Learn things? DROWN HTTPS flaw proves we don't even test things

In the wake of the DROWN vulnerability, organisations like the Australian Signals Directorate that offer security incident mitigation strategies might consider adding another item to their lists: test your configuration to make sure it's what you expected. The DROWN flaw in HTTPS would not be anything to worry about, except …

  1. teknopaul

    blame whois

    How about this for an idea, every DNS entry has a whois email registered. Spam the email with security warnings if DNS registered https sites are found insecure.

  2. Charlie Clark Silver badge

    Sorry, what?

    test your configuration to make sure it's what you expected

    What is this supposed to mean? I take it to mean "configuration was correctly distributed and applied". Cf. the recent Google router misconfiguration.

    What are "post-configuration tests"?

    The only thing I can think of is: do you regularly run penetration testing on your equipment? The whole point of penetration testing is that it is external and ignorant of configuration. Run it and expect the unexpected.

    Are enough people running enough penetration tests? Certainly not. This isn't helped by the legal situation: in some countries penetration testing may involve technically illegal activities.

    1. Roland6 Silver badge

      Re: Sorry, what?

      Agree, however, PEN testing isn't going to find the as yet unknown exploits (otherwise DROWN would have been news years back); if done well it will confirm that your systems were secure against known exploits at a particular point in time - just like the UK MOT test.

      So PEN testing is a bit like AV, protection against known exploits with limited protection against new exploits. Hence just like AV, it needs regular updates and periodic scans.

    2. gollux

      Re: Sorry, what?

      The world needs more hackers, if you aren't hacking, you won't know if the SSL Labs approved configuration is safe. Everything that is tested is insecure because the tests are mostly broken or are missing prognostication abilities (not been invented yet).

      The people suggesting that testing will fix things don't even have the tests that will prove their premise.

  3. Fazal Majid

    SSL Labs

    Everyone running a secure website should test its crypto using the free SSL Labs tool:

    https://www.ssllabs.com/ssltest/

    Nothing less than an A or A+ rating is acceptable.

    1. Anonymous Coward

      Re: SSL Labs

      "Nothing less than an A or A+ rating is acceptable."

      Even if it breaks too many connections that aren't capable of upgrading?

      1. Anonymous Coward

        Re: SSL Labs

        > Even if it breaks too many connections that aren't capable of upgrading?

        Yes, definitely.

        In general, TLS evolves reactively as attacks are discovered and demonstrated (and then patched), so a connection that is a candidate for upgrade is likely to be exploitable by known means.

    2. Anonymous Coward

      Re: SSL Labs

      > https://www.ssllabs.com/ssltest/

      That's exactly what I came here to say. You said it first and better.

      But at least I get to linkify¹ the URL. :-)

      ¹ Yes, I have verbified a noun. Twice.
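The "post-configuration test" Charlie Clark asks about above, and the external SSL Labs scan Fazal Majid recommends, have a local counterpart: read the server's own protocol settings and confirm they are what you expected before the site goes live. The script below is an added example, not code from this thread or from any product mentioned in it. It audits constructed nginx and Apache snippets (every example.test name is made up), flags any server that still offers SSLv2 (the protocol DROWN abuses), SSLv3 or TLS 1.0/1.1, and, just as importantly, reports a server block with no protocol directive at all as unverified rather than passing it, because the compiled-in default is exactly the thing nobody checked. It assumes Apache's `all` keyword expands to SSLv3 through TLSv1.3 (httpd 2.4 semantics) and handles only the flat `server { }` / `<VirtualHost>` layouts shown.

```python
import re
from dataclasses import dataclass, field

# Versions a post-configuration check must not find enabled: SSLv2 is the
# protocol DROWN abuses; SSLv3 and TLS 1.0/1.1 are deprecated.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed expansion of Apache's "all" keyword (httpd 2.4, which never offers SSLv2).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

@dataclass
class Finding:
    server: str                                 # server_name / ServerName
    explicit: bool                              # some protocol directive applies
    enabled: set = field(default_factory=set)   # resolved protocol versions
    weak = property(lambda self: self.enabled & WEAK)

    @property
    def ok(self):
        # No directive at all is "unverified", not a pass: the compiled-in default
        # is exactly the thing nobody checked.
        return self.explicit and not self.weak

def _last_directive(text, name):
    """Tokens of the last `name value ...` line (nginx ends it with ';', Apache with
    a newline), or None if absent. Comment lines never match."""
    hits = re.findall(r"(?m)^[ \t]*" + name + r"[ \t]+([^;\n]+)", text)
    return hits[-1].split() if hits else None

def _nginx_server_bodies(text):
    """(start, end) of every `server { ... }` body, matched by brace counting."""
    spans = []
    for m in re.finditer(r"\bserver[ \t]*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        spans.append((m.end(), i - 1))
    return spans

def audit_nginx(text):
    """One Finding per server block: block-level ssl_protocols wins, else the
    http-level one applies, else the setting is unverified."""
    spans = _nginx_server_bodies(text)
    outside = text
    for a, b in reversed(spans):          # blank the bodies to isolate http-level lines
        outside = outside[:a] + outside[b:]
    http_level = _last_directive(outside, "ssl_protocols")
    findings = []
    for a, b in spans:
        name = _last_directive(text[a:b], "server_name")
        protos = _last_directive(text[a:b], "ssl_protocols") or http_level
        findings.append(Finding(" ".join(name) if name else "(unnamed)",
                                protos is not None, set(protos or [])))
    return findings

def _apache_resolve(tokens):
    """Apply SSLProtocol tokens left to right: all, +X, -X or bare X."""
    enabled = set()
    for tok in tokens:
        base = tok.lstrip("+-")
        versions = APACHE_ALL if base.lower() == "all" else {base}
        enabled = enabled - versions if tok.startswith("-") else enabled | versions
    return enabled

def audit_apache(text):
    """One Finding per <VirtualHost>: a vhost-level SSLProtocol wins over the global one."""
    vhost = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
    global_tokens = _last_directive(vhost.sub("", text), "SSLProtocol")
    findings = []
    for m in vhost.finditer(text):
        name = _last_directive(m.group(1), "ServerName")
        tokens = _last_directive(m.group(1), "SSLProtocol") or global_tokens
        findings.append(Finding(" ".join(name) if name else "(unnamed)",
                                tokens is not None, _apache_resolve(tokens or [])))
    return findings

# Constructed sample configurations; the example.test names are made up.
NGINX_SAMPLE = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # http-level default, silently inherited
server {
    server_name legacy.example.test;
}
server {
    server_name www.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
NGINX_BARE = "server {\n    server_name bare.example.test;\n}\n"
APACHE_SAMPLE = """
SSLProtocol all -SSLv3
<VirtualHost *:443>
    ServerName www.example.test
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:443>
    ServerName old.example.test
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_nginx(NGINX_SAMPLE) + audit_nginx(NGINX_BARE) + audit_apache(APACHE_SAMPLE):
        print(f"{f.server:22}", "OK" if f.ok else "UNVERIFIED" if not f.explicit
              else "WEAK " + " ".join(sorted(f.weak)))
```

Run it against the rendered configuration the server actually loads (for nginx, the output of `nginx -T`) rather than hand-edited files, so included snippets and the http-level default are seen the way the server sees them; then follow up with the external scan the thread recommends, since a file audit only sees this host's own settings and not what the network sees.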

  4. Anonymous Coward

    Tonight I'm Gonna Thumbnail Like It's 1995

    Re: the stock photo thumbnail that you used in the sidebar link for this story.

    Please. Stop. It's not the 1990s any more. Ones and zeroes projected all over someone's face to represent a "hacker"- alongside a tunnel made of glowy digits to represent cyberspace- is one of those things you'd have expected to have died out so long ago (circa the early noughties) as being so utterly overused and clichéd that it'd be due for an ironic comeback about now.

    But it's not even cool in a Hackers-looks-even-more-ludicrously-cheesy-now-than-it-did-in-the-mid-90s way, because it's never bloody gone away. It's just boring. It's like one of those songs that's been so over-exposed and never allowed to rest that it'll never sound fresh again- they could stop playing it tomorrow, and even if you never heard it again for another 60 years it'd still come across as overplayed nothingness when the first note hit.

    If any real-life Hackers are reading this, please break into some stock photo libraries via your 28.8 bps modem and- carefully navigating their full-3D-cyberspace interface- delete all these bloody photos from existence forever.

    Thank you!

    1. Anonymous Coward

      Re: Tonight I'm Gonna Thumbnail Like It's 1995

      What?

      I like cheesy images like that. It's the whole point of them. Don't get it?

  5. Dinsdale247

    Clearly SOME people have learned...

    http://www.libressl.org/

    http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded

    Nuf said.

  6. Anonymous Coward

    Symantec - DROWN, POODLE and other SSL Web Testing

    Symantec - Webserver vulnerability scanner

    Enter the URL of the server that you want to check and hit enter :)

    https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
