HTTPS is not always as secure as it seems. Vulnerabilities found in 5.5% of HTTPS sites


    One of the Alexa top sites (center circle), protected by HTTPS, with its subdomains (gray) and dependencies (white), some of which are vulnerable (hatched)

    Nowadays, the secure HTTPS connection icon has become a standard and even necessary attribute of any serious site. If the certificate is missing, almost all recent browsers show a warning that the connection to the site is “not secure” and do not recommend sending confidential information to it.

    But it turns out that the presence of a “lock” in the address bar does not always guarantee protection. A check of the 10,000 leading sites from the Alexa ranking showed that many of them are subject to critical vulnerabilities in the SSL/TLS protocols, usually through subdomains or dependencies. According to the authors of the study, the complexity of modern web applications greatly increases the attack surface.

    Research results


    The study was conducted by experts from Ca' Foscari University of Venice (Italy) and Vienna Technical University. They will present a detailed report at the 40th IEEE Symposium on Security and Privacy, which will be held May 20-22, 2019 in San Francisco.

    10,000 of the most popular HTTPS sites from the Alexa list and 90,816 related hosts were checked. Vulnerable cryptographic configurations were detected on 5574 hosts, i.e. approximately 5.5% of the total:

    • 4818 vulnerable to MITM
    • 733 vulnerable to full decryption of TLS
    • 912 vulnerable to partial TLS decryption

    898 sites are completely open for hacking, that is, they allow injection of extraneous scripts, and 977 sites download content from weakly protected pages with which an attacker can interact.

    Researchers emphasize that among 898 “completely compromised” resources are online stores, financial services and other large sites. 660 of 898 sites download external scripts from vulnerable hosts: this is the main source of danger. According to the authors, the complexity of modern web applications greatly increases the attack surface.
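An added example (not code from the study or from this article): a minimal inventory of the hosts a page loads scripts from, which is the set of machines whose TLS configuration the page depends on. The sample HTML and the example domains are constructed, and the site's registrable domain is passed in by hand because deriving it reliably needs the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; all host names are reserved example domains.
SAMPLE_URL = "https://www.shop.example/cart"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.shop.example/lib.js"></script>
<script src="https://stats.example.net/t.js"></script>
<script src="http://widgets.example.org/w.js"></script>
<script>var inline = true;</script>
</head></html>"""

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def script_hosts(page_url, html, site_domain):
    """Map each host that serves a script to (relation, set of URL schemes)."""
    parser = ScriptSources()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = {}
    for src in parser.srcs:
        url = urlsplit(urljoin(page_url, src))   # resolves relative and //host URLs
        host = url.hostname
        if not host:                             # e.g. data: URLs have no host
            continue
        if host == page_host:
            relation = "same-host"
        elif host == site_domain or host.endswith("." + site_domain):
            relation = "subdomain"
        else:
            relation = "third-party"
        hosts.setdefault(host, (relation, set()))[1].add(url.scheme)
    return hosts

def hosts_to_audit(page_url, html, site_domain):
    """Hosts other than the page's own whose TLS setup the page relies on."""
    found = script_hosts(page_url, html, site_domain)
    return sorted(h for h, (rel, _) in found.items() if rel != "same-host")

if __name__ == "__main__":
    print(hosts_to_audit(SAMPLE_URL, SAMPLE_HTML, "shop.example"))
```

A script fetched over plain `http` shows up with that scheme in the result, so the same pass also surfaces mixed-content dependencies.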

    Other problems were discovered: 10% of login forms have problems with the secure transmission of information, which could lead to a password leak, 412 sites allow the interception of cookies and "session hijacking", and 543 sites are susceptible to attacks on cookie integrity (via subdomains).

    The problem is that in recent years a number of vulnerabilities have been identified in the SSL/TLS protocols and software: POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE-2013-3587) and Heartbleed (CVE-2014-0160). To protect against them, a number of settings are required on the server and client side to avoid the use of old vulnerable versions. But this is a rather non-trivial procedure, because it means choosing from an extensive set of ciphers and protocols that are difficult to understand. It is not always clear which particular sets of ciphers and protocols are considered “quite safe”.

    Recommended Settings


    There is no single officially approved and agreed list of recommended HTTPS settings. For instance, the Mozilla SSL Configuration Generator offers several configuration options, depending on the level of protection required. For example, here are the recommended settings for an nginx 1.14.0 server:

    Modern mode


    Oldest supported clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
    }
    server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
    }

    Intermediate mode


    Oldest supported clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
    }
    server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
    }

    Old mode


    Oldest supported clients: Windows XP IE6, Java 6

    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
    }
    server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    # old configuration. tweak to your needs.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
    }

    It is recommended that you always use the full cipher suite list and the latest version of OpenSSL. The order of the cipher suites in the server settings indicates the priority in which they will be used, depending on the client settings.
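An added example (not part of the Mozilla generator or of the study): a small checker that reads the `ssl_protocols`, `ssl_ciphers` and HSTS directives from an nginx server block and reports the settings tied to the attacks named earlier. The two sample configs are constructed, shortened versions of the profiles above, and the rule that a suite name without GCM, CHACHA20 or RC4 is a CBC suite is this example's assumption.

```python
import re

# Constructed samples: shortened versions of the "modern" and "old" profiles above.
MODERN = """ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256';
add_header Strict-Transport-Security max-age=15768000;"""
OLD = """ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:AES128-SHA:!aNULL:!RC4';
add_header Strict-Transport-Security max-age=15768000;"""

FS_PREFIXES = ("ECDHE", "DHE", "EDH", "kEDH")   # ephemeral key exchange in OpenSSL names
HSTS_RE = re.compile(r"""Strict-Transport-Security\s+("[^"]*"|'[^']*'|[^;]*)""")

def directive(conf, name):
    """Value of the first `name ...;` directive with quotes stripped, or ''."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]*);", conf, re.M)
    return m.group(1).strip().strip("'\"") if m else ""

def is_cbc(suite):
    # Assumption: an OpenSSL suite name that is not GCM, CHACHA20 or RC4 is a CBC suite.
    return not any(tag in suite for tag in ("GCM", "CHACHA20", "RC4"))

def audit_tls(conf):
    """Return the findings for one nginx server block given as text."""
    protocols = set(directive(conf, "ssl_protocols").split())
    suites = [s for s in directive(conf, "ssl_ciphers").split(":")
              if s and not s.startswith("!")]          # skip exclusions such as !DSS
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: POODLE (CVE-2014-3566)")
    if protocols & {"SSLv3", "TLSv1"} and any(is_cbc(s) for s in suites):
        findings.append("CBC suites with TLS 1.0 or older: BEAST (CVE-2011-3389)")
    if any("DES-CBC3" in s for s in suites):
        findings.append("3DES suites offered")
    if any(not s.startswith(FS_PREFIXES) for s in suites):
        findings.append("suites without forward secrecy offered")
    hsts = HSTS_RE.search(conf)
    if hsts is None:
        findings.append("no HSTS header")
    elif "includesubdomains" not in hsts.group(1).lower():
        findings.append("HSTS does not cover subdomains")
    return findings

if __name__ == "__main__":
    for name, conf in (("modern", MODERN), ("old", OLD)):
        print(name, audit_tls(conf))
```

The HSTS finding matters for the subdomain problems the study describes: without `includeSubDomains`, the policy applies only to the host that sent the header.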

    Research shows that installing an HTTPS certificate is not enough. “Although we don’t process cookies like in 2005, and decent TLS has become a commonplace, it turns out that these basic things are not enough to provide security for a surprisingly large number of very popular sites,” say the authors of the work. For reliable protection of the channel between the server and the client, you need to carefully monitor the infrastructure of your own subdomains and of the third-party hosts from which content for the site is supplied. It may make sense to order an audit from a third-party company that specializes in information security.



