(This post includes both the first two posts of “SSL in Israel” because it is published after both were already published in Hebrew, so there is no reason for separate posts. The first one was published on the 16-March-2017 and the second at the 28-May-2017)
The post for version 1
“SSL in Israel” is a mini-project that I decided upon after I was fed up. I’m tired of seeing companies and organizations, including some of the largest and richest in Israel, who do not implement SSL and TLS very well, to say the least, for reasons I do not know and hope they are good (but I cannot believe it is so).
(Yes, I know that it is recommended not to use SSL at all but only TLS, but SSL rhymes well with “Israel” and most people, especially the unskilled in the field, mainly know this name – so I will use this name, For the benefit of this project)
I use Firefox extension named Calomel SSL Validation (Firefox plugin , plugin site – unfortunately I have not found a similar extension for Google Chrome), which shows how good is the implementation of SSL at the site where the user is visiting, including a grade the plugin gives to the website.
Quite a few times I get a fever when I see sites that store and transfer customer sensitive personal information – without using the best encryption capabilities we have at our disposal today – so the bottom line is that as a client of some of these organizations I feel that the source for this situation is one or more of the options of disregard, carelessness, lack of professionalism, avarice, cowardice, and so on, and I thought it was time to surface this status to the public to know who is doing encryption good and who is not, so the public will know who invest in protecting their data and who is not, and maybe, just maybe, organizations who need to improve – indeed will do better as soon as this information will be publicly available in one place, compared to other websites of companies/organizations in the same field, who do a better job.
So how is it going to be done?
- I will scan various Israeli sites with the excellent service of SSL Server Test by “Qualys SSL Labs” on behalf of Qualys. This service allows anyone to run a scan, anonymously, against a named website on the Internet (such as www.google.com) (but not against IP addresses based on numbers only) and receive a report about the site’s SSL/TLS implementation status.
– I do not have an exact definition of what do I mean by “Israeli sites” – it refers mainly to sites that serve mainly Israelis and/or have a site name suffix related to Israel (such as .il or co.il and so on), with emphasis on those who affect many people and/or have special meaning
- I will maintain an Excel file (in XLSX format) containing the main findings of the scan reports (if you do not have Excel then there is a free Microsoft software that will allow you to view the file – Excel Viewer)
– The file will be in English, as it is the global ICT language, so there should be no problem with this. And no, there is no intention of translating the file into Hebrew in the future
– the file includes a main worksheet called “Matrix” that includes the main table of findings and a worksheet called “General” that includes references to technical-professional information about the scan and tests that the SSL Labs site performs, how to improve the level of encryption and general information about encryption.
Update, 18-March-2017: The Excel worksheet named “General” changed his name to “Guidance” and a new worksheet was added and named “General” – it includes the file’s version number and release date that the file’s version, so we can know if a file has changed, and perhaps even compare versions
– The file will not include all fields that exist at the SSL Labs report, but only the fields that I count as important/central and/or those that included anomalous results
- The file will be uploaded to the Google Drive website and will be accessible without any need for identification or Google Account, anonymously, and it will be downloadable in its original form
– Anyone who will open the link to the file when he/she are already logged into Google with a Google account – they will also be able to watch an online version of the file in a “Google Sheet” format, which looks much better in a browser
– The file is allowed to be freely distributed
– The file will always contain only the most recent data, no historical records of sites condition will be preserved. The goal is to push forward and not overwhelm the file with unnecessary information
– There may be a discrepancy between the results of a scan run by you and those listed in the file because it may be that since I updated the relevant record, changes have been made, whether in the SSL Labs testing system or in the way SSL/TLS is implemented at the reviewed site
– The direct link to the file is https://drive.google.com/open?id=0B6EGT8h1mYlbWEd5Z285QWdIakE . I also created a shorten link that eventually leads to the full link – https://tinyurl.com/SSL-In-Israel
- I also hope to occasionally post here updates and insights from this file
