The Importance of TLS Encryption

Source:  http://www.openfind.com.tw/taiwan/markettrend_detail.php?news_id=6777

The Panama Incident Highlights the Importance of TLS Encryption

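Industry Status

Recently, the Panama Papers leak disclosed by the International Consortium of Investigative Journalists (ICIJ) has drawn close attention from companies worldwide. The volume of data leaked from the Panamanian law firm Mossack Fonseca reached 2.6TB, which can be called unprecedented among data breaches in the history of information security. According to a report by the foreign media outlet Wired, three main factors lay behind Mossack Fonseca's network weaknesses. First, Outlook Web Access, the email service the firm used, had not been updated since 2009. Second, the portal website had the DROWN vulnerability, which allows secure connections using the TLS (Transport Layer Security) protocol to be attacked through flaws in the SSL 2.0 protocol, and the site's security vulnerabilities had not been patched since 2013, leaving it exposed to risk. Third, email did not use the TLS encryption protocol, giving hackers the opportunity to read every message through eavesdropping. Of the three causes above, two are related to encryption protocols. Why are encryption protocols important, and how do they work? Those are the main topics of today's discussion.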

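Encryption Has Always Been an Important Issue

The origins of message encryption can be traced back thousands of years; it has existed ever since people first tried to conceal certain information when passing messages. The fascinating thing about encryption is that it does not make the message disappear; instead, it makes the original message exist in another format or set of symbols, so that only those who know the rules can decode its content. With the rapid development of the Internet, message delivery has shifted from exchanging letters to exchanging network packets. To protect private information in transmitted content, encryption methods have become more complex and precise, and transport encryption protocols were born as a result. The two most common encryption protocols are SSL and TLS.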

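SSL Opens the Era of Encryption Protocols

SSL (Secure Socket Layer) is an encryption protocol developed by Netscape. It protects data transmitted over the network by establishing an encrypted channel, ensuring that the data can be seen by the other party only once it reaches its destination. The SSL protocol uses digital certificates to verify that a website is the destination site the sender claims it to be. A digital certificate must be issued by a Certificate Authority, and the Certificate Authority must guarantee the validity of the certificate's information. In addition, a digital certificate has a specific validity period.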

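SSL Has Serious Security Vulnerabilities

The SSL protocol exists in several versions. SSL 1.0 was never publicly released because of serious security flaws in its design. SSL 2.0 was released in February 1995, but was replaced by SSL 3.0 because it contained several serious security vulnerabilities. SSL 3.0 once became the mainstream for HTTPS, but in October 2014 Google discovered a security vulnerability in SSL 3.0 (the POODLE attack) and recommended disabling the protocol.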

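TLS Standardization Improves Security

The predecessor of TLS (Transport Layer Security) is in fact SSL. The IETF (Internet Engineering Task Force) later standardized SSL and published the first version of the TLS standard document in 1999. The protocol has since been widely supported in applications such as browsers, email, instant messaging, and Internet fax, and it has become the industry standard for confidential communication on the Internet. Existing versions include TLS 1.0, TLS 1.1, and TLS 1.2.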

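TLS Replaces SSL as the Encryption Protocol Standard

In fact, TLS was essentially designed to replace SSL, and its version is positioned as SSL 3.1. Technically, there are only very minor differences between them. At this point a question will surely come to mind: why create a new protocol at all? The answer is that SSL was originally created by Netscape and was a closed protocol belonging only to Netscape. The wider community could not freely modify it, let alone verify whether it was secure. The IETF therefore redefined it as the TLS protocol, and because TLS is open, anyone is free to use it and annotate it.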

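Different Encryption Protocols, Different Worlds

Although the SSL and TLS protocols are very similar, data cannot be exchanged or used between SSL and TLS. This means that if a mail host uses only the TLS protocol, it cannot accept mail hosts or clients that use the SSL protocol. This is the main reason why many mail servers still support SSL even though the SSL protocol is not secure.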

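Guarding Against Encryption Protocol Vulnerabilities

Protection against encryption protocol vulnerabilities can be discussed in two parts. One is transmission between mail hosts; the other is the connection between a mail host and its clients. When two mail hosts communicate, if one host uses the SSL encryption protocol, it forces the other host to use SSL as well before data can be transferred. If a hacker then uses tools to eavesdrop on the network packets, the encrypted transmission becomes meaningless. Transmission between a mail host and a client (when sending and receiving mail over SMTP, POP3, or IMAP4) carries the same risk. Openfind therefore recommends that both mail hosts and client applications choose the TLS encryption protocol for transmission to ensure security.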
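
One way to check whether inbound mail sessions really negotiate TLS rather than SSL or no encryption at all, as recommended above. This is an added example, not code from Openfind or MailAudit; it assumes a Postfix-style smtpd log written with smtpd_tls_loglevel = 1, and the log lines, hosts and function names are constructed for illustration.

```python
import re

# Constructed sample lines modelled on Postfix smtpd logging with
# smtpd_tls_loglevel = 1 (assumed format; hosts and addresses are made up).
SAMPLE_LOG = """\
Apr  6 10:00:01 mx postfix/smtpd[2101]: connect from a.example.org[192.0.2.10]
Apr  6 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  6 10:00:02 mx postfix/smtpd[2101]: disconnect from a.example.org[192.0.2.10]
Apr  6 10:05:10 mx postfix/smtpd[2102]: connect from b.example.net[198.51.100.7]
Apr  6 10:05:10 mx postfix/smtpd[2102]: Anonymous TLS connection established from b.example.net[198.51.100.7]: SSLv3 with cipher DES-CBC3-SHA (112/168 bits)
Apr  6 10:05:11 mx postfix/smtpd[2102]: disconnect from b.example.net[198.51.100.7]
Apr  6 10:09:30 mx postfix/smtpd[2103]: connect from c.example.com[203.0.113.5]
Apr  6 10:09:31 mx postfix/smtpd[2103]: disconnect from c.example.com[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<peer>\S+)$")
TLS_UP = re.compile(r"TLS connection established from (?P<peer>\S+): (?P<proto>\S+) with cipher")
DISCONNECT = re.compile(r"^disconnect from (?P<peer>\S+)")


def audit_sessions(log_text):
    """Return [(peer, verdict)] per finished session: tls, ssl or plaintext."""
    sessions = {}  # (pid, peer) -> negotiated protocol, or None if no handshake
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        connect, tls, bye = CONNECT.match(msg), TLS_UP.search(msg), DISCONNECT.match(msg)
        if connect:
            sessions[(pid, connect.group("peer"))] = None
        elif tls:
            sessions[(pid, tls.group("peer"))] = tls.group("proto")
        elif bye:
            key = (pid, bye.group("peer"))
            if key not in sessions:
                continue  # log began mid-session; nothing reliable to report
            proto = sessions.pop(key)
            # No handshake logged means the session stayed readable on the wire.
            verdict = "plaintext" if proto is None else ("ssl" if proto.startswith("SSL") else "tls")
            results.append((bye.group("peer"), verdict))
    return results


def needs_attention(log_text):
    """Peers whose sessions used SSL or no encryption at all."""
    return [(p, v) for p, v in audit_sessions(log_text) if v != "tls"]
```

Peers returned by needs_attention are the ones to follow up with before SSL and unencrypted delivery are refused on the mail host.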

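MailAudit has in fact long been fully prepared for the issues discussed above. In addition to supporting the TLS encryption protocol, it provides a high-grade mail encryption service that meets government information security protection standards, so that confidential data receives the most thorough protection. Openfind hopes to combine strong development technology with its experience in service operations to provide customers with a secure, reliable, all-round solution.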

Data source: http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems


The security flaws at the heart of the Panama Papers

The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.

The law firm at the centre of the Panama Papers hack has shown an "astonishing" disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013.

Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog.

On its main website Mossack Fonseca claims its Client Information Portal provides a "secure online account" allowing customers to access "corporate information anywhere and everywhere". The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal's backend can also be accessed by guessing the URL structure, a security researcher noted.

Mossack Fonseca's webmail system, which runs on Microsoft's Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca's site simply by guessing the URL.

"It shows the way they configured the server and the way they configured the website is not within the best security practices," an anonymous source told WIRED. They continued to say that the method could be used by other people to access the data. "We're talking about a misconfigured server that enables directory listings."

Professor Alan Woodward, a computer security expert from Surrey University told WIRED that Mossack Fonseca's front end seemed "horribly" out of date. "I can't understand this," Woodward continued. "Take something like Outlook Web Access – if you keep your Exchange Server up to date this just comes along naturally. They seem to have been caught in a time warp. If I were a client of theirs I'd be very concerned that they were communicating using such outdated technology."

Mossack Fonseca's emails were also not encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol. "Given the business they're in, I find it quite surprising that they haven't thought about securing their emails better," Angela Sasse, professor of human-centred technology at University College London, told WIRED.

"I would regard TLS encryption as okay for a not very high risk organisation, if it is done properly and looked after. The awareness of the risk and how easily these services can be attacked seems to not have been there."

Precisely what vulnerability the attacker used is not known and Mossack Fonseca has said it is carrying out "an in-depth investigation with experts", while also taking "additional measures" to strengthen its systems. In a leaked email to customers Mossack Fonseca confirmed an "unauthorised breach" of its email servers. Company partner Ramon Fonseca has since said the leak was not "an inside job" and that the company had been hacked by servers based abroad. The company did not respond to requests for comment.