[Interest] Clarification on network security

Roland Hughes roland at logikalsolutions.com
Sun Jun 16 02:16:17 CEST 2019


On 6/14/19 5:00 AM, Bob Hood wrote:
> 1. By itself, is the implicit use of OpenSSL by the QSslSocket class on the
> server side sufficient to secure data communications between both endpoints?

The short answer is no. Sadly, it is what you will find in most places.

Neither TLS nor SSL is secure, nor can they ever be. They are 
architecturally flawed.  You can pull down software from The Dark Web 
which when run on a hokey little $80 2-in-1 sold by Walmart can, in 15 
minutes or less, unpackage anything sent via SSL and caught via most 
forms of sniffing. In well under an hour using the same hokey laptop it 
can penetrate pretty much any SSL/TLS secured access point.

You can even get free open source packages to "evaluate" your solution.

https://tools.kali.org/information-gathering/tlssled

The real question is what are you securing?

A chat engine? Who cares? People on those things routinely give out 
their mother's maiden name, name of their first pet and the closest 
relative living farthest from them. In the immortal words of Ron White 
"You can't fix stupid."

The level of security must go up with the level of value. The flip side 
of this is the openness of access must go down.

You cannot have anything called "secure" on the Internet accessible via 
a standard browser. This is why many banks and brokerage firms are 
moving to 2-stage connection verification and custom browser plug-ins.

2-stage is really (*^)(*&)ing annoying, but if you have an account 
enabled for wire transfer or any other Internet access which could pull 
money out, it really is the way to go. The 2-stage is you do your normal 
username/password/verification question on each login, then you prompt 
them to choose email or phone for an N-digit one-time code. Once they 
enter it you drop a short life cookie (sometimes one connection, other 
times one day, never more than a week) which lets it work for a little 
while.

The 2-stage is the industry finally admitting SSL/TLS are 
architecturally flawed and can never be made secure.

Moving up in security you create a plug-in for popular browsers 
(Firefox/Chrome/Opera) on popular platforms (Linux/Android/forget about 
security on Windows). After a user has created an account with you they 
must be on a supported platform and install the browser plug-in to continue.

Honestly, you can make it a plug-in or you can make it a standalone 
app. If all you are using is SSL/TLS it isn't secure, you just protected 
their password a touch better.

The plug-in/app works old school, like you are used to. Data is both 
shuffled and encrypted before transmission. If you are using only one 
encryption method with only one seed for the life of the connection, 
consider yourself hacked before they installed the app/plug-in.

You can use standard 3rd party encryption libraries, but what you cannot 
have are any two packets encrypted with both the same seed and 
encryption method. Yeah, they are going to sniff your packets. Yeah, 
there are all kinds of free tools on the Internet to peel that SSL right 
off there. After that, they have to start from ground zero with every 
packet. The biggest flaw in old school data transmissions was the 
single-method-single-key for entire file or comm session. Evil doers 
only had to crack one packet for the rest of them to be easy as knocking 
over dominoes. Some of the older encryption libraries even left 
tell-tale signatures in the encrypted packet so at a glance they could 
tell what method was used, making it an exercise of just finding the 
proper seed. When you have a million-PC bot-net at your disposal it 
generally takes more time to distribute the work than it does to get the 
answer.

Before anyone thinks "Oh, it's only email," think again. In order to 
gain access to much larger and more secure companies, hackers are 
targeting the emails of their mom & pop service providers.

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

This is a reality which may cause some well-intentioned laws, forcing 
major companies to assign a certain percentage of outside business to 
small/minority owned companies (mom & pop basically). These companies do 
not have the skills or the checkbooks to properly secure computers and 
their network. They are increasingly becoming a liability. At some point 
firms the size of Target and up will be financially ahead to just write 
a check to the small companies and get their services from a major firm 
which can secure everything.

Sad but true. The intention was "Hey, be a good corporate citizen. Give 
some of the small jobs like servicing your HVAC and plumbing to local 
small companies." It made sense and built good will. It was a small 
risk. They either could or couldn't do the job. You could manage for 
that. You can't manage for them being the entry point of a breach which 
costs north of $50 million to clean up.

Just my 0.002 cents.

-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
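
The 2-stage login flow described in the message above (an N-digit one-time code, then a short-life cookie capped at one week), as an added example that is not part of the original message or of any project it mentions. The function names, the in-memory store, the five-minute code lifetime and the five-attempt limit are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_KEY = secrets.token_bytes(32)   # assumed per-deployment server secret
MAX_COOKIE_TTL = 7 * 24 * 3600         # ceiling from the message: never more than a week
CODE_TTL = 300                         # assumed: a code stays valid for five minutes
MAX_ATTEMPTS = 5                       # assumed: guesses allowed per issued code
_pending = {}  # user -> [sha256(code), expires_at, attempts_left]; in-memory for the sketch

def issue_code(user, digits=6, now=None):
    """Create the N-digit one-time code that is delivered by email or phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"   # CSPRNG, keeps leading zeros
    _pending[user] = [hashlib.sha256(code.encode()).digest(), now + CODE_TTL, MAX_ATTEMPTS]
    return code

def verify_code(user, submitted, ttl=24 * 3600, now=None):
    """Return a signed short-life cookie if the submitted code is right, else None."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return None
    digest, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del _pending[user]              # expired or guessed too often: force a new code
        return None
    entry[2] -= 1                       # count this guess before comparing
    if not hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).digest()):
        return None
    del _pending[user]                  # one-time: a correct code cannot be replayed
    expiry = int(now + min(ttl, MAX_COOKIE_TTL))
    payload = f"{user}|{expiry}"
    tag = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def check_cookie(cookie, now=None):
    """Return the user name for an untampered, unexpired cookie, else None."""
    now = time.time() if now is None else now
    try:
        user, expiry, tag = cookie.rsplit("|", 2)
        fresh = now < int(expiry)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(COOKIE_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return user if fresh and hmac.compare_digest(tag.encode(), expected.encode()) else None
```
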



