logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure encryption algorithm - SSLContext - Python

Need

Implementation of secure encryption algorithms for SSLContext

Context

  1. Usage of Python 3 for scripting and software development
  2. Usage of SSL for secure communication over the network

Description

Insecure Code Example

import ssl
ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

In the code snippet above, we're creating an SSLContext object and specifying the protocol as `ssl.PROTOCOL_SSLv23`. This is a problem because `ssl.PROTOCOL_SSLv23` allows the use of SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3, depending on what the client and server support. SSLv2 and SSLv3 are considered insecure due to several vulnerabilities, such as DROWN for SSLv2 and POODLE for SSLv3. Therefore, using `ssl.PROTOCOL_SSLv23` can potentially allow connections that are not secure. The use of this insecure encryption algorithm can lead to various security issues like Man-in-the-Middle (MitM) attacks, where an attacker intercepts and possibly alters the communication between two parties without their knowledge. This can lead to data leakage, data tampering, and various other security threats.

Steps

  1. Identify the insecure SSL protocol being used in the SSLContext object.
  2. Replace the insecure SSL protocol with a secure one. The recommended protocol is TLS, specifically the latest version of TLS that your system supports.
  3. Test the updated code to ensure that it works as expected and that the secure protocol is being used.

Secure Code Example

import ssl
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)

The original code was using the `ssl.PROTOCOL_SSLv23` protocol, which is considered insecure. This protocol is outdated and has several known vulnerabilities that can be exploited by attackers to decrypt secure connections. The updated code replaces the insecure `ssl.PROTOCOL_SSLv23` protocol with the `ssl.PROTOCOL_TLSv1_2` protocol. TLS (Transport Layer Security) is the successor to SSL and is currently the most secure protocol for establishing secure connections. Specifically, `ssl.PROTOCOL_TLSv1_2` is one of the most secure versions of TLS available. This change ensures that the SSLContext object is using a secure protocol, which helps protect your secure connections from potential attacks. After updating the code, it's important to test it to ensure that it works as expected and that the secure protocol is being used.

References

  • 147 - Insecure encryption algorithm - SSLContext

    • Last updated

    2023/09/18