Insecure encryption algorithm - SSLContext
Need
Implementation of secure encryption algorithms for SSLContext
Context
- Usage of TypeScript for statically typed JavaScript development
- Usage of Express for building web applications and APIs
- Usage of HTTPS for secure communication over the network
- Usage of fs for file system operations
Description
Non compliant code
import * as express from 'express';
import * as https from 'https';
const app = express();
const options = {
key: fs.readFileSync('private-key.pem'),
cert: fs.readFileSync('public-cert.pem'),
secureProtocol: 'SSLv3' // Vulnerable SSL protocol
};
const server = https.createServer(options, app);
app.get('/', (req, res) => {
res.send('Hello World!');
});
server.listen(3000, () => {
console.log('Server listening on port 3000');
});
The vulnerability in the provided code is the use of the insecure SSLv3 protocol in the secureProtocol option when creating the HTTPS server. SSLv3 has been proven to be insecure and susceptible to various attacks, such as POODLE (Padding Oracle On Downgraded Legacy Encryption).
By using SSLv3, the code allows for the possibility of an attacker being able to decrypt the traffic at the back-end level, compromising the confidentiality and integrity of the data being transmitted.
To address this vulnerability, it is recommended to use only secure encryption protocols with secure algorithms, such as TLSv1.2 or higher.
Steps
- Update the secureProtocol option to use a secure encryption algorithm such as TLSv1.2 or higher.
- Replace the SSLv3 protocol with a secure protocol like TLSv1.2 or higher.
- Ensure that the private key and public certificate files are securely stored and accessed.
- Consider using a more secure method to load the private key and public certificate files, such as using environment variables or a secure key management system.
- Test the updated code to ensure that the secure encryption algorithm is being used and the vulnerability has been addressed.
Compliant code
import * as express from 'express';
import * as https from 'https';
import * as fs from 'fs';
const app = express();
const options = {
key: fs.readFileSync('private-key.pem'),
cert: fs.readFileSync('public-cert.pem'),
secureProtocol: 'TLSv1.2' // Updated to use TLSv1.2 protocol
};
const server = https.createServer(options, app);
app.get('/', (req, res) => {
res.send('Hello World!');
});
server.listen(3000, () => {
console.log('Server listening on port 3000');
});
The fixed code addresses the vulnerability by using a secure encryption algorithm, specifically TLSv1.2.
First, the code imports the necessary modules: express, https, and fs.
Then, an instance of the express application is created.
The options object is defined, which includes the key and cert properties. These properties specify the private key and public certificate files required for SSL/TLS encryption. The secureProtocol property is set to 'TLSv1.2', ensuring that only the TLS version 1.2 protocol is used.
Next, the https.createServer() method is called with the options object and the app instance. This creates an HTTPS server that will handle secure connections.
The app.get() method sets up a basic route for the root URL, which will respond with the message "Hello World!".
Finally, the server is set to listen on port 3000, and a message is logged to the console indicating that the server is running.
Overall, this fixed code ensures that only the secure TLSv1.2 protocol is used for encryption, mitigating the vulnerability associated with insecure encryption algorithms.