Cookies that are not marked with the Secure attribute are also sent over unencrypted HTTP connections. An attacker in a man-in-the-middle position can read the contents of these cookies, including session identifiers, from such a connection.
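A check for the missing Secure attribute (together with the closely related HttpOnly and SameSite attributes), added here as an example and not taken from the original page. It uses Python's standard-library cookie parser; the cookie names and values are constructed, and the function names are ours.

```python
from http.cookies import SimpleCookie

# Attributes a session cookie should carry before it leaves the server
# (Morsel key -> attribute name as it appears in the Set-Cookie header).
REQUIRED = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value; return {cookie name: [missing attributes]}."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        # Flags parse to True when present; an absent attribute stays "" on the Morsel.
        findings[name] = [label for key, label in REQUIRED.items() if not morsel[key]]
    return findings


def harden_set_cookie(name: str, value: str, path: str = "/", max_age: int = 3600) -> str:
    """Build a Set-Cookie value that is never sent in cleartext and is not readable by scripts."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # browser sends it over HTTPS only
    jar[name]["httponly"] = True    # no access through document.cookie
    jar[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    jar[name]["path"] = path
    jar[name]["max-age"] = max_age
    return jar.output(header="").strip()


if __name__ == "__main__":
    # Constructed sample: a session cookie set without any protection attributes.
    weak = "session=abc123; Path=/"
    print(weak, "->", audit_set_cookie(weak))
    fixed = harden_set_cookie("session", "abc123")
    print(fixed, "->", audit_set_cookie(fixed))
```

Running the audit over your application's actual Set-Cookie headers (for example from a proxy log) lists every cookie that a browser would still send over plain HTTP; the Secure attribute is the one that addresses the finding above, the other two are worth fixing in the same change.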
A correctly configured TLS setup ensures that your users receive content from your web application that cannot be tampered with or eavesdropped on in transit. Learn here how you can secure your TLS configuration.
The domain certificate has expired or will expire soon. An expired certificate causes browser error messages for the web application's users, and strict clients refuse the connection altogether.
The SSL LUCKY13 finding refers to Lucky Thirteen, a cryptographic timing attack against implementations of the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols that use the Cipher Block Chaining (CBC) mode of operation. It is a padding-oracle attack that requires a man-in-the-middle position: the attacker injects modified records and measures how long the receiver takes to reject them.
The CRIME (Compression Ratio Info-leak Made Easy) attack exploits TLS-level compression (and SPDY header compression). By observing how the compressed size of a request changes as injected content is varied, an attacker recovers secrets such as session cookies sent over compressed HTTPS or SPDY connections, which enables session hijacking.
A server vulnerable to BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) lets an attacker recover secrets from compressed HTTP responses, such as CSRF tokens or other session information that a page emits alongside attacker-controlled input. Learn here how you can prevent SSL BREACH.
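The compression side channel that both CRIME and BREACH rely on, added here as an example and not part of the original page. The page layout, the secret token and the function names are constructed for the demo. It compresses with Python's zlib using fixed Huffman tables so that the length differences are deterministic (real gzip encoders use dynamic tables, which is why the real attacks need repeated measurements), and it closes with the per-response token masking that several web frameworks use as a BREACH mitigation.

```python
import os
import zlib

# Constructed values: the attacker knows the field name that precedes the secret
# in the page (KNOWN_PREFIX) but not the secret itself (SECRET_VALUE).
SECRET_VALUE = "7f3a9c1e0b42"
KNOWN_PREFIX = "csrf_token="
ALPHABET = "0123456789abcdef"
# Bytes >= 0x90 cost 9 bits each as fixed-Huffman literals; appending 0..7 of them
# walks the compressed bit length through every residue mod 8 and defeats byte rounding.
PAD = "".join(chr(0xF0 + i) for i in range(8))


def render_page(reflected: str, secret_value: str = SECRET_VALUE) -> bytes:
    """Model of a vulnerable page: attacker-controlled input and a secret in one response body."""
    html = (
        '<html><body><ul><li><a href="/home">Home</a></li><li><a href="/search">Search</a></li>'
        '<li><a href="/account">Account</a></li></ul>'
        "<p>No results for: " + reflected + "</p>"
        '<a href="/logout?csrf_token=' + secret_value + '">Log out</a></body></html>'
    )
    return html.encode("latin-1")


def render_page_masked(reflected: str, secret_value: str = SECRET_VALUE) -> bytes:
    """Mitigation: XOR the token with a fresh random mask on every response, so the
    bytes on the wire never repeat and a guess has nothing stable to match against."""
    token = bytes.fromhex(secret_value)
    mask = os.urandom(len(token))
    masked = mask.hex() + bytes(a ^ b for a, b in zip(token, mask)).hex()
    return render_page(reflected, masked)


def compressed_len(data: bytes) -> int:
    """Size after raw DEFLATE with fixed Huffman tables, standing in for the server's gzip encoder."""
    c = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15, strategy=zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def recover_secret(render, known_prefix: str, alphabet: str, length: int) -> str:
    """Recover `length` characters following `known_prefix`, one per round, using only
    the compressed size of each response as the oracle."""
    recovered = known_prefix
    for _ in range(length):
        scores = {}
        for ch in alphabet:
            guess = recovered + ch
            # The correct character extends the back-reference by one and removes a literal
            # (a saving of 7 or 8 bits); summing over 8 pad lengths makes that saving
            # strictly visible in bytes even when a single measurement rounds to a tie.
            scores[ch] = sum(compressed_len(render(guess + PAD[:k])) for k in range(8))
        recovered += min(scores, key=scores.get)
    return recovered[len(known_prefix):]


if __name__ == "__main__":
    n = len(SECRET_VALUE)
    print("vulnerable page:", recover_secret(render_page, KNOWN_PREFIX, ALPHABET, n))
    print("masked page:    ", recover_secret(render_page_masked, KNOWN_PREFIX, ALPHABET, n))
```

The attacker never sees plaintext; every measurement is a ciphertext length, which TLS does not hide. Disabling TLS compression (OP_NO_COMPRESSION in OpenSSL-based servers) closes CRIME, but BREACH lives in HTTP response compression, so it needs one of: masking secrets per response as above, not compressing responses that reflect user input, or keeping secrets out of such responses.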
There is no SSL/TLS encryption enabled on your server. All traffic to your web application is transported via unencrypted channels. This leaves your users vulnerable to man-in-the-middle attacks.
The server configuration does not offer Perfect Forward Secrecy (PFS): it negotiates cipher suites with a static key exchange (for example plain RSA) instead of ephemeral Diffie-Hellman (DHE or ECDHE). If the server's private key is ever compromised, recorded past connections are no longer safe and can be decrypted retroactively.
The security of a TLS connection depends heavily on the size of the key in use. If the key is too small (for example RSA below 2048 bits), it becomes feasible for an attacker to break it and with it the encryption.
An SSL/TLS version offered by the server is outdated. The deprecated versions (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) contain weaknesses that can no longer be considered secure. Make sure that your web server offers only TLS 1.2 and TLS 1.3.
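The checks behind the TLS configuration, certificate expiry, forward secrecy, key size and protocol version findings above, written as an added example in Python's standard `ssl` module and not taken from the original page. The thresholds (TLS 1.2 minimum, 2048-bit RSA, 256-bit EC, 30-day expiry warning) and all function names are assumptions for this example; the certificate dates and scan results are constructed.

```python
import calendar
import re
import ssl
import time

# Policy thresholds for this example (assumptions, not taken from the original page).
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 256}
EXPIRY_WARNING_DAYS = 30
# Key-exchange labels OpenSSL prints for ephemeral (forward-secret) TLS 1.2 suites.
PFS_KEY_EXCHANGE = ("ECDH", "DH")


def hardened_server_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server context that offers only TLS 1.2/1.3, ephemeral key exchange and no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_PROTOCOL                 # retires SSLv3, TLS 1.0 and TLS 1.1
    # TLS 1.2 suites restricted to ECDHE/DHE key exchange; TLS 1.3 suites are always ephemeral.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION               # TLS-level compression is what CRIME needs
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE     # the server's suite order wins
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS 1.2 suites whose key exchange is static (no forward secrecy)."""
    weak = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        kx = re.search(r"\bKx=(\S+)", c["description"])   # e.g. "Kx=ECDH", "Kx=RSA"
        if kx is None or kx.group(1) not in PFS_KEY_EXCHANGE:
            weak.append(c["name"])
    return weak


def outdated_protocols(offered: list) -> list:
    """Version names (as in ssl.TLSVersion) from a scan result that fall below MIN_PROTOCOL."""
    versions = [ssl.TLSVersion[name] for name in offered]
    return [v.name for v in sorted(versions) if v < MIN_PROTOCOL]


def key_size_ok(key_type: str, bits: int) -> bool:
    """True when the certificate's public key meets the minimum for its algorithm."""
    minimum = MIN_KEY_BITS.get(key_type.upper())
    return minimum is not None and bits >= minimum


def utc_epoch(year: int, month: int, day: int) -> int:
    """Epoch seconds for midnight UTC on the given date (helper for deterministic checks)."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def days_until_expiry(cert: dict, now: float = None) -> int:
    """Days left on a certificate dict as returned by SSLSocket.getpeercert(); negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("non-PFS suites in hardened context:", non_pfs_ciphers(ctx))
    print("outdated versions in scan:", outdated_protocols(["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]))
    # Constructed certificate date, checked against a fixed clock.
    left = days_until_expiry({"notAfter": "Jun 12 00:00:00 2030 GMT"}, now=utc_epoch(2030, 6, 1))
    print("days until expiry:", left, "(renew)" if left < EXPIRY_WARNING_DAYS else "")
```

For a live check, `days_until_expiry(ssl_sock.getpeercert())` works on a connected socket, and running `non_pfs_ciphers` on a context built with the server's own cipher string (rather than the hardened one here) shows exactly which suites the PFS finding is about.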
Copyright © Crashtest Security GmbH 2021. All rights reserved.