Security Penetration Testing Blog

Enable Perfect Forward Secrecy
Apr 03, 2021 / Borislav Kiprin

Perfect Forward Secrecy (PFS) is unavailable with the server configuration. If the TLS encryption is broken once, recordings of previous connections are not secure and may be decrypted.

Increase TLS Key Size
/ Borislav Kiprin

The security of a TLS connection heavily depends on the used keysize. If the size of the used key is too small, it becomes easy for an attacker to break the encryption.

Disable deprecated SSL Protocol Versions
/ Borislav Kiprin

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Make sure that your web server offers only recent and strong protocol versions.

Configure SSL Cipher Order
/ Borislav Kiprin

There is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipher. This means, that an attacker could make use of an insecure SSL/TLS connection.

Manage TLS Warning
/ Borislav Kiprin

Your website produces an SSL/TLS warning. A warning from the SSL/TLS scanner does not indicate a direct vulnerability but highlights a potential issue that needs to be manually reviewed.

Enable Security Headers
/ Borislav Kiprin

Security headers can effectively prevent a variety of hacking attempts. You should consider headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options or X-XSS-Protection.

Disable SSL RC4
Apr 02, 2021 / Borislav Kiprin

The server supports RC4 (Rivest Cipher 4), which is a cipher stream that is considered insecure due to multiple known vulnerabilities.

Disable SSL Insecure Algorithm
/ Borislav Kiprin

One of your used encryption algorithms has severe security issues.

Prevent Ticketbleed
/ Borislav Kiprin

The proprietary F5 TLS stack is vulnerable to ticketbleed. It exposes 31 bytes per request to the attacker and will ultimately invalidate the encryption.

/ Borislav Kiprin

DROWN (Decrypting RSA with Obsolete and Weakened encryption) is an attack on the old SSL v2 protocol version. Read here, how you can prevent SSL DROWN.