Registered
OK you IT security guys
Am I overreacting, or is it a legitimate complaint?
We have a vendor that we use to check PHI via a Java applet. Whole other ball of worms for me, but not the crux of the current issue. The issue is that the Java applet communicates with their website to check for updates and whatever else, and the website has no certificate. It communicates via HTTP, not HTTPS, and Java complains that it is not secure, so the vendor says just put it in the exceptions list. I tell them to spend the $70 for a two-year cert for their website, since no part of their web is secure. It strikes me as an easy way to compromise the information behind that IP, and certs are cheap. I can create a GPO to add the exception, but I don't feel I should have to, because there is no reason they should not have a cert on their site. What say you all, ye smarter than me?
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Cars & Coffee Killer
Join Date: Sep 2004
Location: State of Failure
Posts: 32,246
Someone would have to spoof their DNS to take advantage of that vulnerability, no?
I know with my employer, that would be a complete and total no-go and grounds for the immediate termination of our contract with them. While certificates aren't all that great, they are better than nothing.
__________________
Some Porsches long ago...then a wankle... 5 liters of VVT fury now -Chris "There is freedom in risk, just as there is oppression in security."
Registered
At least with a certificate you aren't broadcasting in the clear. Without a certificate it is much easier to penetrate a web site to see what is behind it. Been there, done that and don't need to again.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
The Stick
If their Java applet is vulnerable, then that makes access to your stuff vulnerable.
I.e., they provide secure passwords to get to your stuff, but their system is hackable to get the credentials.
__________________
Richard aka "The Stick" 06 Cayenne S Titanium Edition
You do not have permissi
Join Date: Aug 2001
Location: midwest
Posts: 39,937
^man-in-the-middle scenario?
Registered
Join Date: Oct 2003
Location: Roseville, CA
Posts: 3,066
Sure seems like a completely unnecessary gap when a $70 cert would at least make Java happy and add a little security.
__________________
1992 968 Polar Silver 2010 Toyota Highlander SE 2006 Lexus LS430 ML
Registered
So I lock all the doors, but I have to leave the bay window out so I can see.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Too big to fail
This makes my head hurt.
They need to suck it up and move to SSL. Do not pass Go, do not collect $200. A self-signed cert is also not the answer.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had." '03 E46 M3 '57 356A Various VWs
Too big to fail
I assume you mean "while self-signed certificates aren't all that great."
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had." '03 E46 M3 '57 356A Various VWs
The Unsettler
No excuse for that other than pure laziness, which would make me wonder what corners they are cutting on the hard stuff.
Especially when you have solutions like https://letsencrypt.org. I'd be rethinking my relationship with this vendor, and if you are in a position to dictate, you should be squeezing their balls real hard.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
My recommendation was that it would be a deal breaker. Just got back from a meeting and brought it up with the Administrator and DoN. They are now thinking the same.
The head of IT that was there when we first started dealing with this said they have a cert for the website. I said, no, you don't. He said he was told they did. The new IT guy there says just do a GPO and bypass the security message. I said, no, buy a cert. That is what brought me here, to see if I am being too paranoid.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Slackerous Maximus
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,196
PHI. No SSL. Un-freaking-believable. How can that be HIPAA compliant?
__________________
2022 Royal Enfield Interceptor. 2012 Harley Davidson Road King 2014 Triumph Bonneville T100. 2014 Cayman S, PDK. Mercedes E350 family truckster.
Registered
I cannot cancel the project, but I can, and did, highly recommend they find another vendor.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
The Unsettler
I share that opinion, as I suspect many others would as well.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
Well, at least if I am paranoid I am in good company.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Gon fix it with me hammer
Without a cert, that automated crap of his is just that, crap.
It should not even be discussed. Anybody can jump in the middle and have your machine update itself with a payload. Any machine can pretend to be that host.
__________________
Stijn Vandamme EX911STARGA73EX92477EX94484EX944S8890MPHPINBALLMACHINEAKAEX987C2007 BIMDIESELBMW116D2019
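As an added example (not the vendor's code and not posted in the thread), here is how a Java update client could close the gap the post above describes: it refuses any update URL that is not HTTPS, and it verifies a vendor signature over the update bytes with a public key pinned inside the applet, so a host that merely pretends to be the update server cannot get a payload accepted. The key pair, hostname and update bytes are constructed for the demonstration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

/** Added example: an update check that refuses plain HTTP and verifies a
 *  vendor signature on the update before anything is applied. */
public class SignedUpdateCheck {
    /** A plain-HTTP update URL is exactly the gap in the thread; adding the
     *  host to Java's exception site list silences the warning, not the risk. */
    static boolean isAcceptableUpdateUrl(String url) {
        return "https".equalsIgnoreCase(URI.create(url).getScheme());
    }

    /** Check the detached SHA256withRSA signature over the update bytes with
     *  the vendor public key pinned in the applet. An impersonating host can
     *  serve bytes, but it cannot sign them with the vendor's private key. */
    static boolean verifyUpdate(byte[] update, byte[] sig, PublicKey vendorKey)
            throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(vendorKey);
        verifier.update(update);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed vendor key pair: the private half stays with the vendor,
        // the public half ships inside the applet at build time.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendor = gen.generateKeyPair();

        // Constructed update payload, signed the way the vendor would sign a release.
        byte[] update = "applet-update-v2 (constructed)".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendor.getPrivate());
        signer.update(update);
        byte[] sig = signer.sign();

        System.out.println("http  URL accepted: " + isAcceptableUpdateUrl("http://updates.vendor.example/check"));
        System.out.println("https URL accepted: " + isAcceptableUpdateUrl("https://updates.vendor.example/check"));
        System.out.println("genuine update verifies:  " + verifyUpdate(update, sig, vendor.getPublic()));

        // One altered byte, as anything on the path could introduce without TLS: the signature no longer matches.
        byte[] tampered = update.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered update verifies: " + verifyUpdate(tampered, sig, vendor.getPublic()));
    }
}
```

The HTTPS check stops the downgrade the thread complains about; the signature check is what stops a spoofed host from pushing an update even if TLS is later added with a weak certificate.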
Registered
Join Date: Mar 2003
Posts: 10,348
Don't even have to buy a cert - the EFF and letsencrypt will give you one for free (I use 'em at home and on a few work machines).
Slackerous Maximus
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,196
Asking people to be vaguely competent is not paranoia.
__________________
2022 Royal Enfield Interceptor. 2012 Harley Davidson Road King 2014 Triumph Bonneville T100. 2014 Cayman S, PDK. Mercedes E350 family truckster.
Registered
I forwarded the link from SM to them. Will see if they will comply and earn our business. At this point I trust nothing they say.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
Join Date: Dec 1969
Location: chula vista ca usa
Posts: 5,703
If it were me, and some years ago it was, the company I worked for was trying the same approach of letting customers check for updates, and 9 times out of ten they would get them and never read the SQL instructions or other notes, and we would have to do repairs. I finally convinced the CEO to stop letting the customer get and try the updates. Then we did the Oracle method: we emailed them and provided a link to a secure (sort of) FTP site we had, and it required them to use HTTPS, which of course is only a small part of the whole security setup required.
Amazingly, everyone ended up way happier a year or so later. I had also implemented a short program to verify the software was not modified and that there were no table/field changes to the database. If there were, we had to find out why (the SAP methodology)!