From time to time I may also do independent tests of my own to make sure that the site operators have not manipulated it to make sure that the SSL Labs test reports are producing good results while the real-life implementation is not doing as well… If you encounter such a situation – I urge you to report this to me
In addition to the SSL Labs test site, there are several other sites that perform similar tests, and I had to use one when one site could not be scanned by SSL Labs. These sites will be used by me if for various reasons the SSL Labs website cannot be used. The sites are:
– SSL Server Test by “High-Tech Bridge” (which also allows you to select a destination that is a numerical IP address)
– TLS & SSL Checker by the site of “Online Domain Tools” (which also allows you to select a destination that is a numerical IP address and also select any port number that is not necessarily 443, which is the common port for HTTPS)
– Comodo’s COMODO SSL Analyzer (Which also allows you to select a target that is a numerical IP address)
At the moment, I started with the main sites of banks and credit card companies in Israel. You’ll see that for some reason, especially the small banks do a good job, while the big banks and the three credit companies are less… interesting why…
Here are some initial and general insights from the findings of the first version of the file (35 sites were examined):
– On the positive side, no site is still using SSL from any version. The rest is less positive…
– 22 sites (62%!) Do not use Forward secrecy (following FS), which dramatically increases the level of encryption, and enabling it only requires an action of choosing the appropriate Ciphers and placing them at the top of the list of the server encryption protocols (although there may be implications for server performance)
– 8 sites (22%) do not support the latest version of TLS, version 1.2. Why? It is not clear
– 7 sites (20%) do not support version 1.1 of TLS. Why? It is not clear. 6 of them also do not support version 1.2, meaning that they were satisfied with version 1.0 alone
– 3 sites (8%) are vulnerable to POODLE attack in TLS
– 8 sites (22%) are still using outdated and weak RC4 Ciphers
– There are only a few sites that support only one Cipher. Single and lonely. Amazing.
– There are several sites that run only a few Ciphers. Also amazing.
– 26 sites (74%) do not use HSTS response header, which allows the browser to connect to the site only using the secure HTTPS encrypted link
In general terms, the distribution of the final scores for sites is as follows:
A+ – 2 Sites (5%)
A- – 2 Sites (5%)
A – 5 Sites (14%)
B – 5 Sites (14%)
C – 18 Sites (51%!)
F – 3 Sites (8%)
(The sum of the percentage values amounts to 97% due to rounding of the percentage calculations downwards to the nearest whole percentage)
I would be happy if you spread the news about the existence of this project and its Excel file, especially to those who, in your opinion, can enhance the SSL/TLS status of the web sites they are in charge of.
I hope that together we can improve the current situation.
If you would like to contact me about this project – you can do so through the appropriate form on this site
I wish us all good luck with this project!
The post for version 2
So here we are, reaching version 2 of “SSL in Israel”.
Unfortunately, I am still only in the private financial sector, so the information is only relevant to it, although on the other hand it should be a leading sector in Information Security, so it’s a kind of a realistic representation of the bad situation.
Here is what has changed in this version of the file:
- The number of records increased from 35 to 203
- I added a “serial number” column, so each entry will have its own unique ID number throughout its lifetime
- I added a column of “Sector” to help sort and filter by general association of the reviewed site – for example, public, government and private
- I added 3 columns that relate to the site’s digital certificate – is there a match between the certificate “name” and the site’s domain name, is the certificate valid in terms of date-time and if SHA1 is used for signing any of the certificates in the trust chain of the certificate
- I added a column indicating whether weak/old Ciphers were used
- I added a column called “Other Known Vulnerability by the report?”, which is intended to inform about other vulnerabilities found in the report (such as that the content of the root of the site is a login page to the site’s administration)
- I removed the column of “HSTS”. I decided that this parameter is not important enough to be included in the file
- I added a worksheet called “Disclosures”, where I manage my communication with sites’ owners about the vulnerabilities found at each of their sites according to the report. Notice – Vulnerabilities, not a scan report low score (such, thank God, there is plenty…)
- I added a worksheet called “Security Contacts”, which lists how and to whom vulnerabilities can be reported for a site/organization’s system/site, but it is limited only to sites I had to report vulnerabilities to
- I added a worksheet called “Matrix – Archive” to which I move sites that have ceased to be relevant for testing – such as sites that no longer have a DNS record or don’t have HTTPS access to them anymore
