I am doing a security assessment on the communication security of a legacy IoT device. So basically the objective is to assess and find security gaps in the current design/implementation. The mode of assessment is manual, primarily with reference to the existing design and code. This is only the client side at the device, while the server is a cloud-based server. The device is using a GSM module (SIMCom SIM900) and makes HTTPS communication to the server over the internet using GSM AT commands.
Based on my understanding of SSL/TLS, I am considering the below parameters or criteria for this assessment:
a. TLS protocol version
b. Cipher suites used
c. Certificate and key management
d. Root CAs installed on device
e. Embedded PKI aspect for device identity management
f. Hardware crypto aspect (SHE/TPM)
Am I doing it the right way? Though I think the above list of parameters is not specific to the device HW/SW platform, but rather generic. But I guess that’s how it should be! I mean the parameter list will be pretty much the same; however, the actual assessment of these will depend on security requirements and other aspects like device footprint & its platform etc.
Is the assessment parameter list I am considering good and adequate? I would appreciate your inputs to validate/correct my approach.
I understand SSL/TLS is the most commonly used data transmission protocol for secured communication. I need to implement the same in one of the IoT devices (ARM® Cortex®-M4 Core at 80 MHz). This will be a TLS client implementation.
Since the device is a small-scale device, I am looking for a lightweight SSL library (bearSSL, mbedSSL, ..) to use.
Device needs to store as well as transmit data to server; and I need to ensure a secured communication with data confidentiality and integrity; avoiding any possible attack (MITM,..).
However, as I got to read, there are vulnerabilities/pitfalls in SSL/TLS too. Does just using the right library ensure addressing them? Or are there specific things I need to do in my code implementation to address them?
Like right ciphersuite selection; generating and securely storing the keys (key management); …
Requesting some insight into this.
I am debugging my Windows app which has SSL/TLS pinning, and I want to bypass/remove it so I can debug the endpoints. How could I get the CLIENT_HANDSHAKE that the app uses?
I can definitely patch the app but not the code because it would make the app vulnerable. So how could I do this?
In the TLS Handshake a Certificate message is sent. This message contains the (chain of) certificates needed to validate the provided certificate of the communicating party.
However, I have also read some papers, and also defined in RFC5280, that the certification path process is challenging; and, an algorithm is needed to actually do the path construction.
This confused me, since during the TLS Handshake the chain of trust is provided in the Certificate message. Therefore I was wondering: Is a certification path algorithm also needed in the TLS protocol?
- If so, why is it needed? As far as I know, the Certificate message sends all the certificates in the chain of trust.
- If not, is it true then that the Certificate message does not (always) provide all the certificates in the chain? Or maybe, does the certification path algorithm not apply at all for SSL/TLS; but for what kind of protocols is it needed then?
While trying to answer this question it occurred to me that while there are many good answers about the strengths and weaknesses of SSL/TLS in terms a security professional or software developer can understand, there are not many good responses that a layman might be able to properly understand.
For instance, we describe some variants of TLS/SSL as “insecure”, which in the security world has a somewhat specialized meaning that might be summarized as “There’s some known vulnerabilities that significantly degrade the security, and you should likely disable this variant on your servers.”. A layman might interpret “insecure” as “simple to exploit”, which isn’t necessarily true.
So can someone provide a good layman’s explanation as to the current security level offered by SSL/TLS? The answer should include the resources of the attacker, the effort, resources, and access involved, and (possibly) the cost.
The answer might also include other ways to achieve the same goal without attacking SSL/TLS, and risks we all take for granted every day. (My credit card, for instance, was compromised and used for fraud last year when Newegg got hacked)
When setting up the WPForms WP Mail SMTP plugin, I got this choice:
Encryption: ( ) None ( ) SSL ( ) TLS
For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.
What do those options mean? Do they mean (like in normal conversation):
- SSL = SSLv3
- TLS = at least TLS 1.0
or do they mean (like in Outlook and some other mail clients):
I was assuming the latter, because that is really common with mail stuff.
But if that is the case, why would the plugin recommend to prefer “TLS” (STARTTLS, which is insecure) to “SSL” (TLS, which is safe)?
People trust green bars, because they are proven not to be of malicious origin.
This seems to be the question of hundreds, and many are concerned about it. Picture this: a team of fraudsters (or at least one) promotes their website to many people with the use of Facebook and Twitter advertising, which can be easily set up in no time. (1).
The fraudsters created a site, looking real etc., and as already said they have a verified EV certificate implemented. In what ways could such a thing be successfully done, and how do certificate distributors verify who is who (if it can be faked)? (2).
When communicating with a server using SSL/TLS via a VPN, can the VPN or ISP intercept the communication and understand the data being sent?
I have started learning Android pentesting. I want to know what SSL/TLS renegotiation is. A blog on McAfee’s website says that e-commerce apps use renegotiation. Can anyone tell me how they use this process?
I have an application where I’m planning the following setup:
user <-----------------> layer 1 server <------------------> backend server
      internet (https)                     RPC through VPN
So when a user makes a request, it goes through standard SSL/TLS to the layer 1 server, then that has a program that calls a software in another location through the internet, which is connected to the layer 1 server through an OpenVPN connection.
To simplify the design of my application, I’d prefer that the RPC connection is without SSL/TLS. I’m thinking of that VPN connection as a replacement to the security requirements of a TLS encrypted connection. Does this provide the same security level?
The RPC sends user/password data to the server, which it just forwards to the backend server after wrapping it with some other objects.
What are the expected drawbacks from such a design?