

It should look like this:
(Note: Target field is long and is split into two screenshots)

20150530-secure-chrome-logjam-step2-1

20150530-secure-chrome-logjam-step2

Step 3:
Click Apply or OK to save

Step 4:
Close all Chrome browser windows

Step 5:
Use the shortcut you just modified to re-open Chrome and verify these cipher suites have been disabled

Quick: https://weakdh.org/

20150605-secure-chrome-logjam-weakdh.org-step5

Detailed: https://www.ssllabs.com/ssltest/viewMyClient.html

(h/t) @eckes on twitter: https://twitter.com/eckes/status/604090760032559104

 

Reference

The fix is “on track to be included in Chrome 45”

 

Downloads

I zipped the Logjam safe shortcut from this tutorial.

If you used the standard installer your application path is %UserProfile%\AppData\Local\Google\Chrome\Application\chrome.exe

Download “Windows Default 32-bit Chrome (Logjam Safe) Shortcut” Google-Chrome-Logjam-Safe.zip – Downloaded 76 times – 1 KB

Google Chrome (Logjam Safe).lnk

  • MD5: 32D2342D138B66A3F458D66842038CA5
  • SHA1: CAB26DCFEF880D5D7422633A2732770CB6B0BB17

If you used the “offline installer” Chrome installs to “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”

Download “"Program Files (x86)" 32-bit Chrome (Logjam Safe) Shortcut” Chrome (Logjam Safe).lnk.zip – Downloaded 69 times – 1 KB

Chrome (Logjam Safe).lnk

  • MD5: C689CABE8887CD8187CAAFA395DBCF2B
  • SHA1: EE2E1D54BA3DF586406BB13CA3E35E41A130745B

Original content and screenshots on this page are licensed under a Creative Commons Attribution 3.0 License (http://creativecommons.org/licenses/by/3.0/us/)

How to: Secure Firefox against Logjam

Update: Firefox 39 was released on 7/2/15 with a fix for the logjam vulnerability (advisory on “logjam”). Use Firefox 39 or newer

Disable the following:

  • security.ssl3.dhe_rsa_aes_128_sha
  • security.ssl3.dhe_rsa_aes_256_sha

following are step by step instructions

How to: Secure Firefox against Logjam (until Firefox 39 is released)

Step 1:
Type “about:config” in the navigation bar

20150530-secure-firefox-logjam-step1

 

Step 2:
Continue through the warning screen by clicking “I’ll be careful, I promise!”

20150530-secure-firefox-logjam-step2

 

Step 3:
Search for “ssl3”

20150530-secure-firefox-logjam-step3

 

Step 4:
Disable the following (by double clicking or right clicking then “Toggle”)  Changes are saved automatically

  • security.ssl3.dhe_rsa_aes_128_sha
  • security.ssl3.dhe_rsa_aes_256_sha

20150530-secure-firefox-logjam-step4

 

Step 5:
Verify these cipher suites have been disabled

Quick: https://weakdh.org/

Before

20150530-secure-firefox-logjam-step0

After

20150530-secure-firefox-logjam-step5

 

Detailed: https://www.ssllabs.com/ssltest/viewMyClient.html

20150530-secure-firefox-logjam-ssltest-before

20150530-secure-firefox-logjam-ssltest-after

 

(h/t) http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html

Additional Information

Mozilla released (5/22/15) an add-on that changes these settings – https://addons.mozilla.org/mk/firefox/addon/disable-dhe/

Per Mozilla – Firefox 39 will include changes that will increase the minimum strength of keys to 1024 bits.

20150530-firefox-39

 

Content from Qualys licensed under a Creative Commons Attribution 3.0 License (http://creativecommons.org/licenses/by/3.0/us/).   Arrows and Before and After tags were added to screenshots of the original content.

