Security assessment of a legacy SSL/TLS implementation on an IoT device

I am doing a security assessment on the communication security of a legacy IoT device. So basically the objective is to assess and find security gaps in the current design/implementation. The mode of assessment is manual, primarily with reference to the existing design and code. This covers only the client side at the device, while the server is a cloud-based server. The device uses a GSM module (SIMCom SIM900) and makes HTTPS communication to the server over the internet using GSM AT commands.

Based on my understanding of SSL/TLS, I am considering the parameters or criteria below for this assessment:

a. TLS protocol version

b. Cipher suites used

c. Certificate and key management

d. Root CAs installed on device

e. Embedded PKI aspect for device identity management

f. Hardware crypto aspect (SHE/TPM)

Am I doing it the right way? Though I think the above list of parameters is not specific to the device HW/SW platform but rather generic, I guess that’s how it should be! I mean the parameter list will be pretty much the same; however, the actual assessment against these will depend on security requirements and other aspects like device footprint, its platform, etc.

Is the assessment parameter list I am considering good and adequate? I would appreciate your inputs to validate/correct my approach.

Addressing SSL/TLS vulnerabilities in IoT Device client side implementation

I understand SSL/TLS is the most commonly used data transmission protocol for secured communication. I need to implement the same in one of the IoT devices (ARM® Cortex®-M4 core at 80 MHz). This will be a TLS client implementation.

Since the device is a small-scale device, I am looking for a lightweight SSL library (BearSSL, mbedTLS, ..) to use.

The device needs to store as well as transmit data to the server, and I need to ensure secured communication with data confidentiality and integrity, avoiding any possible attack (MITM, ..).

However, as I got to read, there are vulnerabilities/pitfalls in SSL/TLS as well. Will just using the right library ensure they are addressed? Or are there specific things I need to do in my code implementation to address them?

Like the right cipher suite selection; generating and securely storing the keys (key management); …

Requesting some insight into this.
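The question above asks what the application code itself must get right beyond picking a library. The following added example (mine, not from the poster, and written with Python's standard `ssl` module rather than an embedded library so it runs anywhere) shows the client-side settings that a TLS library will not enforce for you: peer certificate verification, hostname checking, a TLS 1.2 floor, and a cipher-suite allow-list. The same decisions map one-to-one onto BearSSL or mbedTLS client configuration calls on a Cortex-M4. The `audit_context` helper and the CA bundle path parameter are my own constructs; secure key storage is a separate concern not shown here.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The kind of context 'just using a TLS library' can produce when the
    developer switches verification off to make a test server work: the
    handshake still encrypts, but any MITM holding any certificate passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE  # accepts any (or no valid) server certificate
    return ctx


def hardened_client_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Client context suitable for a device talking to a single known backend.

    ca_pem_path (assumed, not from the original post) is the small, pinned set
    of roots the device trusts; a constrained device should not ship a full
    public CA bundle.  When None, the platform default store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED          # chain must validate to a trusted root
    ctx.check_hostname = True                    # and the name must match the server
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3/TLS 1.0/1.1 fallback
    ctx.options |= ssl.OP_NO_COMPRESSION         # TLS-level compression (CRIME class)
    # Allow-list: forward-secret key exchange with AEAD ciphers only (TLS <= 1.2;
    # TLS 1.3 suites are selected separately by the library and are all AEAD).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of gaps a reviewer would flag in a client TLS context.
    An empty list means the three basic client-side checks are in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

To actually connect, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; with the hardened context a wrong certificate or name fails the handshake instead of silently succeeding.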

Is a certification path construction algorithm needed for SSL/TLS?

In the TLS Handshake a Certificate message is sent. This message contains the (chain of) certificates needed to validate the provided certificate of the communicating party.

However, I have also read in some papers, and it is also stated in RFC 5280, that the certification path process is challenging and that an algorithm is needed to actually do the path construction.

This confused me, since during the TLS handshake the chain of trust is provided in the Certificate message. Therefore I was wondering: is a certification path algorithm also needed in the TLS protocol?

  • If so, why is it needed? As far as I know, the Certificate message sends all the certificates in the chain of trust.
  • If not, is it true then that the Certificate message does not (always) provide all the certificates in the chain? Or maybe the certification path algorithm does not apply at all for SSL/TLS; but for what kind of protocols is it needed then?
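As an added illustration of why a client still runs path construction on what the server sends: servers in practice send chains that are out of order, that omit an intermediate, or that end in a root the client does not have, so the client must assemble the path from the presented certificates plus its own trust anchors rather than trust the wire order. The example below is mine, not from the question or from RFC 5280 text; it models certificates as a toy record (subject, issuer, Subject/Authority Key Identifier with constructed values) and performs only the construction step. Signature verification, validity periods, name constraints and revocation are separate validation steps deliberately left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate holding only the fields that
    path construction needs.  ski/aki are constructed identifiers playing the
    role of the Subject / Authority Key Identifier extensions."""
    subject: str
    issuer: str
    ski: str
    aki: Optional[str]   # None for a self-signed root


class PathError(Exception):
    pass


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Pick the certificate in `pool` that issued `cert`.  Match on
    AKI -> SKI first (unambiguous even when two CAs share a name), then fall
    back to an issuer-name match for certs without key identifiers."""
    if cert.aki is not None:
        by_key = [c for c in pool if c.ski == cert.aki and c.subject == cert.issuer]
        if by_key:
            return by_key[0]
    by_name = [c for c in pool if c.subject == cert.issuer]
    return by_name[0] if by_name else None


def build_path(leaf: Cert, presented: List[Cert], trust_anchors: List[Cert],
               max_depth: int = 8) -> List[Cert]:
    """Return [leaf, intermediate..., trust_anchor], whatever order `presented`
    arrived in.  Raise PathError when the chain cannot be completed from the
    presented certificates plus the locally configured trust anchors."""
    anchors_by_subject = {a.subject: a for a in trust_anchors}
    path, seen, current = [leaf], {leaf}, leaf
    while True:
        # Stop as soon as the current cert chains to one of *our* anchors;
        # a root the server happens to send is irrelevant unless we trust it.
        anchor = anchors_by_subject.get(current.issuer)
        if anchor is not None and (current.aki is None or current.aki == anchor.ski):
            path.append(anchor)
            return path
        if len(path) >= max_depth:
            raise PathError("path too long")
        nxt = find_issuer(current, presented)
        if nxt is None:
            raise PathError(f"no issuer for {current.subject!r}: chain incomplete "
                            "and no matching trust anchor")
        if nxt in seen or nxt.subject == nxt.issuer:
            raise PathError("loop or untrusted self-signed certificate in chain")
        path.append(nxt)
        seen.add(nxt)
        current = nxt


def path_subjects(leaf: Cert, presented: List[Cert],
                  anchors: List[Cert]) -> Optional[List[str]]:
    """Convenience wrapper: subject names along the path, or None on failure."""
    try:
        return [c.subject for c in build_path(leaf, presented, anchors)]
    except PathError:
        return None


# Constructed sample hierarchy: root -> intermediate -> issuing CA -> server leaf.
ROOT = Cert("Example Root CA", "Example Root CA", ski="R1", aki=None)
INT1 = Cert("Example Intermediate CA 1", "Example Root CA", ski="I1", aki="R1")
INT2 = Cert("Example Issuing CA 2", "Example Intermediate CA 1", ski="I2", aki="I1")
LEAF = Cert("iot-backend.example.com", "Example Issuing CA 2", ski="L1", aki="I2")
TRUST_ANCHORS = [ROOT]   # what the client ships; the server never needs to send it

if __name__ == "__main__":
    print("in order:   ", path_subjects(LEAF, [LEAF, INT2, INT1], TRUST_ANCHORS))
    print("shuffled:   ", path_subjects(LEAF, [INT1, LEAF, INT2], TRUST_ANCHORS))
    print("missing INT1:", path_subjects(LEAF, [LEAF, INT2], TRUST_ANCHORS))
```

The shuffled case builds the same path as the ordered one, which is exactly the work a client does when the Certificate message is not a clean leaf-to-root sequence; the incomplete case shows that a server omitting an intermediate leaves the client unable to reach its anchor unless it fetches the missing certificate from elsewhere (e.g. an AIA URL) or has it cached.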

How secure is SSL/TLS, explained in layman's terms?

While trying to answer this question, it occurred to me that while there are many good answers about the strengths and weaknesses of SSL/TLS in terms a security professional or software developer can understand, there are not many good responses that a layman might be able to properly understand.

For instance, we describe some variants of TLS/SSL as “insecure”, which in the security world has a somewhat specialized meaning that might be summarized as “There are some known vulnerabilities that significantly degrade the security, and you should likely disable this variant on your servers.” A layman might interpret “insecure” as “simple to exploit”, which isn’t necessarily true.

So can someone provide a good layman’s explanation as to the current security level offered by SSL/TLS? The answer should include the resources of the attacker, the effort, resources, and access involved, and (possibly) the cost.

The answer might also include other ways to achieve the same goal without attacking SSL/TLS, and risks we all take for granted every day. (My credit card, for instance, was compromised and used for fraud last year when Newegg got hacked)

WP Mail SMTP: What do the SSL/TLS options mean?

When setting up the WPForms WP Mail SMTP plugin, I got this choice:

    Encryption: ( ) None ( ) SSL ( ) TLS
    For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.

What do those options mean? Do they mean (like in normal conversation):

  • SSL = SSLv3
  • TLS = at least TLS 1.0

or do they mean (like in Outlook and some other mail clients):

  • SSL = TLS

I was assuming the latter, because that is really common with mail stuff.

But if that is the case, why would the plugin recommend preferring “TLS” (STARTTLS, which is insecure) over “SSL” (TLS, which is safe)?

SSL/TLS Extended Validation implemented in fraudulent domains

People trust green bars, because it is proven not to be of malicious origin.

This seems to be the question of hundreds, and many are concerned about it. Picture that: a team of fraudsters (or at least one) promotes their website to many people with the use of Facebook and Twitter advertising, which can be easily set up in no time. (1)

The fraudsters created a fraudulent site, looking real etc., and as already said they have a verified EV certificate implemented. In what ways could such a thing be successfully done? How do certificate distributors verify who is who (if it can be faked)? (2)

Is it safe to use RPC with sensitive data through an encrypted VPN connection instead of SSL/TLS?

I have an application where I’m planning the following setup:

user  <-----------------> layer 1 server <------------------> backend server
          internet (https)                    RPC through VPN

So when a user makes a request, it goes through standard SSL/TLS to the layer 1 server; that server then has a program that calls software in another location over the internet, which is connected to the layer 1 server through an OpenVPN connection.

To simplify the design of my application, I’d prefer that the RPC connection be without SSL/TLS. I’m thinking of that VPN connection as a replacement for the security requirements of a TLS-encrypted connection. Does this provide the same security level?

The RPC sends user/password data to the server, which it just forwards to the backend server after wrapping it with some other objects.

What are the expected drawbacks from such a design?