[Owasp-topten] OWASP Top Ten

Larry Conklin larry.conklin at owasp.org
Sun May 14 23:09:47 UTC 2017


Dave and group, hope you find this feedback on the Top Ten to be
constructive.

Feedback on candidate release OWASP TOP 2017

A5- Security Misconfiguration.



Stating that security misconfiguration is not enough. It does bring forth
the issues for developers and security professionals that important
security vulnerabilities exist in server and application configurations. It
does not address some large common security misconfigurations. OWASP Top Ten
cannot address every misconfiguration and it shouldn’t. But I feel that
somehow within the OWASP Top Ten we should address major security
misconfigurations that are prevalent to web sites.



Websites, mail servers, and other TLS-dependent services fall exactly
within this gray zone. Right now we have a self-created crisis. Users are
taught wrongly that https means safe and the green lock in the URL means
the web site is safe. Yet evidence shows web sites are moving to TLS with
misconfiguration settings.



Some basic statistics, per the Weak DH website: https://weakdh.org





Protocol                              Vulnerable to Logjam
HTTPS — Top 1 Million Domains         8.4%
HTTPS — Browser Trusted Sites         3.4%
SMTP+StartTLS — IPv4 Address Space    14.8%
POP3S — IPv4 Address Space            8.9%
IMAPS — IPv4 Address Space            8.4%



“The Logjam attack allows a man-in-the-middle attacker to downgrade
vulnerable TLS connections to 512-bit export-grade cryptography. This
allows the attacker to read and modify any data passed over the connection.
The attack is reminiscent of the FREAK attack, but is due to a flaw in the
TLS protocol rather than an implementation vulnerability, and attacks a
Diffie-Hellman key exchange rather than an RSA key exchange. *The attack
affects any server that supports **DHE_EXPORT** ciphers, and affects all
modern web browsers. 8.4% of the Top 1 Million domains were initially
vulnerable*.”





                                           Vulnerable if most common 1024-bit group is broken
HTTPS — Top 1 Million Domains              17.9%
HTTPS – Browser Trusted Sites              6.6%
IPv4 Address Space                         25.7%
IKEv1 (IPsec VPNs) — IPv4 Address Space    66.1%



“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for
Diffie-Hellman key exchange. Practitioners believed this was safe as long
as new key exchange messages were generated for every connection. However, the
first step in the number field sieve—the most efficient algorithm for
breaking a Diffie-Hellman connection—is dependent only on this prime. After
this first step, an attacker can quickly break individual connections. This
computation against the most common 512-bit prime used for TLS and
demonstrate that the Logjam attack can be used to downgrade connections to
80% of TLS servers supporting DHE_EXPORT. *It has been estimated that an
academic team can break a 768-bit prime and that a nation-state can break a
1024-bit prime*. Breaking the single, most common 1024-bit prime used by
web servers would allow passive eavesdropping on connections to 18% of the
Top 1 Million HTTPS domains. A second prime would allow passive decryption
of connections to 66% of VPN servers and 26% of SSH servers. A close
reading of published NSA leaks shows that the agency's attacks on VPNs are
consistent with having achieved such a break.”



One issue we have with these vulnerabilities is the risk level: nation-state
resources are needed. After the Shadow Brokers source code leak and the WannaCry
ransomware outbreak we have to review what vulnerabilities actually
require nation-state resources.

The question is how do we disseminate this information? I feel that the
breadth and reach of the OWASP Top Ten needs to have a layer beneath it on
some items/topics such as A5 Security Misconfiguration. I realize that some
topics like XSS have so many variables that we can’t reach the depth of
discussion needed. But on a sub-topic like SSL in A5 Security
Misconfiguration this can help OWASP Top Ten shine brighter and have a
far-reaching effect.



Reference: https://www.trustworthyinternet.org/ssl-pulse/
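
Added example (not part of the original message and not OWASP or weakdh.org code): a minimal audit that flags the two misconfigurations the quoted Weak DH text describes, servers that still accept DHE_EXPORT suites and servers using a small Diffie-Hellman group, and reports their share of a scan. The host names, scan records and the 2048-bit floor are assumptions made for illustration.

```python
from collections import Counter

# Assumed policy floor; the quoted text treats 512-, 768- and 1024-bit primes as breakable.
MIN_DH_BITS = 2048

# Constructed sample scan results (hypothetical hosts, not real measurements).
# "suites": cipher suites the server accepted; "dh_bits": size of the DH prime it sent, if any.
SCAN = [
    {"host": "shop.example", "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], "dh_bits": None},
    {"host": "mail.example", "suites": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                                        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"], "dh_bits": 1024},
    {"host": "vpn.example", "suites": ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"], "dh_bits": 1024},
    {"host": "www.example", "suites": ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"], "dh_bits": 2048},
]

def classify(rec):
    """Return the list of findings for one scanned server (empty list = nothing flagged)."""
    findings = []
    dhe = [s for s in rec["suites"] if s.startswith("TLS_DHE_")]
    if any("_EXPORT_" in s for s in dhe):
        # Server still accepts DHE_EXPORT, the condition the Logjam quote names.
        findings.append("dhe-export-enabled")
    bits = rec.get("dh_bits")
    if dhe and bits is None:
        # DHE is offered but the scan did not capture the prime: report it, do not assume it is fine.
        findings.append("dh-size-unknown")
    elif dhe and bits < MIN_DH_BITS:
        findings.append(f"dh-group-{bits}-bit")
    return findings

def summarize(scan):
    """Share of servers per finding, as percentages rounded to one decimal place."""
    counts = Counter(f for rec in scan for f in set(classify(rec)))
    return {f: round(100.0 * n / len(scan), 1) for f, n in counts.items()}

if __name__ == "__main__":
    for rec in SCAN:
        print(rec["host"], classify(rec) or ["ok"])
    print(summarize(SCAN))
```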