Weak encryption is a real risk to data privacy and security. This article, based on Packet Detectives episode The case of the unknown TLS versions, shows how you can use packet capture (via Endace) and Wireshark to discover the outdated & vulnerable devices that exist on your network
Updates to TLS have significantly strengthened data privacy over the Internet with the introduction of perfect forward secrecy and stronger crypto ciphers in TLS 1.2 and TLS 1.3. Stronger cyphers, which are almost impossible to crack using modern computers, protects the privacy of sensitive data as it traverses the Internet.
Weak cyphers can leave sensitive transactions exposed to brute force attacks and man-in-the-middle (MitM) attacks. For example, your login credentials, password, or sensitive data that displays in your web browser may be exposed if a cybercriminal decrypts a TLS session can be decrypted. Its for this reason that the industry is rapidly moving to deprecate TLS 1.0 and 1.1.
Back in 2018, Google, Microsoft, Apple and Mozilla announced that their browsers will remove support for these outdated versions of TLS. Many cloud services, such as Office 365, have pledged to do the same.
To reduce the threat of these attacks and the consequences that accompany them, its essential that all of your devices, servers and applications are using the most recent versions of TLS (TLS 1.2 or later). But how can you tell what version of TLS encryption is being used? And how can you ensure that all of your connected devices and endpoints arent using outdated versions of the TLS protocol? Well walk you through the process of collecting network packet data using Endace and Wireshark.
Lets hash it out.
Its important to ensure recent versions of TLS are being used by all devices, servers and applications in the enterprise to reduce these threats. August 2020 data from SSL Labs shows that 65.5% of sites support TLS 1.2, whereas 32.8% support TLS 1.3. This data is based on the 150,000 most popular sites in the world (according to Alexas list).
But what decides which version of TLS the client and server use to communication? The version of TLS thats used to encrypt data is defined through a negotiation between the server and client where a handshake agrees on the strongest encryption that both can handle.
Hashed Out has broken down the TLS handshake process before. However, heres a visual overview of how that process works and the communications that take place between the client and the server as a quick reminder.
Every device that uses SSL/TLS including applications, networking elements, servers, IoT devices and endpoints must be updated with the latest software and/or OS that supports TLS 1.2 or greater. Furthermore, each device must be configured to deny connection requests at TLS 1.1 and lower.
Manage Digital Certificates like a Boss
14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.
Thats because outdated and legacy devices become the weakest link for security and data privacy. Needless to say, tracking down all the devices in your enterprise and updating them can be a daunting task especially when just about every device connects to Wi-Fi and has a web interface!
Some firewalls can detect and block traffic by TLS version, so one solution is to block older TLS traffic in your network. However, blocking older versions of TLS without certain knowledge of who or what is using them can lead to nasty (and unintended) surprises.
Updating web browsers may not be enough to remove older TLS traffic. Many endpoints on the network use TLS including servers, software agents and IoT devices and all of these can also be outdated. Another approach is to observe what is happening on the network and identify where older TLS traffic is originating. Outdated TLS agents can then be identified and, if needed, updated or replaced before blocking traffic.
Server logs, event logs and monitoring systems dont necessarily track the TLS version, so an EndaceProbe is used to capture the TLS version negotiations. Packet capture gives a true and accurate picture of all network activity so nothing is missed or altered, and its hard to argue with (should that become necessary). The downside is without good methodology, a huge amount of data (thats difficult to use) can be collected and thats a lot of noise to sort through. But with the right steps, this process is easily managed.
First, create a filter on the EndaceProbe (for example, Port443) in a Wireshark-compatible syntax to capture Port 443 traffic. Set the filter to ignore any other traffic that you dont need.
Using smart truncation in addition to filtering will reduce the data volume even further by truncating data packets and leaving TLS handshake negotiations intact. This reduces the size of the capture file, which is easier to store and manage.
Apply the Port443 filter to a data pipe on the EndaceProbe and let that capture for a full day to get a typical traffic sample. Port 443 is strictly for HTTPS traffic.
You are now ready to analyze. You can get a quick overview, using the built-in investigation tool, where traffic on Port 443 is going. Microsoft One Drive traffic tops the list, which is not unexpected but take a look at that Tik Tok (musical.ly) traffic!
