Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The software development team is implementing the web service in the RESTful style. HTTPS or TLS protects communication between browsers and webserver. Which of the following is the security issue that least concerns the software development team?
B. SQL Injection
C. Cross-Site Scripting (XSS)
D. Cross-Site Request Forgery (CSRF)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Heartbleed.
Heartbleed is a concern but the least concern among the four options because it is an implementation bug (CVE-2014-0160) of TLS Heartbeat extension in the OpenSSL cryptography library.
Vulnerability to Heartbleed is resolved by updating OpenSSL to a patched version (1.0.1g or later). The software development team doesn’t have to worry about the system-level patching work.
OpenSSL versions 1.0.1 through 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension that could be used to reveal up to 64 KB of the application’s memory with every heartbeat (CVE-2014-0160). By reading the memory of the web server, attackers could access sensitive data, including the server’s private key. This could allow attackers to decode earlier eavesdropped communications if the encryption protocol used does not ensure perfect forward secrecy. Knowledge of the private key could also allow an attacker to mount a man-in-the-middle attack against any future communications. The vulnerability might also reveal unencrypted parts of other users’ sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.
At its disclosure on April 7, 2014, around 17% or half a million of the Internet’s secure web servers certified by trusted authorities were believed to have been vulnerable to the attack. However, Heartbleed can affect both the server and client.
- The OpenSSL Project, Initial release 1998
- OpenSSL contains an open-source implementation of the SSL and TLS protocols.
- Date discovered April 1, 2014; 5 years ago
- Date patched April 7, 2014; 5 years ago
Protocol Published Status TLS 1.3 2018 TLS 1.2 2008 TLS 1.1 2006 Deprecation planned in 2020 TLS 1.0 1999 Deprecation planned in 2020 SSL 3.0 1996 Deprecated in 2015 (RFC 7568) SSL 2.0 1995 Deprecated in 2011 (RFC 6176) SSL 1.0 Unpublished Unpublished
POODLE (Padding Oracle On Downgraded Legacy Encryption)
POODLE is a design flaw in SSL 3.0, which “allows the padding data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed.”
When a TLS connection is unavailable, many browsers will revert to SSL 3.0 (downgrade). An attacker who wants to exploit POODLE takes advantage of this by inserting himself into the communication session and forcing the browser to use SSL 3.0.