Keeping clients' computers safe and profitable for over 30 years | |||
Home Forms About Current Newsletter subscribe Search All Articles
Browse by Category
|
SSL Labs: Check your securityWhen we connect to banks, credit unions, online stores, our medical records, or our doctor's web interface, we expect them to maintain competent security. Often we are disappointed. Now we have a very good test, which will look at the security of our connection to our private information holders and tell us how well they are doing. I recommend you run this test on banks, hospitals or doctors who hold your medical records, investment firms, and any online company who has an account you log in to which holds private information like your credit card number. Sample Results:
Don't worry about the whole report. Just look at the summary. The above was from a major (perhaps the major) national health care provider. They are not providing a secure connection when you log into your account. If they can't do this simple thing, it is unlikely they can protect your data from hackers. Let's examine the report. Interpreting the ResultsWhat we are examining is the secure connection to their site provided when you log in to your account. This is the SSL (or TLS) connection. I wrote an article explaining how SSL works here. A supposedly secure connection is made when you see HTTPS and a padlock in the address bar. Essentially, a good secure connection will allow you and the website to communicate securely and privately even if someone is intercepting and watching all the communications. SSL Labs tests five aspects of that connection.
The most common problem is that someone inserts themselves between you and the host server, then they take your commands and resend them to the host. A good secure connection will work even if the person in-between can see everything. Even if all your communications are intercepted, examined and then passed on, they will still be secure because the person in-between will not be able to see the information.
Proper Secure connections will do 4 things:
As time has passed, weaknesses were found. Then improvements were made. Further weaknesses were found and more improvements made. So, there are many protocols, methods to negotiate a key, and encryption methods. The person who wants to break your connection, will intercept the communications and claim it doesn't know how to do the more secure protocols, trying to force the server to use some weak protocols, keys, and encryption. If they are successful, you have lost your security.
SSL Labs tests 5 things:
So, if there were a "man in the middle" between you and the Medical Center's server, as shown in the sample above, they could get the server to agree on a sub-optimal protocol, a short key, and a weak method of encryption. I wouldn't want to trust my data to them.
How to run the testBe sure you go to a login page. Some companies have an insecure front page, and then move to another server for their secure login. Just go to login and copy the address.
Then paste it into the Domain Name entry field at SSL Labs test page.
What to do with the resultsI would like you to call or email any vendor you have who fails to get an A on these tests. If you score over 80, you get an A. Less than 80 is too insecure for me.
Why are so many healthcare sites using weak encryption and weak keys?After World War II, England and America felt they were ahead in cryptography. They classified encryption as a munition and restricted export. They refused to allow export of any software using keys over 40 bits. 40 bits was short enough that even in the 1970s and 1980s it could be cracked easily. In 1996 President Clinton removed software from the munitions category and placed it under the commerce department, effectively removing these restrictions. However, servers still come with these cipher suites enabled.
So why are so many healthcare records sites still allowing such insecure encryption technology to be used, when banks and e-commerce businesses refuse to and 12 years ago the NIST set a better standard? Apparently, they just don't know they need to remove these options from the servers they bought.
Supplemental MaterialI have another document with supplemental material to help you. I've included my results from many tests plus an SSL timeline and two sample emails to failing vendors. Date: August 2013
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. |
||
|