To get into more detail and look into the fields of the TLS Hello packets, youll need to use a tool like Wireshark. Limit the time window to work hours and extract the capture from the EndaceProbe. This results in a 48GB capture file.
You can further reduce the amount of data by applying a Wireshark read filter when opening the capture file. This limits what is read into tls.handshake.type packets with a type of 1 or 2 the handshake types for client and server Hellos and ignores items like certificate and key exchanges. This reduces the number of packets loaded into Wireshark from more than 5 million to about 42,000.
You can save time in Wireshark by using a profile. These examples use a Wireshark profile that has been created to filter by TLS version on the client or server. You can download this Wireshark profile from the Endace website.
During the handshake, the server will only go to the highest TLS version that the client supports. This means that a good starting point is to examine the Client Hellos first. If you look at the packet detail of a Client Hello packet, you can see the TLS version and maximum version capabilities of that client.
The capture shows the actual TLS version in use and the clients using it. Many things can influence the TLS version used. For example, a web browser requesting an older TLS version may be due to a cookie from the last conversation, or maybe a non-browser software agent or device is in use.
If outdated clients are found, there may be much work yet to be done, but at least you now know with some certainty where the problem areas are.
The server makes the final determination of which TLS version is used by selecting the highest version that both client and server support. You can list servers using Wiresharks statistics and endpoints, and then apply Limit to display using the filter, so only those servers using TLS 1.1 or older are listed. This will allow you to further narrow down on the specific traffic youre targeting.
At this stage, you can export a list of servers from Wireshark (in CSV or YAML format) that might need updates. By switching your filters and endpoints, you can identify other areas that may need attention. The best case is to get everything up to TLS version 1.3. However, there is some urgency to eliminate the use of TLS versions below 1.2 (and the vulnerabilities that accompany them).
Applying Wireshark with a sound methodology and filtering gives an effective and efficient way to analyze TLS use in your network. When combined with untamperable packet capture, you can build a detailed, complete and certain picture of what is going on in your network that enables change without guess work. As a result, you can start addressing TLS issues where they originate, before blocking activity at the network level.
By identifying the weakest links in your network, you get on with eliminating them, without any unpleasant surprises and without managing irate users complaints.
This article was co-written with Betty DuBois, Chief Detective for Packet Detectives, an application and network performance consulting and training firm based in Atlanta, GA. DuBois has been solving mysteries since 1997. Experienced with a range of hardware and software packet capture solutions, she captures the right data, in the right place, and at the right time to find the real culprit. Check out bettydubois.com to learn more or to contact her.
- US Department of Justice reignites the Battle to Break Encryption - Naked Security - October 17th, 2020
- Five Eyes Call for Tech World to Weaken Encryption - ClearanceJobs - ClearanceJobs - October 17th, 2020
- Zoom Begins Rollout of End-To-End Encryption - My TechDecisions - TechDecisions - October 17th, 2020
- Could homomorphic encryption be the solution to big data's problem? - Siliconrepublic.com - October 17th, 2020
- U.S., UK and other countries warn tech firms that encryption creates 'severe risks' to public safety - CNBC - October 17th, 2020
- Is Signal secure? How the messaging app protects privacy - Business Insider - Business Insider - October 17th, 2020
- AeroVironment and Viasat to aim to improve radio encryption for Puma AE - Flightglobal - October 17th, 2020
- Encryption Backdoor? The Trump Administration Wants It. - The National Interest - October 17th, 2020
- How to use private conversations on Skype to send encrypted calls and messages - Business Insider India - October 17th, 2020
- AES Encryption Software Industry Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - October 17th, 2020
