St0rmz

Fixing SSL servers that support weak encryption

by nCircle Staff 06-20-2012 11:23 AM - edited 06-20-2012 11:33 AM

nCircle PureCloud scans hundreds of SMB networks each month looking for vulnerabilities that could leave the network open to cyber criminal attack. In May one of the highest risk vulnerabilities PureCloud discovered was weak encryption on SSL servers. This vulnerability was discovered on 24% of all networks scanned, and it was the second highest risk vulnerability discovered. 


Many people don't realize how many devices and systems include a web server. Firewalls, printers and even high end cameras often have small embedded web servers.

Often these servers are shipped with default configurations that don't even turn on SSL. If SSL is on by default, it almost always uses weak encryption. This problem is so insidious that it even hits larger corporations with dedicated security teams. Flame exploited weak encryption last week to bite Microsoft pretty hard.

Any vendor that ships a product with an embedded web server should do us all a favor and change their default configurations. Instead of forcing users to create exceptions to support strong encryption, it should be the other way around.

The good news, if there is any, is that weak encryption is a security vulnerability that's relatively easy to fix; you just have to find all the problems. The first step is to regularly scan your whole network. Don't make the mistake of just scanning the IPs you believe are in use. Scan the entire network. You might be surprised at what you find.

Anywhere you find a web server with weak encryption, fix it. Most of the time this is as easy as checking a box in a configuration menu, and most vendors have documentation that tells you how to do this.

Here are links for changing encryption levels in Microsoft and Apache products:

IIS

With Microsoft IIS, one needs to modify the registry settings located at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

You can refer to the following Microsoft Knowledge Base articles:

http://support.microsoft.com/kb/187498

http://support.microsoft.com/kb/245030

Apache

For Apache, you will need to modify the configuration file and change the SSLProtocol and SSLCipherSuite settings.  For example:

# "all" on its own also enables SSLv2 on OpenSSL builds that still ship it; exclude it explicitly
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

Examples and further discussion are available on the Apache website:

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
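As an added example (not from the post, nCircle or the Apache project), a small Python audit of the two Apache directives discussed above. It assumes the Apache 2.2 meaning of "all" in SSLProtocol and goes a step beyond the post by also treating SSLv3 as weak and by checking that anonymous (aNULL) suites are excluded for good.

```python
import re
# Apache 2.2 expansion of "all" in SSLProtocol; SSLv2 is part of it on OpenSSL
# builds that still ship SSLv2, so "SSLProtocol all" alone leaves it switched on.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-list keywords that admit weak, export-grade or unauthenticated suites.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "NULL",
                        "eNULL", "aNULL", "DES", "RC4", "MD5"}
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)

def enabled_protocols(value):
    """Resolve an SSLProtocol value such as "all -SSLv2" into the set it enables."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def weak_cipher_keywords(value):
    """Weak keywords an SSLCipherSuite value leaves in, following OpenSSL's ordering
    rules: "-X" removes X until it is listed again, "!X" removes it for good."""
    included, killed = set(), set()
    for piece in re.split(r"[:+]", value):  # ":" separates entries, "+" joins conjunctions
        if piece.startswith("!"):
            killed.add(piece[1:])
        elif piece.startswith("-"):
            included.discard(piece[1:])
        elif piece:
            included.add(piece)
    findings = sorted((included & WEAK_CIPHER_KEYWORDS) - killed)
    if "aNULL" not in killed:  # anonymous (unauthenticated) suites never excluded
        findings.append("aNULL not excluded")
    return findings

def audit_config(text):
    """Findings for the SSLProtocol/SSLCipherSuite lines of an Apache config text."""
    findings = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])  # full-line "#" comments are skipped
        if m and m.group(1).lower() == "sslprotocol":
            for proto in sorted(enabled_protocols(m.group(2)) & WEAK_PROTOCOLS):
                findings.append(f"SSLProtocol enables {proto}")
        elif m:
            findings += [f"SSLCipherSuite: {kw}" for kw in weak_cipher_keywords(m.group(2))]
    return findings

# Constructed samples: "all" with an unqualified cipher list, and a hardened equivalent.
WEAK_CONFIG = "SSLProtocol all\nSSLCipherSuite HIGH:MEDIUM\n"
HARDENED_CONFIG = "SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
```

Run `audit_config()` over a server's httpd config text; an empty list means the two directives admit neither SSLv2/SSLv3 nor the weak cipher keywords above.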

If you've got a device with an embedded web server that doesn't support strong encryption, hammer on their support team. And, now that you know you have a weak spot in your network, you can take extra precautions to protect yourself.

With weak encryption, forewarned is definitely forearmed.

Comments
by jeff_harrell on 06-20-2012 11:53 AM

I didn't even think about my printer at home...it definitely has a web server, and SSL is definitely not enabled. Add it to the honey-do list!

by on 06-21-2012 06:00 AM

Honestly, when I bring this up to my web admins and server admins I am amazed at getting the pushback. They figure they are running SSL so they are better than most. It's a simple fix, just do it! It won't break anything. Don't push back, just put it into your testing and make the updates. A single checkbox or entry into configurations and you're done. It's not a difficult or time intensive change - make it happen.

About Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy.
