Since the Heartbleed vulnerability of 2014, more IT managers have been concerned about the integrity of their SSL encryption, TLS services and associated supporting code libraries. And while most SSL technology vendors have patched their servers since then, there are still many ways to take advantage of this encryption protocol that you should be aware of. A new series of free SSL server tests from High-Tech Bridge can help highlight any problems and potentially show you what is going on with how you encrypt your Internet traffic.
The tests claim to take into account the Payment Card Industry (PCI) and National Institute of Standards and Technology (NIST) guidelines and evaluate SSL servers based on their compliance. The scoring process is very transparent and clearly shown on the website. This isn’t the only SSL/TLS test tool; OWASP has a list of numerous others, including commercial tools from Qualys and Tenable. But High-Tech Bridge’s focus is a good starting place for enterprise security managers.
SSL Encryption Tests Lead to Insight, Right?
The one issue that I have with the High-Tech tests may be that they provide too much information. When I ran the evaluations on my own server, I was overwhelmed with data and wasn’t quite sure what I should actually do to remediate the various issues, given that I depend on service providers to host my accounts.
Included in the results are details about where your SSL cert was purchased, the size of the Diffie–Hellman encryption key, what versions of TLS security protocols are supported and whether the certificate is an extended validation (EV) certificate. These are all technical terms that will require further study if they aren’t familiar — and that is partly the point of the tests. If you aren’t an SSL specialist, they might motivate you to learn more about the SSL encryption strength you are using to protect your network and application infrastructure.
To illustrate what its tool can do, High-Tech Bridge published a blog post that rates the SSL configuration of several Web-based email providers, showing how vulnerable such services can be. With these results, you can begin to see some real-world applications of SSL encryption and understand the true impact of a grade. The email tests ranged from a top score for FastMail to an initial failing grade for Hushmail.
I have been a Hushmail user for more than a decade and was surprised by the low score since I thought it was one of the more solid encrypted email providers. But it turns out Hush was using older SSL encryption practices, and its low score motivated it to make some changes.
When I spoke to Hush CTO Brian Smith, he told me the company was using 1024-bit Diffie–Hellman keys rather than the 2048-bit keys that are now more common. (Stack Exchange has an interesting discussion thread on the subject if you would like to learn more.) Hush also had not set one of the configuration options of Nginx, the web server software running on the Linux servers used for its product, to the most appropriate level. When the organization made these two changes, its grade improved.
What We Can Learn
Smith said that the High-Tech Bridge exercise “wasn’t about getting a good grade, but to make things as secure as possible for our customers. It made us look more carefully at these various configuration items. While our customers weren’t exposed to any risk, it gave us an incentive to accelerate upgrading our various processes and made it easy for us to make changes to our systems.”
Still, he was glad that the free SSL encryption tests are available. “These tests are a great way for people to quickly get some perspective on the state of their website and SSL encryption,” he said. “There are still a lot of issues surrounding email encryption that need further study.”
What the email grades drove home for me was that many Web-based applications depend on both the client and server pieces to deliver the best security possible. You have to look for weaknesses in both elements if you are going to do the best possible job patching problems. If you look over the SSL email test results, you can see that the grades depend on the particular email client used to connect to the email service provider; some clients implement SSL encryption more securely than others.
Part of the issue for IT managers is that finding the email client portfolio used across your enterprise isn’t very easy. Unlike looking at your website log files, where you can immediately see the browser agent numbers and other data, getting data on your email client will take more effort and require you to examine both received and sent message headers, among other information.