- Trustifi Named Overall Encryption Solution Provider of the Year in 2020 CyberSecurity Breakthrough Awards Program - GlobeNewswire - October 17th, 2020
- ACLU and EFF Call DOJ's Encryption Dream a Nightmare - L.A. Weekly - October 17th, 2020
- Global Database Encryption Market Expected to reach highest CAGR in forecast period : International Business Machines Corporation, Symantec... - October 17th, 2020
- Feds, 'Five Eyes' Allies Take Another Swing at Encryption Policy Changes - MeriTalk - October 13th, 2020
- Homomorphic encryption tools find their niche - CSO Online - October 13th, 2020
- Mission Impossible: 7 Countries Tell Facebook To Break Encryption - Forbes - October 13th, 2020
- Dutton pushes against encryption yet again but oversight at home is slow - ZDNet - October 13th, 2020
- Western governments double down efforts to curtail end-to-end encryption - The Daily Swig - October 13th, 2020
- Fuse Analytics integration with StrongSalt offers Enterprise Information Archiving with GDPR protections - PR Web - October 13th, 2020
- Is Signal Safe? What to Know About the New Encrypted Messaging App - Parentology - October 13th, 2020
- Five Eyes alliance warning: 'Encryption creates severe risks to public safety' - New Zealand Herald - October 13th, 2020
- Privateness or youngster safety? 7 governments, together with US & UK, argue Fb's new encryption plan would profit PEDOPHILES - Editorials 360 - October 13th, 2020
- Optical Encryption Market Analysis And Demand With Forecast Overview To 2025 - Express Journal - October 13th, 2020
- Encrypted messages don't always stay private. Here's what that means for you - CNET - October 11th, 2020
- EARN IT Act a Dire Threat to Encryption, Speech Online, Critics Say - Decrypt - October 11th, 2020
- Analyzing Impacts of Covid-19 on Cloud Encryption Software Market Effects, Aftermath, Global Industry Challenges, Business Overview and Forecast To... - October 11th, 2020
- Parts of the Election System Are Ripe for Hacking: 'Encryption? We Don't Do That' - Josh Kurtz - October 6th, 2020
- WikiLeaks led the way for newsrooms to use encryption to protect sources, says Italian journalist - ComputerWeekly.com - October 6th, 2020
- Global Encryption Software Market 2020 Industry Size, Shares and Upcoming Trends 2025 - Reported Times - October 6th, 2020
- Encryption Software Market 2020 2027: Recent Trends, Growth Opportunities and Business Development Strategies By IBM, Trend Micro, Symantec, McaFee,... - October 6th, 2020
- Encryption Key Management Market Research By Growth, Competitive Methods And Forecast To 2026 - The Daily Chronicle - October 6th, 2020
- Global Hardware-based Full Disk Encryption Market Size, Share, Trends, CAGR by Technology, Key Players, Regions, Cost, Revenue and Forecast 2020 to... - October 6th, 2020
- Global Encryption Software Market 2020 | Know the Companies List Could Potentially Benefit or Loose out From the Impact of COVID-19 | Top Companies:... - October 6th, 2020
- Stay Tuned with the Epic Battle in the Encryption Key Management Market - The Daily Chronicle - October 6th, 2020
- Hardware-based Full Disk Encryption Market To Drive Highest Growth By 2027 With Leading Key Players: Seagate Technology PLC, Western Digital Corp,... - October 6th, 2020
- Encrypted USB flash drive you can unlock with your smartphone (or Apple Watch) - ZDNet - October 6th, 2020
- Global Mobile Encryption Market is slated to grow rapidly in the coming years: McAfee(Intel Corporation), Blackberry, T-Systems International, ESET,... - October 6th, 2020
- Cloud Encryption Software Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2026 - The Daily Chronicle - October 6th, 2020
- Best Encryption Software in 2020 - Latest Quadrant Ranking Released by 360Quadrants - PRNewswire - September 30th, 2020
- 4 Reasons Why Encryption Is a Must for Data Protection - CIOReview - September 30th, 2020
- Prospective Node Operators Stake $125M in ETH to Participate in NuCypher Encryption Network - CoinDesk - Coindesk - September 30th, 2020
- Fortanix Partners with VMware to Enable Cloud Service Providers to Deliver Data Security as a Service - GlobeNewswire - September 30th, 2020
- SanDisks latest portable SSDs have boosted speed and security - The Verge - September 30th, 2020
- What Facebook users need to know about end-to-end encryption - Fast Company - September 30th, 2020
- Whats really up with your secure WhatsApp chats - Mint - September 30th, 2020
- Hardware Encryption Technology Market Trends Together With Growth Forecast To 2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Market- Industry Analysis and forecast 2020 2027: By Industrial verticals, Services, and Region. - Unica News - September 30th, 2020
