
Insecure Encryption Algorithm - SSL/TLS

Need

Secure data transfer between client and server

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Cowboy for HTTP request and response handling
  • Usage of Plug package for building web applications in Elixir

Description

Non-compliant code

config :my_app, MyApp.Endpoint,
  https: [
    port: 4001,
    cipher_suite: :strong,
    honor_cipher_order: true,
    # Insecure: only TLS 1.0 and TLS 1.1 are offered
    versions: [:'tlsv1', :'tlsv1.1']
  ]

In the insecure code example, the server configuration permits insecure TLS protocol versions ('tlsv1' and 'tlsv1.1'). These older versions of TLS are known to have several security vulnerabilities that can be exploited to intercept and decrypt the communication between the client and the server.

Steps

  • Update the server configuration to only allow secure TLS protocol versions (TLSv1.2 or TLSv1.3).
  • Test the server after the changes to make sure that everything works as expected.
  • Regularly update and patch the server software to make sure that it's up to date with the latest security standards.

Compliant code

config :my_app, MyApp.Endpoint,
  https: [
    port: 4001,
    cipher_suite: :strong,
    honor_cipher_order: true,
    # Only TLS 1.2 and TLS 1.3 are offered
    versions: [:'tlsv1.2', :'tlsv1.3']
  ]

In the secure code example, the server configuration only allows the use of secure TLS protocol versions (TLSv1.2 and TLSv1.3). This ensures that all the communication between the client and the server is encrypted using a secure encryption algorithm and prevents potential interception and decryption.
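As a complement to the "test the server" step, the following added example (not part of the original page or of Plug/Cowboy) checks the `https` options themselves, so a regression in `versions` can be caught in a test suite or at boot. `TlsConfigCheck` and its function names are hypothetical; it inspects configuration only and does not perform a live handshake.

```elixir
defmodule TlsConfigCheck do
  # Protocol versions the page treats as secure.
  @allowed [:"tlsv1.2", :"tlsv1.3"]

  # Returns :ok, or {:error, reason} when the listener options do not
  # pin the protocol to TLS 1.2 / TLS 1.3.
  def check(false), do: {:error, :https_disabled}

  def check(https_opts) when is_list(https_opts) do
    case Keyword.fetch(https_opts, :versions) do
      :error ->
        # No explicit list: the effective set then comes from library
        # defaults rather than this file, so ask for it to be pinned.
        {:error, :versions_not_set}

      {:ok, []} ->
        {:error, :versions_empty}

      {:ok, versions} when is_list(versions) ->
        case Enum.reject(versions, &(&1 in @allowed)) do
          [] -> :ok
          weak -> {:error, {:weak_versions, weak}}
        end

      {:ok, other} ->
        {:error, {:invalid_versions, other}}
    end
  end

  # Reads the endpoint's :https options from the application environment.
  def check_endpoint(app, endpoint) do
    app
    |> Application.get_env(endpoint, [])
    |> Keyword.get(:https, [])
    |> check()
  end
end

# Constructed inputs mirroring the two configurations on this page.
non_compliant = [port: 4001, cipher_suite: :strong, honor_cipher_order: true,
                 versions: [:tlsv1, :"tlsv1.1"]]
compliant = [port: 4001, cipher_suite: :strong, honor_cipher_order: true,
             versions: [:"tlsv1.2", :"tlsv1.3"]]

IO.inspect(TlsConfigCheck.check(non_compliant), label: "non-compliant")
IO.inspect(TlsConfigCheck.check(compliant), label: "compliant")
```

In a project, `TlsConfigCheck.check_endpoint(:my_app, MyApp.Endpoint)` can be asserted to equal `:ok` in a test that loads the production configuration.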
