
Insecure Encryption Algorithm - SSL/TLS - Elixir


Need

Secure data transfer between client and server


Context

  1. Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  2. Usage of Cowboy for HTTP request and response handling
  3. Usage of Plug package for building web applications in Elixir

Description

Insecure Code Example

# HTTPS listener options for the endpoint. The keyword list is passed to
# Cowboy and from there to Erlang's :ssl application.
# Insecure on purpose: only TLS 1.0 and TLS 1.1 are enabled.
config :my_app, MyApp.Endpoint,
  https: [
    port: 4001,
    cipher_suite: :strong,        # preset cipher list
    honor_cipher_order: true,     # server's cipher preference wins over the client's
    versions: [:'tlsv1', :'tlsv1.1']  # deprecated protocol versions: the defect
  ]

In the insecure code example, the `versions` list explicitly enables TLS 1.0 (`:'tlsv1'`) and TLS 1.1 (`:'tlsv1.1'`) and nothing newer. Both protocol versions were formally deprecated by RFC 8996 in 2021: TLS 1.0 is exposed to chosen-plaintext attacks on CBC mode such as BEAST, neither version offers AEAD cipher suites, and both still derive handshake integrity from MD5/SHA-1 based constructions. A client that negotiates one of these versions can have its traffic to the server intercepted and decrypted. `cipher_suite: :strong` does not rescue this configuration: the explicit `versions` list decides which protocol versions the listener will negotiate.

Steps

  1. Update the server configuration so that `versions` lists only TLSv1.2 and TLSv1.3 (`:'tlsv1.2'`, `:'tlsv1.3'`). TLS 1.3 in Erlang's `:ssl` application requires Erlang/OTP 22 or later; on an older runtime list TLSv1.2 alone rather than falling back to TLS 1.0 or 1.1.
  2. Test the server after the change: confirm that normal clients still connect, and confirm that a handshake offering only TLS 1.0 or 1.1 is rejected (for example `openssl s_client -connect localhost:4001 -tls1_1` must fail).
  3. Regularly update and patch Erlang/OTP, Cowboy and Plug. The protocol versions and cipher suites the server can offer come from the `:ssl` application shipped with OTP, so an outdated runtime limits what the configuration can enforce.

Secure Code Example

# Same listener, restricted to current protocol versions.
config :my_app, MyApp.Endpoint,
  https: [
    port: 4001,
    cipher_suite: :strong,        # preset cipher list
    honor_cipher_order: true,     # server's cipher preference wins over the client's
    versions: [:'tlsv1.2', :'tlsv1.3']  # TLS 1.3 needs Erlang/OTP 22 or later
  ]

In the secure code example, `versions` restricts the listener to TLS 1.2 and TLS 1.3, so a client that offers only TLS 1.0 or 1.1 fails the handshake instead of being downgraded. Together with `cipher_suite: :strong`, which selects a modern cipher set, and `honor_cipher_order: true`, which makes the server's cipher preference win, this keeps every connection on protocol versions and cipher suites without known practical attacks. The setting covers the `https:` listener only; a plain HTTP listener on another port is not protected by it.
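The following module is an added example for the steps above; it is not code from the original page nor part of Plug, Cowboy or Phoenix. It does two things a practitioner wants after the fix: it checks the `https:` option list against the allowed versions before the application boots, and it probes a running listener with one protocol version at a time to confirm that TLS 1.0 and 1.1 are really refused. The module and function names (`TlsPolicy`, `validate/1`, `probe/3`, `audit/2`) are hypothetical, and the usage lines assume the endpoint from the secure example is listening on `localhost:4001` under Erlang/OTP 22 or later.

```elixir
# Added example, not part of the original page or of Plug/Cowboy/Phoenix.
# Module and function names (TlsPolicy, validate/1, audit/2) are hypothetical.
defmodule TlsPolicy do
  @moduledoc """
  Checks an endpoint's `https:` option list against the versions this page
  allows, and probes a running listener to confirm the change took effect.
  """

  @allowed [:"tlsv1.2", :"tlsv1.3"]
  @forbidden [:sslv3, :tlsv1, :"tlsv1.1"]

  @doc """
  Returns `:ok` when `:versions` enables only TLS 1.2/1.3, otherwise
  `{:error, reason}`. A missing `:versions` key is reported as well, because
  then the negotiated versions depend on the OTP release instead of on the
  application's own policy.
  """
  def validate(https_opts) when is_list(https_opts) do
    case Keyword.fetch(https_opts, :versions) do
      :error ->
        {:error, :versions_not_set}

      {:ok, versions} ->
        case Enum.filter(versions, &(&1 in @forbidden)) do
          [] -> check_allowed(versions)
          bad -> {:error, {:insecure_versions, bad}}
        end
    end
  end

  defp check_allowed(versions) do
    case Enum.reject(versions, &(&1 in @allowed)) do
      [] -> :ok
      unknown -> {:error, {:unknown_versions, unknown}}
    end
  end

  @doc """
  Protocol versions the running Erlang/OTP `ssl` application can offer at
  all (`:available`), independent of what it enables by default.
  TLS 1.3 only shows up here on OTP 22 or later.
  """
  def available_in_runtime do
    Keyword.get(:ssl.versions(), :available, [])
  end

  @doc """
  Opens one handshake to `host:port` offering exactly `version` and returns
  `{:ok, negotiated_version}` or `{:error, reason}`. Certificate
  verification is switched off on purpose: this probes the protocol versions
  of a server you operate; it is not a client you would ship.
  """
  def probe(host, port, version) when is_binary(host) and is_integer(port) do
    {:ok, _started} = Application.ensure_all_started(:ssl)

    opts = [versions: [version], verify: :verify_none, active: false]

    case :ssl.connect(String.to_charlist(host), port, opts, 5_000) do
      {:ok, socket} ->
        {:ok, info} = :ssl.connection_information(socket, [:protocol])
        :ssl.close(socket)
        {:ok, Keyword.fetch!(info, :protocol)}

      {:error, reason} ->
        {:error, reason}
    end
  end

  @doc """
  Probes every version the runtime can offer. After the fix, each forbidden
  version should map to `{:error, _}` and each allowed one to `{:ok, version}`;
  an `{:error, _}` for an allowed version means the listener is misconfigured
  or the runtime cannot negotiate it.
  """
  def audit(host, port) do
    available = available_in_runtime()
    candidates = Enum.filter(@forbidden ++ @allowed, &(&1 in available))

    for version <- candidates, into: %{} do
      {version, probe(host, port, version)}
    end
  end
end

# Usage (assumes the endpoint from the secure example is running locally):
#   TlsPolicy.validate(Application.get_env(:my_app, MyApp.Endpoint)[:https])
#   TlsPolicy.audit("localhost", 4001)
```

Call `validate/1` from a release boot hook or a test so a regression in `config/*.exs` fails early, and run `audit/2` against the deployed listener as the check in step 2. When inspecting the `{:error, reason}` entries for TLS 1.0 and 1.1, distinguish a refusal by the server from an `:options` error raised because the local OTP release itself can no longer offer that version; only the former proves the server configuration.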


References

  • 016 - Insecure Encryption Algorithm - SSL/TLS
  • Last updated: 2023/09/18