- Global Hardware-based Full Disk Encryption (FDE) Market to Witness a Pronounce Growth During 2020-2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Technology Market with (Covid-19) Impact Analysis: Growth, Latest Trend Analysis and Forecast 2026 - The Daily Chronicle - September 30th, 2020
- Global Email Encryption Software Market Report 2020-2027: Production Capacity and Consumption Analysis by Regions and Country Wise - Crypto Daily - September 30th, 2020
- Cloud Encryption Service Market 2020 | Detailed Analysis, Growth, Research and Forecast - The Daily Chronicle - September 30th, 2020
- Database Encryption Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2027 - The Daily Chronicle - September 30th, 2020
- Optical Encryption Industry 2020 Includes The Major Application Segments And Size In The Global Market To 2026 - The Daily Chronicle - September 30th, 2020
- Hardware Based Encryption Market Projected to Be Resilient During 2020-2025 - The Market Records - September 30th, 2020
- Hardware Encryption Market (2020-2026) | Where Should Participant Focus To Gain Maximum ROI | Exclusive Report By DataIntelo - Crypto Daily - September 30th, 2020
- Ring plans to offer end-to-end encryption by the end of the year - The Verge - September 29th, 2020
- Encryption Software Market Comprehensive Study With Key Trends, Major Drivers And Challenges 2020-2026 - The Market Records - September 29th, 2020
- Ring to offer opt-in end-to-end encryption for videos beginning later this year - TechCrunch - September 29th, 2020
- WhatsApp Encryption Is Not Foolproof; Chats Can Be Accessed In These Ways - Yahoo India News - September 29th, 2020
- Hardware-based Full Disk Encryption (FDE) Market Forecast to 2027 Covid-19 Impact and Global Analysis by Type, Deployment Type and Industry Vertical... - September 29th, 2020
- EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption - Techdirt - September 29th, 2020
- Encryption Software Market Report Examines Growth Overview And Predictions On Size, Share And Trend Through 2025 - The Daily Chronicle - September 29th, 2020
- Russia Is Trying Something New to Isolate Its Internet From the Rest of the World - Slate - September 29th, 2020
- Network Encryption Market From 2020-2026: Growth Analysis By Manufacturers, Regions, Types And Applications - The Daily Chronicle - September 29th, 2020
- Encryption Software Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Top Technologies To Achieve Security And Privacy Of Sensitive Data In AI Models - Analytics India Magazine - September 29th, 2020
- Database Encryption Market Analysis and the Impact of COVID-19 Key Vendors, Growth Rate and Forecast To 2028 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Technology Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Market 2020 Global Share, Growth, Size, Opportunities, Trends, Regional Overview, Leading Company Analysis And Forecast To 2026 |... - September 29th, 2020
- WhatsApp says end-to-end encryption to protects chats among app however not cloud backups - Stanford Arts Review - September 29th, 2020
- Cloud Encryption Market 2020-2028 Research Report| Know The Growth Factors and Future Scope - The Daily Chronicle - September 25th, 2020
- Cloud Encryption Market to Witness Astonishing Growth by 2026 | Ciphercloud, Gemalto, Hytrust and more - Crypto Daily - September 25th, 2020
- One Way to Prevent Police From Surveilling Your Phone - The Intercept - September 25th, 2020
- COVID-19 Impact on Global Encryption Software Market Report to Share Key Aspects of the Industry with the details of Influence Factors - Scientect - September 4th, 2020
- Encryption Software Market: Regional Overview and Trends Evaluation to 2026 - Fractovia News - September 4th, 2020
- Encryption Software Market is Expected to reach $2.16 billion by 2020| Growing at a CAGR (compounded annual growth rate) of CAGR of 14.27% from 2014... - September 4th, 2020
- WD unveils encrypted ArmorLock SSD that unlocks using your smartphone - 9to5Toys - September 4th, 2020
- Encryption Software Market report, upcoming trends, share report, growth size, industry players and global forecast to 2025 - Galus Australis - September 4th, 2020
- COVID-19 Impact on Global Encryption Software Market: Global Industry Analysis by Size, Share, Growth, Trends and Forecast 2020 2025 - The Daily... - September 4th, 2020
- Hardware Encryption Technology Steady Growth to be Witnessed by 2019-2029 - The News Brok - September 4th, 2020