Original content and screenshots on this page are licensed under a Creative Commons Attribution 3.0 License (http://creativecommons.org/licenses/by/3.0/us/)

Your browser is still vulnerable to Logjam

Currently, only Internet Explorer is safe from the Logjam vulnerability.

How to: Secure Chrome against Logjam

How to: Secure Firefox against Logjam

Browser/OS Windows OS X iOS Android
IE 11 Safe
(5/20/15 CW)
Safari Vulnerable
(5/20/15 CW)
Vulnerable
(5/20/15 CW)
Chrome 43 Vulnerable
(5/25/15 SOT)
Vulnerable
(5/20/15 CW)
Vulnerable
(5/20/15 CW)
Vulnerable
(5/20/15 CW)
Firefox 38 Vulnerable
(5/30/15 SOT)
Vulnerable
(5/20/15 CW)
Vulnerable
(5/20/15 CW)
Android browser Vulnerable
(5/20/15 CW)

This article builds upon the information in the Computerworld (CW) article published 5/20/15

Test your client (browser):

Patches / Safe Versions

5/12/15 – Microsoft patched IE 11 see MS15-055

5/22/15 – Mozilla released the “Disable DHE” add-on that “disables ephemeral Diffie-Hellman cipher suites that are vulnerable to the logjam attack” for Firefox versions 20.0 – 38.*

 

SOT Testing

5/25/15 – Firefox 38.0.1

20150525-firefox-38-0-1-up-to-date

20150525-ssllabs.com-ssl-client-test-logjam-firefox-38-vulnerable

2015052-ssllabs.com-manual-tetst-firefox-38-vulnerable

5/30/15 – Firefox 38.0.1 no updated release – still vulnerable

Additional information

Schannel – Secure Channel

The Logjam Attack

Last updated: 12/15/15

Official website

https://weakdh.org/

Twitter hashtags

Vulnerability testing tools

Test your browser (client):

Test your server:

 

Vulnerable browser results

If your browser is vulnerable you will see:

weakdh.org Vulnerable web browser example

20150524-weakdh.org-vulnerable-browser
weakdh.org: Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.

 

Qualys SSL Labs client test Vulnerable user agent example

20150524-ssllabs.com-ssl-client-test-logjam-vulnerability
ssllabs.com: Your user agent is vulnerable. Upgrade as soon as possible.

 

Qualys SSL Labs manual Logjam Vulnerability test Vulnerable example

20150524-ssllabs.com-vulnerable-user-agent
ssllabs.com: Your user agent is vulnerable to the Logjam attack

 

Vulnerable server results

If the server tested is vulnerable you will see:

weakdh.org Vulnerable server – uses a commonly-shared 1024-bit Diffie-Hellman group

20150524-weakdh.org-vulnerable-server
weakdh.org: Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

 

Safe client results

If your browser is safe you will see:

weakdh.org Safe web browser

20150530-secure-firefox-logjam-step5
Good News! Your browser is safe against the Logjam attack.

 

Safe server results

Two examples of safe server results below:

weakdh.org Safe – uses 2048-bit Diffie-Hellman group

20150524-weakdh.org-safe-server
weakdh.org: Good News! This site uses strong (2048-bit or better) key exchange parameters and is safe from the Logjam attack.

 

weakdh.org Safe – does not use DHE

20150524-weakdh.org-whitehouse.gov-safe-server
weakdh.org: Good News! This site is safe from the Logjam attack. It supports ECDHE and does not use DHE.

 

Secure your browser and server

 

Logjam timeline

Upcoming

Interesting reads

 

Additional information

Terms (in order of appearance):

  • DHE – Ephemeral Diffie-Hellman (also commonly referred to as EDH)
  • ECDHE – Elliptic Curve Ephemeral Diffie-Hellman

Content licensing

Content from Qualys licensed under a Creative Commons Attribution 3.0 License (http://creativecommons.org/licenses/by/3.0/us/).  No changes were made to the original content.


Creating this post

Jing was used for screenshots and WP Smush was used to remove PNG metadata.