IBM Cloud turns TLS 1.0 off and then turns it on again

IBM has turned known-to-be-insecure TLS 1.0 back on in its cloud. IBM only turned TLS 1.0 off on Tuesday, citing the usual and sound reasons that the encryption protocol is old and weak. But the company appears to have botched the job of telling users about the change, as an email sent to Bluemix customers and received by The …

  1. Anonymous Coward

    Must have affected 1 very big customer, otherwise their line would have been "too bad - upgrade your end"

    1. Anonymous Coward

      I wouldn't be surprised if it was an outsourced customer hosted by IBM. The guy responsible will have been replaced by someone with dozens of certifications but no experience and will be paid peanuts to work in the middle of the night.

      As for agility, how difficult is it to change:

      TLS_1.0=True

      to

      TLS_1.0=False

      ??

  2. David Roberts

    Old and weak

    IBM can be very hurtful at times.

  3. Hans 1

    TLS 1.0

    Who is still using that ? Fire whoever has not moved to 1.2 already, please ... make this Intertubes a safe place, please ...

    Cloud means all your data, Feynman, if you go cloud, YOU MUST MAKE 100% SURE YOU USE LATEST TECH, that is the WHOLE BLOODY POINT OF CLOUD, right ?

    Companies put crown jewels on a shared server, handy, for everyone to peek at because they use obsolete crypto, not so handy ...

    1. Nate Amsden

      Re: TLS 1.0

      Lotsa folks. Even Cybersource, who is a credit card processor, isn't turning TLS 1.0 off in production until Feb 2018 (which is pretty close to the limit for PCI, I believe).

      I just went through disabling tls 1.0 on a few production services for pci not long ago. Ran into issues immediately and had to turn it back on in a few cases, fortunately none of those cases impact pci for us.

      Though i have yet to see a serious threat against 1.0. Sure it is not as strong as 1.1 and 1.2 but the press make it out to being completely cracked which last I heard was far from the case.

      I really dislike how this works though. Services should be able to accept TLS 1.0 in order to give a human readable error. Getting a low level SSL error is almost always a pain to diagnose (even for technical users like myself). The ciphers are even more confusing. Seems everyone has different variations on names for the same ciphers. Had to spend a bunch of time experimenting with SSL Labs testing and retesting until I found a cipher setup that was rated right.

      A big chunk of the issue is it's very difficult to determine what clients are actually connecting with. For me, most of my SSL is terminated on Netscalers and there is no logging of that stuff. Even with Apache, last I recall you had to enable debug mode to get that info. It wasn't available as a logging option for the access log. And a webserver is pretty basic; imagine all of the more complex apps and clients that speak different protocols.
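The inventory problem raised above (which clients still negotiate TLS 1.0, and which still use RC4 as in the ATOS case further down) is easier once the web server records the negotiated protocol and cipher per request. The following is an added example, not code from the thread or from any vendor: it assumes an Apache access log whose LogFormat appends mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` to the combined format, and the log lines are constructed for the demonstration.

```python
"""Summarise negotiated TLS versions and ciphers from Apache access logs.

Assumes a LogFormat that appends mod_ssl's %{SSL_PROTOCOL}x and %{SSL_CIPHER}x
to the combined format; the log lines below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines: combined format followed by " <protocol> <cipher>"
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2017:10:01:02 +0000] "GET /api/v1 HTTP/1.1" 200 512 "-" "Java/1.6.0_45" TLSv1 RC4-SHA
10.0.0.7 - - [12/Jul/2017:10:01:03 +0000] "POST /pay HTTP/1.1" 200 88 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.5 - - [12/Jul/2017:10:01:09 +0000] "GET /api/v1 HTTP/1.1" 200 512 "-" "Java/1.6.0_45" TLSv1 RC4-SHA
10.0.0.9 - - [12/Jul/2017:10:02:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.35.0" TLSv1.1 AES256-SHA
10.0.0.7 - - [12/Jul/2017:10:02:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

# Protocol names as mod_ssl writes them; any of these is a migration blocker
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_lines(text):
    """Yield (ip, user_agent, protocol, cipher) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua"), m.group("proto"), m.group("cipher")


def summarise(text):
    """Count connections per protocol and list the clients (by IP and
    User-Agent) that would break if weak protocols or RC4 were disabled."""
    by_proto = Counter()
    at_risk = defaultdict(set)  # (ip, user_agent) -> reasons
    for ip, ua, proto, cipher in parse_lines(text):
        by_proto[proto] += 1
        if proto in WEAK_PROTOCOLS:
            at_risk[(ip, ua)].add(proto)
        if "RC4" in cipher.upper():
            at_risk[(ip, ua)].add(cipher)
    return by_proto, {k: sorted(v) for k, v in at_risk.items()}


if __name__ == "__main__":
    counts, blockers = summarise(SAMPLE_LOG)
    print(dict(counts))
    print(blockers)
```

Run against a day's real log before flipping the switch and the output is the list of clients to contact first, rather than the list of people who complain afterwards.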

  4. macjules

    Blame it all on ..

    Jeff Smith must be to blame. Fire him! Fire him now! Oh wait, he already resigned.

    1. Anonymous Coward

      Re: Blame it all on ..

      Jeff Smith was an AWS fanboy before he went to IBM..... "Smith was instrumental in driving Suncorp’s agile software development culture, a long systems consolidation and simplification program, and more recently its decision to move 2000 applications to the Amazon Web Services cloud and consolidate data warehouses into a single data store for analysis." https://www.itnews.com.au/news/jeff-smith-quits-suncorp-for-ibm-388062

  5. Wibble

    PCI is partly to blame

    PCI is partly to blame for this as they've allowed TLS1.0 until June 2018

    https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

    Means there's no strict reason to shut down TLS1.0 now, so many companies put it off. As a result there's a stack of web services out there that call using TLS1.0 which need core upgrades to use TLS1.2.

    1. Alister

      Re: PCI is partly to blame

      But part of the reason that PCI allowed TLS1.0 until then is the acceptance that there is still a massive amount of legacy code out there which requires TLS1.0 and that it will take time to migrate.

      Unfortunately, as you say, until the deadline has already passed, certain companies will feel no urgency about changing things.

      We actually had to back down our security on an environment recently, as we were connecting to an ATOS Web service which would only negotiate using TLS1.0 and RC4 cyphers. If the likes of ATOS won't get off their bottoms and update things, how can anyone else?

      1. Hans 1

        Re: PCI is partly to blame

        If the likes of ATOS won't get off their bottoms and update things, how can anyone else?

        Hm, you know, I guess next time when you need services, you will stay clear of ATOS, then, right ? If not, they have ABSOLUTELY NO INCENTIVE to get their act together. Also, tell them why you will choose another next time around. Stay clear of Accenture, though, they are even worse ... just my $0.02.

        1. Alister

          Re: PCI is partly to blame

          I guess next time when you need services, you will stay clear of ATOS, then, right ?

          Yeah, like it's that simple.

          The client, for whom we are providing our own software and services, have a relationship with ATOS, who provide them services, and we are tasked to provide an interface between ATOS and the client.

          It's not really sound business practice to go to the client and say, sorry, but we won't fulfill your 6-figure contract, because ATOS want to use TLS1.0.

  6. handleoclast

    Might not be cluelessness

    First rule of internetty stuff: Be prepared to back out changes. Fast.

    So I'm not convinced IBM were totally clueless in all this. You make a big change that affects customers, requiring them to upgrade and/or reconfigure stuff, you expect there may be problems so have a plan to revert.

    Furthermore, if I were doing something like this, I'd bet there was going to be at least one major player who was going to be caught with underwear around the ankles. Guaranteed. So my message to the PHBs would be that this change is going to be more of a kick in the arse to make sure people are really aware of the problem and do something about it.

    Of course, such a stance is indistinguishable (from an outside perspective) from sheer incompetence. So I remain unconvinced either way. Maybe IBM fucked up, maybe they played it smart.

    1. Hans 1

      Re: Might not be cluelessness

      I take it, IBM implemented the change on dev, then on test, then on production. I assume, and I know I am difficult to please, that IBM cloud have different environments for each and every customer where changes can be implemented, tested, then used in the production.

      If IBM really just removed TLS 1.0 on production without first doing so on dev and test, then I guess IBM have a serious problem. If IBM do not impose dev, test, and production environments on their customers, what are they waiting for ?

      Amateurs, a bunch of amateurs ... BTW, Big Blue, I think I am qualified for a CTO position at yours, interested ? Send me an offer!

      1. handleoclast

        Re: Might not be cluelessness

        +Hans 1

        Sure they could turn off TLS 1.0 on dev and test. I assume they did, but whether they did or not does not affect the outcome.

        The only way they could offer realistic test conditions to customers is to duplicate the production servers with all the customer data/configurations and then replicate the traffic received by production servers onto the test servers. How they check the results of that is a little problematic. Well, with some form of NAT they could possibly push the results onto an army of mechanical turks who could check what was requested against what was received, although the actual technology required would have to be far more complicated than that, and difficult to get right or prove that you have got it right.

        The only realistic way you can test if customers have made the changes you've been telling them for months that they have to make is flipping the switch and seeing who complains. But I might be wrong about that, if so I eagerly await your elegant solution.

  7. Stevie

    Bah!

    That's HOSING-scale provider.

  8. mako23

    No Surprises Here

    IBM Was once a byword for quality but after firing so many experienced white IT workers it's just living off reputation alone.

