On the importance of SSL – a review

Every Web Application Penetration Test (WAPT) kickoff call usually starts with a brief discussion of why the client has hired us to perform this WAPT. Typical answers include:

• “Well, our application is mission critical and we want to test the security of it”¦”
• “We store a lot of personal information on this web application and we want to make sure ‘hackers’ cannot access the data”¦”
• “There was a security breach and we want to prevent other incidents from happening”¦”

Most of the time, clients are spot on regarding the importance of their web applications. And with their business goals in mind, we go through our comprehensive WAPT methodology and usually end up tearing their web app apart. But the part that troubles me most is when I see these apps aren’t covered by even the most basic protective mechanisms, such as SSL. If you need a review of SSL go here.

In general, SSL provides you with confidentiality, end point authentication, and message integrity. That’s a pretty big point to miss with these ‘mission critical’ apps. Just consider some vulnerabilities you’ll face if you don’t bother using SSL:

• Eavesdropping – Sure show the world your cookies, login credentials (BTW, what are the chances that your super strong username/password combo are used elsewhere?), etc.
• Man in the Middle attacks – all too easy and you can’t even verify the authenticity of the server you’re supposed to be connected to.

Anyway, the point is that adding SSL to your app is ridiculously easy and every app should be covered by it – on all pages, not just use it for authentication (which unfortunately, I’ve also seen plenty of times). Oh, and make sure your SSL cert is valid (signed by a trusted CA, not expired, and not on a CRL); use strong ciphers; and use SSLv3.

Here’s an interesting SSL related exercise for the reader – find the SSL lock icon on Myspace.

Hint #1:
From myspace (http://www.myspace.com/index.cfm?fuseaction=misc.privacy):

“Security
MySpace.com member accounts are secured by member-created passwords. MySpace.com takes precautions to insure that member account information is kept private. We use reasonable measures to protect member information that is stored within our database, and we restrict access to member information to those employees who need access to perform their job functions, such as our customer service personnel and technical staff. Please note that we cannot guarantee the security of member account information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of member information at any time For any additional information about the security measures we use on MySpace.com, please contact us a privacymyspacecom  (privacymyspacecom)   “

My take:
This sentence reads well and gives me warm fuzzies: “MySpace.com takes precautions to insure that member account information is kept private.” But where’s the SSL? Now, how many *millions* of users are now vulnerable to the aforementioned vulns? Don’t get me wrong, a malicious user doesn’t care about your myspace.com page. I’m sure it “teh sucks” and your profile is “teh fail” (to quote a buddy at Foundstone, Brad Antoniewicz). They’re after your credentials & betting big on password reuse. Stop for a moment and think about your own work, Ebay, email, bank, etc accounts. Are you reusing your credentials anywhere?

I bet most of you are. After all that’s just human tendency…