Showing posts with label https. Show all posts

8/24/2015

SSL / HTTPS: Check Your Security Certificate and Safety

A coworker called me today saying that he was getting the following message when he tried to edit something on WordPress:

Your connection is not private
 Attackers might be trying to steal your information from www.yourdomainname.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
 Advanced [Back to safety]
I told him I had no idea what he was talking about. He said he was using Google Chrome on a Mac. So, I asked him to send me a screen capture. He did, and I could see that the green security lock was now red with an "x" through it. The beginning of the web address was also red and had a strikethrough: https://

I asked him to click on the red "x" on the lock icon. He said there were two tabs: [Permissions] and [Connection]. I asked him to click on [Connection] and tell me what he saw.

He said that it read: "Your connection is using an obsolete cipher suite."

I asked him if he had updated his Chrome -- that it should automatically update, but could he check. He didn't know how. So, I asked him to click on Chrome's menu and to go to "About Chrome." He read me the version number and it seemed to be up to date except it may have been missing a few extra numbers. "Does it say anything else?"

"Yes, it says: Nearly up to date. Relaunch Google Chrome to finish updating."

Well, duh. Problem solved.

---

While checking out his situation I came across a good site that checks your site's security certificate and server configuration for known vulnerabilities.
You just punch in your domain name, and the web page comes back with lots of information about your server's setup.

Apparently, there was a protocol called SSL 3, and it is susceptible to something called the POODLE attack. Eliminating it earned me a B. Adding to the SSLCipherSuite list got me an A-. I don't want to be too specific about the settings because I really don't understand them too well, but Mozilla has 3 different lists of configurations here:
https://wiki.mozilla.org/Security/Server_Side_TLS
I checked the support site of our hosting provider, Linode, for information about this. It said that we weren't necessarily vulnerable; however, there was a suggestion to edit an Apache file to make sure the site is secure.

https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
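As an added example (not code from the original post, from Linode, or from Mozilla), here is a small Python linter for the two Apache mod_ssl directives the post mentions, SSLProtocol and SSLCipherSuite, run over two constructed config fragments: one that still allows SSL 3 and one after the fix. The cipher strings in the hardened fragment are constructed for illustration, not a recommended suite; the Mozilla guide linked above is the place to get a current list.

```python
"""Lint the mod_ssl directives an Apache vhost uses for TLS.

Added example: flags SSLv3 left enabled (the POODLE exposure), explicitly
enabled weak cipher tokens, and a missing SSLHonorCipherOrder.
"""
import re

# Constructed sample: a vhost fragment that still allows SSLv3 and RC4.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL:RC4+RSA
"""

# Constructed sample: the same fragment after disabling SSLv2/SSLv3 and
# restricting ciphers (illustrative suite names, not a recommendation).
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4
"""

# Cipher-string tokens that should only ever appear with a leading '!'.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "EXP", "NULL",
                      "aNULL", "eNULL", "LOW"}


def parse_directives(config):
    """Return {directive: value} for each non-comment line of the fragment."""
    directives = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def sslv3_allowed(protocol_value):
    """True if an SSLProtocol value leaves SSLv3 enabled."""
    tokens = protocol_value.split()
    if "SSLv3" in tokens or "+SSLv3" in tokens:
        return True
    # 'all' turns on every protocol unless one is subtracted with '-'.
    return "all" in (t.lower() for t in tokens) and "-SSLv3" not in tokens


def weak_ciphers_enabled(cipher_value):
    """Weak tokens that are explicitly enabled (not prefixed with '!').

    Limitation: a bare ALL or DEFAULT keyword can pull in weak ciphers too;
    this check only looks at tokens that are named directly.
    """
    found = set()
    for group in cipher_value.split(":"):
        if group.startswith("!"):
            continue  # '!' means the token is excluded, which is what we want
        for token in re.split(r"[+\-]", group):
            if token in WEAK_CIPHER_TOKENS:
                found.add(token)
    return found


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(config)
    findings = []
    proto = d.get("SSLProtocol")
    if proto is None or sslv3_allowed(proto):
        findings.append("SSLv3 still enabled (POODLE); "
                        "use e.g. 'SSLProtocol all -SSLv2 -SSLv3'")
    weak = weak_ciphers_enabled(d.get("SSLCipherSuite", ""))
    if weak:
        findings.append("weak cipher tokens enabled: " + ", ".join(sorted(weak)))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; "
                        "the client may pick a weaker suite")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Running it prints three findings for the weak fragment and OK for the hardened one; pointing parse_directives at a real vhost file is the only change needed to use it on a server.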

10/25/2009

Is it safe and secure to send query string data using https / ssl URL?

When you send data using a query string, is it encrypted / hidden? 

Can anyone see my variable values when I submit with them using a web address / GET request?


I've been wondering this for a long while. And the answer is:
YES (probably).

In theory, your browser would do something like this:
  • Read in your request: https://someaddress.com/?mypassword=bugsbunny&creditcard=123412341234
  • Resolve the address to someaddress.com: 255.254.253.252
  • Connect with the web server at that IP address (port 443) using a secure handshake with SSL.
  • Transmit your encrypted request.
  • Disconnect.
If that's good enough for your purposes, you're probably okay.
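To make the steps above concrete, here is an added Python example (not code from the original post) that splits the sample URL into the parts a network observer can see and the parts that travel inside the encrypted connection, and then builds the request line and a sample Common Log Format entry. The client IP and timestamp in the log line are constructed. The point it adds to the list above: the query values are protected on the wire, but they reach the server in the clear and are normally written to its access log.

```python
"""Where the pieces of an https URL end up.

Added example: classify a URL by what is observable on the network (host
and port: DNS lookup, TCP destination, TLS server name) versus what is
inside the TLS tunnel (path and query), and show the request line and a
constructed access-log entry the server would record.
"""
from urllib.parse import parse_qsl, urlsplit

# The URL from the post (constructed values, not real credentials).
SAMPLE_URL = "https://someaddress.com/?mypassword=bugsbunny&creditcard=123412341234"


def classify_url(url):
    """Return which URL components are visible in transit and which are not."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are classified here")
    visible_to_network = {
        "host": parts.hostname,        # DNS query, TCP destination, TLS SNI
        "port": parts.port or 443,     # TCP port is in the packet header
    }
    encrypted_in_transit = {
        "path": parts.path or "/",
        "query": dict(parse_qsl(parts.query)),
    }
    # The fragment (#...) is never sent to the server at all.
    never_sent = {"fragment": parts.fragment}
    return {
        "visible_to_network": visible_to_network,
        "encrypted_in_transit": encrypted_in_transit,
        "never_sent": never_sent,
    }


def request_line(url):
    """The HTTP request line the browser sends inside the tunnel."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return f"GET {target} HTTP/1.1"


def access_log_entry(url, client_ip="198.51.100.7",
                     timestamp="25/Oct/2009:10:00:00 +0000"):
    """A Common Log Format line for the request (constructed sample).

    Apache-style access logs record the full request line, so query values
    appear here verbatim even though the connection itself was encrypted.
    """
    return f'{client_ip} - - [{timestamp}] "{request_line(url)}" 200 512'


if __name__ == "__main__":
    for section, fields in classify_url(SAMPLE_URL).items():
        print(f"{section}: {fields}")
    print(access_log_entry(SAMPLE_URL))
```

The classification is what the list above describes in code: a sniffer on the path sees someaddress.com and port 443, not the query string. The log line is the reason the "probably" matters: whoever can read the server's logs can read the values too.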

For example, PayPal allows authorized users to perform searches and make credit transactions like this all the time.

The main concern, in theory, appears to be the possible use of "sniffers," programs placed along networks that can read transactions. If the transactions are not encrypted, the data can be easily read.

The best suggestion is, if you have control over the program on the receiving end (not the case with PayPal), you could:
  1. Encrypt your data on your local machine
  2. Send that data via the https / SSL connection
  3. Decrypt the data when it is received on the other end.
Don't take my word for it alone. Do your research. I can't imagine anything worse than losing your customers' trust, and having to answer to authorities for why you inadvertently exposed their personal data and financial information.