{"id":187,"date":"2016-03-01T11:14:55","date_gmt":"2016-03-01T16:14:55","guid":{"rendered":"https:\/\/freezion.com\/?p=187"},"modified":"2016-03-01T11:14:55","modified_gmt":"2016-03-01T16:14:55","slug":"drowning-in-bad-crypto","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=187","title":{"rendered":"DROWNing in bad crypto"},"content":{"rendered":"<p>If you are still running SSL to &#8220;protect&#8221; your website at all, you need to shut it off. Yes, really.<\/p>\n<p>If you have\u00a0some kind of load balancer in front of\u00a0your server, disable SSL on that also.<\/p>\n<p>Using SSL on a mailserver? Kill it there too.<\/p>\n<p>SSL is seriously broken (see: <a href=\"https:\/\/en.wikipedia.org\/wiki\/CRIME\" target=\"_blank\" rel=\"noopener\">CRIME<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security#BEAST_attack\" target=\"_blank\" rel=\"noopener\">BEAST<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/BREACH_(security_exploit)\" target=\"_blank\" rel=\"noopener\">BREACH<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/FREAK\" target=\"_blank\" rel=\"noopener\">FREAK<\/a>, and now <a href=\"https:\/\/www.drownattack.com\/\" target=\"_blank\" rel=\"noopener\">DROWN<\/a>). It does <strong>not<\/strong> protect data, though it may appear to.<\/p>\n<p>If you want to keep data safe, configure your system to use TLS only, enable <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_Strict_Transport_Security\" target=\"_blank\" rel=\"noopener\">HSTS<\/a>, and accept only strong cipher suites. Sound complicated? 
It&#8217;s really not.<\/p>\n<p><a href=\"https:\/\/cipherli.st\/\" target=\"_blank\" rel=\"noopener\">Here<\/a> are some configuration examples to get you rolling.<\/p>\n<p>TL;DR:<\/p>\n<blockquote class=\"imgur-embed-pub\" lang=\"en\" data-id=\"p2OHb0R\"><p><a href=\"http:\/\/imgur.com\/p2OHb0R\">View post on imgur.com<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>If you are still running SSL to &#8220;protect&#8221; your website at all, you need to shut it off. Yes,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-hacking","category-musing"],"_links":{"self":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=187"}],"version-history":[{"count":0,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions"}],"wp:attachment":[{"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=187"}],"curies":[{"name":"wp","href"
:"https:\/\/api.w.org\/{rel}","templated":true}]}}