Wednesday, April 09, 2014

Coto de Caza’s website gets a Failing grade from Qualys for its security protocols

While Coto de Caza's website does not appear to be susceptible to the HeartBleed bug, it uses obsolete security protocols

Posted By CotoBlogzz

Rancho Santa Margarita, CA – Qualys, a pioneer and leading provider of cloud security and compliance solutions, announced yesterday that its newly released tool can detect the OpenSSL HeartBleed vulnerability announced Monday, April 7, 2014.

Using the Qualys tool, the CZ Master Association’s website gets a grade of F. So does the website of its security company, Universal Protection (UPS).

CZ Master Association's website rating

PG&E's website rating for comparison purposes

Other rated websites

Even if you have never heard of OpenSSL, more than likely it is a part of your life in one way or another. The Apache web server that powers more than 50% of the Internet’s web sites, for example, uses OpenSSL.

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. While SSL is the standard for encrypted network communication, surprisingly little attention is paid to how it is configured, given its widespread usage. SSL is relatively easy to use, but it does have its traps.

The HeartBleed bug was discovered and reported to the OpenSSL team by Neel Mehta of Google’s security team. OpenSSL released an emergency patch for the bug along with a Security Advisory yesterday.

“The HeartBleed vulnerability is easy to exploit and there are already many proof-of-concept tools available that one can use in minutes,” said Ivan Ristic, Director of Engineering at Qualys and renowned SSL technology expert, in a press release. “After a successful attack, the attacker can obtain a large chunk of server memory, which can contain server private keys, session keys, passwords and other sensitive data. IT administrators need to map their exposure and install the patched version wherever necessary.”

I have written at length about my concerns with the privacy and security of sensitive information in the CZ Master Association’s website. So much so that I refuse to use it. Now the newly released Qualys tool gives the site an F, aka a failing grade. The grade comes mostly because, while the websites appear not to be vulnerable to the HeartBleed bug, they use obsolete SSL protocols.
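To show what "obsolete SSL protocols" looks like in practice on the Apache server mentioned above, here is an added example (not from this post, from Qualys, or from the CZ Master Association's site): an Apache mod_ssl fragment with the kind of settings that draw a failing grade, beside a hardened form that disables the obsolete protocols and weak ciphers. The hostname and certificate paths are placeholders, and the hardened fragment assumes the server is already running the patched OpenSSL.

```apache
# Added example, not the site's real configuration.
# Hostname and file paths below are placeholders.

# --- Weak: what a failing protocol grade typically looks like ---
<VirtualHost *:443>
    ServerName portal.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.invalid.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.invalid.key
    # "all" still enables the obsolete SSLv2 and SSLv3 protocols
    SSLProtocol all
    # ALL admits anonymous, export-grade and RC4 suites; the client picks
    SSLCipherSuite ALL
</VirtualHost>

# --- Hardened: same host, obsolete protocols and weak suites removed ---
<VirtualHost *:443>
    ServerName portal.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.invalid.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.invalid.key
    # Disable SSLv2 and SSLv3; TLS 1.0 through TLS 1.2 remain available
    SSLProtocol all -SSLv2 -SSLv3
    # Forward-secret ECDHE suites first; anonymous, NULL, export, DES,
    # RC4 and MD5 suites excluded outright
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
    # The server, not the client, decides which suite is used
    SSLHonorCipherOrder on
    # TLS-level compression is a known weakness; keep it off
    SSLCompression off
</VirtualHost>
```

After changing the protocol list, re-run the Qualys test against the host to confirm that SSLv2 and SSLv3 no longer appear as supported.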
