SSL, SSL - Where Art Thou SSL?

Published: 2015-07-08. Last Updated: 2015-07-08 01:54:05 UTC
by Rob VandenBrink (Version: 1)
2 comment(s)

In the security community, the deprecation of SSL has been hailed as a good thing by almost everyone.  Not only has SSL been deprecated, it's been deprecated with extreme prejudice, and with extreme rapidity.  And not just in browsers (see Johannes's story here https://isc.sans.edu/diary/19323 )

However, it's become apparent in recent weeks that while most website administrators have caught up quickly to the new reality of TLS-Only encryption in browsers, many system administrators have been caught flat-footed.

Just in the last couple of weeks, I've worked with system administrators who have had problems administering critical system infrastructure, infrastructure that uses SSL for it's HTTPS connection, and does support TLS.  While the vendors of this infrastructure will quickly point out that a firmware update to their gear will quickly solve this problem, these firmware updates have almost universally come late to the party - in a lot of cases they haven't been available until fairly recently.

Admins are often caught off-guard, not realizing that they're browser update has broken their infrastructure admin until something important happens, something that requires adding a SAN LUN, adding Fiber Channel Zones for that new pod of servers, or doing a remote power off / power on of a critical server using its remote console board.

Stuff that I have seen personally has included (Vendor names left out, sorry):

  • SAN Administration consoles from at least 3 vendors
  • Firewall and IPS admin consoles (yes, really)
  • "Big Iron" Unix remote admin board
  • Popular Server remote admin boards from several vendors

The catch-22 in this situation is that, looking at this list, all of these things are very tough to book intrusive administration for.  Scheduling a firmware update for the admin console of your SAN for instance can be a very challenging task - IT Management is likely to use terms like "Outage", "Risk", often with the word "Unacceptable" in the same sentence.  For things like your large Solaris or AIX Servers, Storage systems and so on, management is often much more comfortable NOT approving patches or updates, electing instead to isolate them to a secured vlan.  .... Or worse yet, to not patch them and NOT isolate them.

(Mind you, the golden rules of pentesting include things like "secured vlans aren't" and "air gap networks are isolated, except for that one wire or one firewall rule ..".)

What have you found that you couldn't admin because of SSL deprecation?  Was an update available?  And if so, did you kick yourself for not applying it 2 years ago, or was the paint still wet on the update?  Have you applied an update to deal with this, and found that it broke something else?

Please, share on our comment form.  And feel free to include vendor names - just because I can't doesn't limit you that way!

 

===============
Rob VandenBrink
Metafore

Keywords:
2 comment(s)

Comments

About 3/4 of the devices in our ICS environment, but it didn't really surprise me to see that.

Terry
After SSL comes TLS 1.0


Some of our security appliances only support up to TLS 1.0; and PCI DSS 3.1 is saying no to SSL 3.0 and TLS 1.0.
This is tricky.

As per requirement 2.2.3
"SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place."

Diary Archives