Another report forwarded to me by a client saying "your website is insecure because it accepts outdated encryption protocols" - naturally passed along to them by third parties.
Yes, it accepts them. But it's a static website that simply provides some information about the company. Nothing critical, nothing dynamic. No data is exchanged. There is no login.
We had already tightened everything up a few months ago (for me it's literally a one-line change), but they later told me that some visitors could no longer access the site and asked me to revert it. Probably older devices, but there are plenty of those out there. I know organizations that still use Windows 7, and I still occasionally see some XP clients around.
So now I explained to the client that we have two possible choices: accept the "risk" (which, frankly, I'm not entirely sure what it would be, since even if someone decrypted the traffic they would see nothing that isn’t already visible by simply visiting the page normally), or lock it down again, potentially cutting off some devices, just like what happened a few months ago.
The choice is theirs. We’ll see!
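An added example, not code from the thread: a small Python probe of the kind behind such reports. It pins one handshake per TLS version and records which versions the server is willing to negotiate, then turns the result into the trade-off discussed above (finding vs. legacy clients cut off). The hostname is a placeholder; it assumes the local OpenSSL build can still speak TLS 1.0/1.1, otherwise those probes report False whatever the server does.

```python
import socket
import ssl
import sys

# Versions a scanner tries, oldest first. TLS 1.0 and 1.1 are the
# "outdated protocols" (deprecated by RFC 8996) a one-line server
# setting usually switches off.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}


def server_accepts(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0) -> bool:
    """Handshake pinned to exactly one protocol version; True if it completes.

    Certificate checks are off on purpose: the question is only whether the
    server negotiates this version, not whether its certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Assumption: the probing client's OpenSSL allows legacy versions at
        # security level 0; otherwise old versions can never be observed.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ValueError, OSError):
        return False


def probe(host: str, port: int = 443) -> dict:
    return {name: server_accepts(host, ver, port) for name, ver in VERSIONS.items()}


def assess(accepted: dict) -> dict:
    """Summarise a probe result the way the forwarded report would."""
    old = sorted(v for v in DEPRECATED if accepted.get(v))
    modern = sorted(v for v in accepted if v not in DEPRECATED and accepted[v])
    return {
        "deprecated_accepted": old,
        "modern_accepted": modern,
        "finding": "accepts outdated protocols" if old else "none",
        # Clients that only speak TLS 1.0/1.1 (the thread's "older devices")
        # lose access as soon as no deprecated version is accepted.
        "legacy_clients_cut_off": not old,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    print(assess(probe(target)))
```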
@stefano Well, one actual risk is that an adversary in the middle can theoretically inject (rather replace) data, so that the web site as delivered to the client (user agent) ends up containing something which you never intended.
It's easy to think of one's web site as "meh, nothing fancy, nothing dynamic, no biggie" but consider the case of an adversary e.g. injecting malware or cryptominer Javascript.
Whether this is a *significant* risk is, of course, a very different question.
@stefano the risk could be an on-the-fly modification of server response by a man-in-the-middle to inject payload and attack the client. Depending on the type of users it can range from «totally non-existent risk» (no motive, no gain) to «may be» (user base is a very interesting target, the attacker can monetise the attack).
The bar is pretty high anyway, it’s most probably a non-relevant risk.
@stefano sounds like you are missing something. I’d run my eye over it again and use some static scanning tools to see what is in the http headers and what a security scan can learn. Sucuri have a decent scanner for free on their site.
@stefano risk is often subjective. As you say, static site and as long as it's ring-fenced, what is the worst that can happen? With very low consequences, the risk should be acceptable especially as the mitigations inhibit the purpose of the site for some.
A knife is a hazard and it can kill people but will it jump off the table and do so unaided? Even falling off the table is unlikely to bring injury.