Secure Code Warrior

Coders Conquer Security: Share & Learn Series - Insufficient Transport Layer Protection

Even if you have completely secured an application server and the backend systems it uses, communications might still be vulnerable to snooping if you have insufficient transport layer protection.

Even if you have completely secured an application server and the backend systems it uses, communications might still be vulnerable to snooping if you have insufficient transport layer protection. In the physical world, the reason that hard currency is moved around using armored cars is to provide protection while it's in transit. It really doesn't matter how secure a store or a bank is if the money it generates is being loaded into a golf cart for a drive across town.

The same can be said of transport layers in the cyber realm. Even if an application is secure, there is still a critical vulnerability if the information coming into it is sent with no protection. And there is a second vulnerability with some apps if they additionally send information to other servers or a database. That information might be exposed to insiders who have no business snooping those transactions.

To fully protect users and data requires protecting the transport layer. Only by doing that can you fully secure an entire transaction from end to end.

In this episode, we will learn:

  • How hackers can exploit insufficient transport layer protection
  • Why not protecting the transport layer is so dangerous
  • What can be done to secure the transport of all data moving into and through an application or server.

How do Attackers Exploit Insufficient Transport Layer Protection?

Insufficient transport layer protection can enable attacks at two points within your data stream. The most commonly exploited spot sits between a user and the application server. If information is sent in the clear, or with weak encryption, then hackers will be able to monitor, steal and possibly change that information. This might allow hackers to steal a user's credit card, their login credentials or anything else sent into the application server. Even if the server itself is secure, a hacker monitoring the unsecure channel between it and users could get nearly unrestricted access to a lot of information.

The second point which is often left unprotected is the transport layer between an application and the rest of the network. For example, an application server might process online shopping orders and then send them on to a fulfillment system, or data might simply be offloaded to a database for storage. If those internal channels are unprotected, inside users might be able to see that information.

While it's nice to believe that all internal users are good people, the fact is that insider threats are on the rise in a lot of industries. Insiders have been caught taking bribes in return for collecting sensitive information for attackers or competitors. And having access to something like thousands of valid credit cards might simply be too tempting for some people to ignore.

In terms of attack techniques, it's not very difficult to intercept unprotected communications. Even low level hackers know how to perform man-in-the-middle attacks against unencrypted data streams. If they don't, there are videos online that can train them in less than half an hour.

Why are Insufficient Transport Layer Protection Vulnerabilities so Dangerous?

Having insufficient or nonexistent protection on transport layers is dangerous because it makes it extremely easy for hackers to gather sensitive information. They don't have to break into your app server or hack your network. They simply set up a man in the middle attack and read everything being sent into a server from users. This can include usernames and passwords which can be used to bypass security in the future using valid credentials. Depending on the application, this might also include credit card information or other personal data about users.

And it's important to note that all of this snooping is taking place outside of your network. If you are using insecure transport channels, there is no way to know if someone is capturing that information. Normally the first sign is when lots of users begin reporting compromised accounts or credit card purchases, and the common factor is your application " not a good spot to be in. Hackers can also modify information once they have it, changing the delivery address for example, or even inserting malicious scripts into the server response before passing it along to users.

On the backend, failure to secure the transport layer exposes data to insiders. It's probably a lot less likely that an insider is snooping the transport layer compared to hackers from the outside doing the same thing. But its also more dangerous if it happens, because the insider threat will be able to see not only the user data, but also any proprietary information added by the app server before sending those packets along.

Eliminating Insufficient Transport Layer Protection Vulnerabilities

As dangerous as insufficient transport layer protection can be, it's also not incredibly difficult to properly secure all of your transport channels. It starts with the backend infrastructure. This should be exclusively HTTPS, be sure not to mix HTTPS and HTTP on a site. Finally, maintain a valid SSL certificate with a minimum key size of 2048 bits while forcing all users to interact using secured browsers with HTTP Strict Transport Security (HSTS).

Once the infrastructure is in place, developers should use a strong protocol to protect the transport layer. Ideally TLS 1.2 should be used, though TLS 1.1 and 1.0 are also acceptable if absolutely necessary. Once that is in place, weak protocols like SSLv2 should be completely disabled and never supported.

Care should also be taken to ensure that cryptographic ciphers are sufficiently powerful on the backend. Ideally, the minimum session key size should be 128 bits. Like with protocols, support for weak cryptographic algorithms such as DES and RC4-40 should be disabled. And finally, don't consider an application truly secure until both the server itself and all the data paths leading into and out of it are sufficiently protected.

More Information about Insufficient Transport Layer Protection Vulnerabilities

For further reading, you can take a look at the OWASP guide to protecting transport layers. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.