- I added a worksheet called “Stats – Grades” that contains a statistics table of grades that are originated from the main worksheet
- I added a sheet called “Pivot Chart – Grades”, which is a dynamic pivot table based on the spreadsheet mentioned in the previous section above
- I added a worksheet called “Stats – Protocols – Singles”, which lists the distribution of the use of each unique instance of a cryptographic protocol, such as “SSL, version 2, active/inactive” or “TLS, version 1.1, active/inactive”
- I added a worksheet called “Pivot – Protocols – Singles”, which is a dynamic pivot table based on the worksheet mentioned in the previous section above
- I added a sheet called “Stats – Protocols – Combinations”, which includes a table and a chart of the distribution of protocol groups that are a complete SSL implementation on the site, such as “SSL from versions 2 and 3 are inactive and all TLS versions are active”
Some insights from the process:
- The grades that I believe should be the minimal normal, A or A+, together account for only 18% of the sites (16% and 2% respectively), which is of course a bad situation because 82% have less than desirable grade
- Most of the sites with a grade less than the desired minimal normal, received a grade of C (29%)
- There are still sites running SSL from version 3, 6 of them, 1% of the sites tested
- On the positive side, SSL from version 2 was not found…
- TLS version 1.0 is the most popular version of TLS, and there are quite a few sites who support ONLY this version out of the three versions of TLS
- Two-thirds of the sites (66.33%, 130 sites) use the classic combination of no SSL at all and all three versions of TLS
- The next group is far below, only 18.37%, 36 sites, and operates only TLS version 1.0, with no other TLS and no SSL. Why? I guess this is the default settings of a related system that no one bothered to check nor fix
- At the third place, 5.61%, 11 sites, share two groups: one is only running TLS version 1.0 and 1.1. And that’s it. And the other only TLS versions 1.0 and 1.2. Why? The God of encryption has the answers. This seems to indicate a lack of thought in the implementation of the encryption of these sites
- The more I progress in this project, the more I realize how great the need for such a project is. The reality of SSL/TLS implementation in the field is bad, thus it should be illuminated and surfaced to the world to know about and move into action to improve it
- The process of reporting to organizations about vulnerabilities on their websites… <heartbreaking sigh here>. How much banks fear negative publicity about them. I had two phone calls with more or less implicit threats. A colleague who works with several banks hinted me gently that you do not do such things, and you cannot know what the outcome will be, and that this process is risky for me and he does not want me to get hurt because of it, and so on…
The least pleasant conversation was with the CISO of a bank, one that I sent him information about a severe problem of exposure to the Internet, a problem they solved very quickly, and I just wanted to make sure they even got my message about the exposure, so I managed to get the number of his mobile phone and I called him. He threatened me not to reveal the name of the bank and what I had found, even though this breach had already been blocked by them. Of course it was published in this version of the file.
- With the exception of one CISO, from a credit card company, no person or entity officially confirmed, on its own initiative, that it had received the report and of course – no person or entity was thankful for the report. The same nice CISO even encouraged me to send him more findings if I will find any. A single saint in Sodom
- Another problem is the absence of a dedicated and organized process for organizations, facing of the world with a will to receive reports of information security problems they may have. At most, there is a reference to technical support or customer service, in most cases as a web form on their main web site and sometimes via an email address, and sometimes nothing… In many cases I had to turn to colleagues and ask for the contact details of relevant people in the organization.
God, it’s not that I asked for a Bug Bounty with a reward, just a web page in the style of “If you found an information security problem – this is our policy below, this is how you can connect with us (phone, email, HTTPS form), and hey – here is our public digital certificate, in case you want to encrypt the email you send us, we will be happy if you will do so”), and then follow a full customer service style process of an automated reply email – “Thank you, we received your report, here is your reference number for tracking. We will return to you with an initial reply within X business/calendar days” (I think there are no business days at hacking, the attackers do not work like that…), and then keep in touch with the reporter until the incident is resolved.
Really – check yourself, scan, attack your systems ASAP, before someone else does it, and protect yourself in advance.
Prevention is preferred over repair.