Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. In a meeting, you suggest that the solution shall not support legacy browsers and SSL even though it would lose the market coverage of browsers. As a security professional, which of the following is your primary concern to do so?
A. To prevent web pages from distortion due to insufficient support of HTML5 and CSS3
B. To mitigate the threat exploiting the vulnerability of the heartbeat extension
C. To avoid attackers using the protocol padding vulnerability to decrypt the ciphertext.
D. To stop attackers from using the nonce to break the encryption key
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. To avoid attackers using the protocol padding vulnerability to decrypt the ciphertext.
- POODLE is a protocol design flaw of block cipher padding in SSL.
- Heartbeat is an extension to TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS.
- Heartbleed is an implementation bug of buffer over-read on the TLS Heartbeat extension in OpenSSL.
- Web pages distortion is a primary concern of the user experience instead of security.
- Using the nonce to break the encryption key is a distractor.