How to Tell If Your Cloud Vendor is Bull*#$!-ing You About Security, Part 1: SSL
Last week Apple released an emergency security patch for iOS devices that addressed an implementation flaw in their use of Secure Sockets Layer (SSL). In short, the flaw allowed an attacker to masquerade as any secure site (such as Google, Amazon, or <insert your favorite financial site here>) to any iOS device. It turned out that the flaw also extended to other Apple clients, such as Mac OS X, for which Apple is creating a fix as you read this.
While SSL is fresh on everyone’s mind, I thought I’d start with that topic first in Part 1 of our “How to Tell If Your Cloud Vendor is Bull*#$!-ing You About Security” series.
What is SSL?
SSL stands for Secure Sockets Layer. It’s the standard technology that most Web sites use today to establish an encrypted link between themselves and their customers, usually through a Web browser. So each time you purchase something online, bank online or access your email, it is typically done over an encrypted SSL link. It’s this link that helps protect your private data (like passwords and credit card numbers) as it’s transmitted from your system across the Internet. For the regulated folks (HIPAA, PCI, etc.) reading this article, SSL is commonly used to address “data protection in transit” and “data integrity in transit” requirements.
SSL, like any technology, can be implemented the wrong way or the right way. Cloud vendors often tout their use of SSL as validation that their service is “secure” and worthy of your trust. We respectfully disagree, and think that a $50/year SSL certificate alone is not the security silver bullet that people often make it out to be. To protect data today, you need to implement a series of controls working together: sound application security development practices, policies and great training.
But if someone is going to play that game with you, here’s how you can check their use of SSL.
Your Free SSL Bull*#$! Detector
There’s a free service from a pretty well-known security company named Qualys called the SSL Server Test. The SSL Server Test lets you punch in a Web server address; it then runs that server through a series of SSL security tests and points out what the server is doing correctly and what it’s not. To use the SSL Server Test:
- Go to https://www.ssllabs.com/ssltest/.
- Type in the Web server you want to test (e.g. www.your-vendors-service-address.com).
- Check the “Do not show results on the boards” option (this is optional — it just controls whether results will be made public or not).
- Press the Submit button.
When the SSL Server Test is done, it’ll provide a rating for the site along with a list of the checks it performed and their results. A rating of A+ is really not that hard to achieve (feel free to ask us how), so anything less is a red flag in our opinion.
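If you want to do a first-pass check of a vendor’s endpoint yourself before (or after) running it through the SSL Server Test, the script below is an added example written for this article; it is not code from Qualys, Apple, or the original post. It shows the two things discussed above: the “wrong way” to use SSL (a client that skips certificate and hostname verification, which is exactly what lets a server masquerade as any secure site) next to the “right way” (Python’s default verifying context), and a small checklist that flags weak protocol versions, weak cipher strength and expiring certificates. The thresholds, the host names and the sample results are constructed assumptions for illustration; they are not the SSL Server Test’s grading rules.

```python
import ssl
import socket
import sys
from datetime import datetime, timezone, timedelta

# Protocol versions worth flagging; a constructed list for this example,
# not a copy of the SSL Server Test's own grading rules.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def insecure_context():
    """The wrong way: verification off, so any server can masquerade as any site."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """The right way: the default context validates the chain and the hostname."""
    return ssl.create_default_context()


def context_verifies(ctx):
    """True only if the context both checks the hostname and requires a valid chain."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def assess(protocol, cipher_bits, not_after, now):
    """Pure checklist over values a probe collected; returns a list of findings."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"weak protocol {protocol}")
    if cipher_bits < 128:
        findings.append(f"cipher strength {cipher_bits} bits < 128")
    if not_after <= now:
        findings.append("certificate expired")
    elif (not_after - now).days < 30:
        findings.append("certificate expires within 30 days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect with a verifying context and collect (protocol, cipher bits, notAfter).

    A handshake failure here already tells you something: the server presented
    a certificate that does not validate for that name.
    """
    ctx = secure_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            _name, _proto, bits = tls.cipher()
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return tls.version(), bits, not_after


# Constructed reference date and sample probe results, standing in for what
# probe() would return against a real endpoint (hypothetical host names).
NOW = datetime(2014, 3, 7, tzinfo=timezone.utc)
SAMPLE_RESULTS = {
    "good-vendor.example": ("TLSv1.2", 256, NOW + timedelta(days=400)),
    "weak-vendor.example": ("SSLv3", 40, NOW + timedelta(days=10)),
}


def assess_sample(host):
    """Run the checklist over one of the constructed sample results."""
    return assess(*SAMPLE_RESULTS[host], now=NOW)


if __name__ == "__main__":
    # Usage: python ssl_check.py vendor.example.com  (no argument: sample data)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        protocol, bits, not_after = probe(host)
        findings = assess(protocol, bits, not_after, datetime.now(timezone.utc))
    else:
        host = "weak-vendor.example"
        findings = assess_sample(host)
    print(host, "->", findings or ["no findings"])
```

The point of keeping `assess()` separate from `probe()` is that the checklist can be reviewed and unit-tested without network access, while `probe()` deliberately uses only the verifying context: if you ever find yourself reaching for `insecure_context()` to make a vendor’s endpoint “work”, that is itself the red flag.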
The SSL Server Test is very well known amongst IT and security pros. And now you have it in your security arsenal as well. Thanks for reading and see you next Friday,