Friday, May 30, 2014

Perfect Forward Secrecy: A love story


The fragile state of web application security has grabbed our attention in recent months, with cryptography libraries at the forefront. The fallout from software defects with nicknames like GOTO FAIL and Heartbleed has led technologists to reconsider how they approach encrypting private information in transit. These bugs have also illuminated how difficult it is for the average user to understand modern information security.

As a systems administrator or a developer, one comes to dread catastrophic vulnerability disclosures, as rare as they are today. Whether it's on Microsoft's infamous Patch Tuesday or any other day in the open source world, brows stay furrowed from the first words of a disclosure until administrators and developers have assured themselves that they and their clients are not affected.

Our brows were not furrowed long when it came to Heartbleed. We took care of it immediately, notifying and patching all customers across our cluster by 9am the morning after. As we finished up the job, more than 50% of the top 1000 websites were still vulnerable.

We were grateful for our existing automation and tools, as well as the skills of our ops team. They enabled us to confidently move on with business as usual.

"Et, bien sûr!" - because the very next day, we set off to PyCon 2014 in Montreal!


The event's timing was a great opportunity to see and contribute to the Python community's reaction to the recent Heartbleed disclosure, and I was personally excited to grab beers with friends in the security community there. These discussions were certainly echoed around the world that week and in the months since, proving the need to take up new best practices and adopt more prudent safeguards on implementations.

In particular, Hynek Schlawack presented an excellent talk on "The Sorry State of SSL"; you can watch it, as well as other talks from the event, online. The VM Farms team had already read about Hynek's recommendations for cipher suite best practices. Heartbleed motivated us to act decisively:

An attack against a server may also reveal the server's private master key, which would enable attackers to decrypt communications (future or past stored traffic captured via passive eavesdropping, unless perfect forward secrecy is used, in which case only future traffic can be decrypted if intercepted via man-in-the-middle attacks). -- Wikipedia

So, soon after we returned, our team enabled perfect forward secrecy across all our customers' servers. You can see the results of third-party SSL testing yourself.

But for failings in Internet Explorer 9 & 10, it'd be an A+.
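As an added illustration (not VM Farms' own tooling or configuration): forward secrecy comes from an ephemeral (EC)DHE key exchange, so a server's enabled cipher suites can be audited by key-exchange type. This Python sketch uses the standard `ssl` module; the function names and the `ECDHE+AESGCM` policy string are assumptions chosen for the example, not the settings deployed in this post.

```python
import ssl

# OpenSSL and IANA name prefixes whose key exchange is ephemeral Diffie-Hellman.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_ECDHE_", "TLS_DHE_")
# TLS 1.3 suite names carry no key exchange; full handshakes always use (EC)DHE.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def is_forward_secret(cipher_name, protocol=""):
    """Return True if the suite uses an ephemeral (EC)DHE key exchange."""
    name = cipher_name.upper()
    if protocol == "TLSv1.3" or name.startswith(TLS13_PREFIXES):
        return True
    # Static "DH-"/"ECDH-" and plain RSA suites (e.g. AES128-SHA) fall through to False.
    return name.startswith(EPHEMERAL_PREFIXES)


def audit_context(ctx):
    """Split the suites an SSLContext has enabled into (forward_secret, not_forward_secret)."""
    fs, non_fs = [], []
    for suite in ctx.get_ciphers():
        bucket = fs if is_forward_secret(suite["name"], suite.get("protocol", "")) else non_fs
        bucket.append(suite["name"])
    return fs, non_fs


def forward_secret_server_context():
    """Server context restricted to ECDHE + AES-GCM (an assumed example policy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


if __name__ == "__main__":
    mixed = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    mixed.set_ciphers("ECDHE+AESGCM:kRSA+AESGCM")  # constructed "before" policy
    for label, ctx in (("mixed", mixed), ("hardened", forward_secret_server_context())):
        fs, non_fs = audit_context(ctx)
        print(f"{label}: {len(fs)} forward-secret, without FS: {non_fs or 'none'}")
```

Any suite reported in the second list uses a key exchange tied to the server's long-term key, which is the case the Wikipedia passage above describes: recorded traffic becomes decryptable if that key later leaks.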

On the client side, if you'd like to learn more about the state of SSL/TLS at the sites you browse most frequently, these browser tools will help you remain vigilant.

SSL Observatory - The Electronic Frontier Foundation (EFF) has a crowdsourced project to scrutinize the certificates used to secure all of the sites encrypted with HTTPS on the Web for potential fraud and attacks.

HTTPS Everywhere - also by the EFF - will default your browser to use secure connections whenever they are available.

Calomel SSL Verification Plugin will validate SSL connection strength as you browse. The toolbar button will change color depending on the strength of encryption from red (weak) to green (strong).

VM Farms provides expert advice and smart operations on our own Canadian cloud. We've been glad to help our customers understand and mitigate risk. If you need an ops team, visit us to learn more about why we're a different kind of hosting company.
