December 15, 2015 By David Strom 3 min read

Since the Heartbleed vulnerability of 2014, more IT managers have been concerned about the integrity of their SSL encryption, TLS services and the supporting code libraries behind them. And while most SSL technology vendors have patched their servers since then, there are still many ways to abuse weaknesses in this encryption protocol that you should be aware of. A new series of free SSL server tests from High-Tech Bridge can help highlight such problems and show you how your Internet traffic is actually being encrypted.

The tests claim to take into account the Payment Card Industry (PCI) and National Institute of Standards and Technology (NIST) guidelines and evaluate SSL servers based on their compliance. The scoring process is very transparent and clearly shown on the website. This isn’t the only SSL/TLS test tool; OWASP has a list of numerous others, including commercial tools from Qualys and Tenable. But High-Tech Bridge’s focus is a good starting place for enterprise security managers.

SSL Encryption Tests Lead to Insight, Right?

The one issue that I have with the High-Tech tests may be that they provide too much information. When I ran the evaluations on my own server, I was overwhelmed with data and wasn’t quite sure what I should actually do to remediate the various issues, given that I depend on service providers to host my accounts.

Included in the results are details about where your SSL certificate was purchased, the size of the Diffie–Hellman key, which versions of the TLS protocol are supported and whether the certificate is an extended validation (EV) certificate. These are all technical terms that will require further study if they aren’t familiar — and that is partly the point of the tests. If you aren’t an SSL specialist, they might motivate you to learn more about the SSL encryption strength you rely on to protect your network and application infrastructure.

To illustrate what its tool can do, High-Tech Bridge published a blog post rating the SSL configurations of several Web-based email providers, showing how vulnerable such services can be. With these results, you can begin to see some real-world applications of SSL encryption and understand the true impact of a grade. The email tests ranged from a top score for FastMail to an initial failing grade for Hushmail.

I have been a Hushmail user for more than a decade and was surprised by the low score since I thought it was one of the more solid encrypted email providers. But it turns out Hush was using older SSL encryption practices, and its low score motivated it to make some changes.

When I spoke to Hush CTO Brian Smith, he told me the company was using 1024-bit Diffie–Hellman keys rather than the 2048-bit keys that are now more common. (Stack Exchange has an interesting discussion thread on the subject if you would like to learn more.) Hush also had not set one of its configurations of Nginx, the Linux servers used for its product, at the most appropriate levels. When the organization made these two changes, its grade improved.
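Below, as an added illustration and not Hushmail’s actual configuration (which the article does not reproduce), is a constructed Nginx TLS server block with weaknesses of the kind described above, followed by a corrected version; the hostname and file paths are placeholders.

```nginx
# Weak configuration of the kind an SSL server test flags (constructed example).
server {
    listen 443 ssl;
    server_name mail.example.com;                      # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Still offers SSLv3 alongside the TLS versions.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # No ssl_dhparam: older Nginx builds fall back to built-in
    # 1024-bit Diffie-Hellman parameters for DHE cipher suites.
    ssl_ciphers HIGH:!aNULL:!MD5;
}

# Corrected configuration (also constructed) showing the two kinds of
# change described in the article: a 2048-bit DH group and tightened settings.
server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Drop SSLv3; keep only TLS versions.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # 2048-bit DH parameters, generated once on the server with:
    #   openssl dhparam -out /etc/nginx/tls/dhparam2048.pem 2048
    ssl_dhparam /etc/nginx/tls/dhparam2048.pem;

    # Prefer forward-secret ECDHE/DHE suites with AEAD ciphers, and let the
    # server rather than the client decide the order.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
}
```

After reloading Nginx, rerunning the same server test is the quickest way to confirm that the DH key size and offered protocol versions now match what you intended.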

What We Can Learn

Smith said that the High-Tech Bridge exercise “wasn’t about getting a good grade, but to make things as secure as possible for our customers. It made us look more carefully at these various configuration items. While our customers weren’t exposed to any risk, it gave us an incentive to accelerate upgrading our various processes and made it easy for us to make changes to our systems.”

Still, he was glad that the free SSL encryption tests are available. “These tests are a great way for people to quickly get some perspective on the state of their website and SSL encryption,” he said. “There are still a lot of issues surrounding email encryption that need further study.”

What the email grades drove home for me was that many Web-based applications depend on both the client and server pieces to deliver the best security possible. You have to look for weaknesses in both elements if you are going to do the best possible job patching problems. If you look over the SSL email test results, you can see that the grades depend on the particular email client used to connect to the email service provider; some clients implement SSL encryption more securely than others.

Part of the issue for IT managers is that inventorying the email clients used across your enterprise isn’t very easy. Unlike looking at your website log files, where you can immediately see browser user-agent counts and other data, getting data on your email clients will take more effort and require you to examine both received and sent message headers, among other information.
