As we all know, communication-related data – especially in corporations – belongs to the most sensitive of all information groups. The newly surfaced KRACK attack brought up another attackable angle which reminded us: how can we help our customers to make sure they run a secure environment?
We want to encourage all our customers to secure their installations with the best security principles possible to protect their data from malicious attacks, which is why we hereby post a small 5-step checklist to make sure you are safe, even if your WPA2 implementation might still be vulnerable to KRACK.
These recommendations yet are not exclusive to KRACK but should be mandatory with any installation. This way, you make sure that your connection from your mobile or desktop device is protected.
So now how do I secure my data transport in 5 steps?
1. Use a modern web server. Don’t stick with an outdated webserver – Many attacks regarding web servers have been surfacing over the last years. The best approach is to make sure you are running a still-maintained distribution and receive distribution updates. Running system updates in a regular manner is key to make sure security fixes make it into your system.
2. SSL encryption is mandatory. Make sure you have SSL configuration enabled and do not use any insecure ciphers. Many SSL protocols are nowadays rated insecure as there are documented ways in attacking such SSL streams by examples such as Heartbleed, FREEK or BEAST. Turning off SSL Compression makes sure you are protected against CRIME attacks (https://en.wikipedia.org/wiki/CRIME).
SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLCompression off
3. Use HSTS ( https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security )
Header always set Strict-Transport-Security "max-age=31536000"
HSTS allows web servers to declare that any web browser should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. This way HTTPS is enforced already from the beginning and a user cannot by mistake access the defined web page via HTTP. This helps to protect from cookie hijacking and protocol downgrade attacks.
4. Implement Certification Authority Authorization (CAA)
Think of it like a second-factor for your used certificate, this makers sure that DNS records are also used for verification and provides another integrity check for the used certificate.
A great small introduction can be found here: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
5. Verify your SSL-enabled installation with https://www.ssllabs.com – this double-checks your security and you can aim for a great A+ score for your SSL-based security.
When following these instructions, it does not really matter on which (even unencrypted) network you are connected with, your data stays safe from prying eyes.
There are many other, additional steps you can take which we will cover in a more extensive security whitepaper, but these steps above already get you into the range of having a setup configured that’s better than 99% of the SSL installations you can find nowadays. As a disclaimer, we want to make sure you do understand that transport security is just one (yet the most dangerous in terms of exposure) factor. Also please note that this setup requires modern clients, this means very old Android versions for example, like 2.3.7 up to 4.2.2 are not able to connect.
Our intention is – at a later time – to deliver a nice fully-featured security checklist in which we shall cover not only transport encryption as in this blog article.
Enjoy and stay safe!