1 – QED – Weak Encryption – Outside the stack

What is Weak Encryption?

In the ongoing war between hackers and the rest of us, most of us to find it hard to even understand the vulnerabilities, much less to keep up with the changes needed!

Weak Versions

SSL 2.0 / SSL 3.0 as well as TLS 1.0 and TLS 1.1 are considered weak due to a series of vulnerabilities (e.g., POODLE attack) that allow attackers to decrypt encrypted traffic. Some versions use a flawed padding scheme which can be exploited.

RC4 Stream Cipher

Once popular for its simplicity and speed, RC4 has multiple vulnerabilities that make it susceptible to attacks such as the Invariance Weakness and biases in the RC4 keystream. These vulnerabilities can be exploited to gradually reveal the plaintext from the ciphertext.

Weak Symmetric Key Algorithms

DES and Triple DES are symmetric-key algorithms which use keys which are considered too short to be secure. DES can be broken in a matter of hours with modern hardware, using brute-force attacks.

Weak Hashing Algorithms

Both MD5 and SHA-1 are hashing algorithms that have been found vulnerable to collision attacks, where two different inputs produce the same output hash. This weakness can be exploited in certificate forgery and other attacks. SHA-1, in particular, has been officially deprecated for security uses by many organizations.

Compliance: PCI

But the problem is that PCI, HIPAA and security auditors (rightfully!) want your organization to keep up with these changes!

But How to Comply?

What are the issues that large enterprises face when migrating to stronger versions of the TLS protocol? Click here to see? Do you recognize your own situation here?