8/24/2015

SSL / HTTPS: Check Your Security Certificate and Safety

A coworker called me today saying that he was getting the following message when he tried to edit something on WordPress:

Your connection is not private
 Attackers might be trying to steal your information from www.yourdomainname.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
 Advanced [Back to safety]

I told him I had no idea what he was talking about. He said he was using Google Chrome on a Mac. So, I asked him to send me a screen capture. He did, and I could see that the green security lock was now red with an "x" through it. Also, the beginning of the web address was red and had a strikethrough: https://

I asked him to click on the red "x" on the lock icon. He said there were two tabs: [Permissions] and [Connection]. I asked him to click on [Connection] and tell me what he saw.

He said that it read: "Your connection is using an obsolete cipher suite."

I asked him if he had updated his Chrome -- that it should automatically update, but could he check. He didn't know how. So, I asked him to click on Chrome's menu and to go to "About Chrome." He read me the version number and it seemed to be up to date except it may have been missing a few extra numbers. "Does it say anything else?"

"Yes, it says: Nearly up to date. Relaunch Google Chrome to finish updating."

Well, duh. Problem solved.

---

While checking out his situation I came across a good site that will check your site's security certificates and check for vulnerabilities.
You just punch in your domain name, and the web page comes back with lots of information about your server's setup.

Apparently, there was a protocol called SSL 3, and it has been susceptible to something called the POODLE attack. Eliminating this earned me a B. But adding to the SSLCipherSuite list got me an A-. I don't want to be too specific about the settings because I really don't understand them too well, but Mozilla has 3 different lists of configurations here:
https://wiki.mozilla.org/Security/Server_Side_TLS

I checked our server's support site, Linode, for information about this, and it said that we weren't necessarily vulnerable; however, there was a suggestion to edit an Apache file to make sure the site is secure.

https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
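
The Apache directive that decides whether SSL 3 is offered is `SSLProtocol`. The script below is an added example, not from the original post or from Linode: it evaluates each `SSLProtocol` line the way mod_ssl does and reports whether SSLv3 stays enabled. It assumes `all` includes SSLv3, as on Apache builds of that period, and the sample configuration is constructed.

```python
import re

# Protocol names covered by "all". Assumption: "all" includes SSLv3, as it
# did on Apache builds current when POODLE was published; newer builds differ.
KNOWN = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does:
    '+x' adds, '-x' removes, and a bare name replaces what came before."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        # Names outside KNOWN (for example SSLv2) contribute nothing here.
        chosen = KNOWN if name == "all" else {name} & KNOWN
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled


def audit(conf_text):
    """Return (line_number, directive_text, sslv3_enabled) per SSLProtocol line."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines do not match
        if match:
            weak = "sslv3" in effective_protocols(match.group(1))
            findings.append((number, line.strip(), weak))
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for number, text, weak in audit(SAMPLE):
        print(f"line {number}: {text} -> {'SSLv3 ENABLED' if weak else 'ok'}")
```

Each virtual host can carry its own `SSLProtocol` line, so every finding needs to be clean, not only the first.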
