One of the top Alexa sites (central circle) protected by HTTPS, with subdomains (gray) and dependencies (white), some of which are vulnerable (stroke fill)

Nowadays, the HTTPS secure connection icon has become a standard and even a necessary attribute of any serious site. If there is no certificate , almost all recent browsers show a warning that the connection to the site is “not secure” and does not recommend transferring confidential information to it.

But it turns out that the presence of a “lock” in the address bar does not always guarantee protection. Checking 10,000 leading websites from Alexa’s ranking has shown that many of them are exposed to the critical vulnerabilities of the SSL / TLS protocols, usually through subdomains or dependencies. According to the authors of the study, the complexity of modern web applications repeatedly increases the attack surface.

Research results

The study was conducted by experts from the University of Venice Ca 'Foscari (Italy) and Vienna Technical University. They will present a detailed report at the 40th IEEE Symposium on Security and Privacy, which will be held May 20-22, 2019 in San Francisco.
')
10,000 of the most popular HTTPS sites on the Alexa list and 90,816 related hosts were tested. Vulnerable cryptographic configurations were detected on 5574 hosts, that is, approximately 5.5% of the total number:

• 4818 vulnerable to MITM
• 733 vulnerable to TLS full decryption
• 912 vulnerable to partial TLS decryption

898 sites are completely open for hacking, that is, they allow the injection of extraneous scripts, and 977 sites download content from weakly protected pages with which an attacker can interact.

Researchers emphasize that among the 898 “completely compromised” resources are online stores, financial services and other major sites. 660 of 898 sites download external scripts from vulnerable hosts: this is the main source of danger. According to the authors, the complexity of modern web applications repeatedly increases the attack surface.

Other problems were also found: 10% of the forms for authorizing problems with secure transmission of information that threaten to leak passwords, 412 sites allow for the interception of cookies and session hijacking, while 543 sites are subject to attacks on cookie integrity (through subdomains).

The problem is that in recent years a number of vulnerabilities have been identified in the SSL / TLS protocols and software: POODLE (CVE-2014-3566), BEAST (CVE-2011-3389), CRIME (CVE-2012-4929), BREACH (CVE -2013-3587) and Heartbleed (CVE-2014-0160). To protect against them, a number of server-side and client-side settings are required to avoid using old vulnerable versions. But this is a rather nontrivial procedure, because such settings involve the choice of an extensive set of ciphers and protocols that are difficult to understand. It is not always clear which sets of ciphers and protocols are considered “sufficiently secure”.

Recommended settings

There is no one officially approved and agreed list of recommended HTTPS settings. So, Mozilla SSL Configuration Generator offers several configuration options, depending on the required level of protection. For example, here are the recommended settings for the nginx 1.14.0 server:

Modern mode

Oldest supported clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

server { listen 80 default_server; listen [::]:80 default_server; # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # modern configuration. tweak to your needs. ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; resolver <IP DNS resolver>; .... } 

Average support

The oldest supported clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

 server { listen 80 default_server; listen [::]:80 default_server; # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /path/to/dhparam.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; resolver <IP DNS resolver>; .... } 

Old support

The oldest supported clients: Windows XP IE6, Java 6

 server { listen 80 default_server; listen [::]:80 default_server; # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /path/to/dhparam.pem; # old configuration. tweak to your needs. ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; resolver <IP DNS resolver>; .... } 

It is recommended that you always use the full cipher suite and the latest version of OpenSSL. The cipher suite in the server settings indicates the priority in which they will be used, depending on the client settings.

Research shows that it’s not enough to install an HTTPS certificate. “Although we don’t handle cookies like in 2005, and“ decent TLS ”has become commonplace, but it turns out that these basic things are not enough to ensure the security of a surprisingly large number of very popular sites,” the authors say . For reliable protection of the channel between the server and the client, you need to carefully monitor the infrastructure from your own sub-domains and third-party hosts from which content is supplied for the site. Maybe it makes sense to order an audit from some third-party company that specializes in information security.

---