Abstract
The Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol has become the standard way of establishing a secure communication channel in internet applications. In recent years several vulnerabilities related to the SSL/TLS protocol have been disclosed. TLS provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today and is used by web browsers and other applications that require data to be exchanged securely over a network, such as file transfers, Virtual Private Network (VPN) connections, instant messaging and Voice over Internet Protocol (VoIP). Implementation flaws have always been a major problem for any encryption technology, and SSL/TLS is no exception. One variant of attack exploits SSL/TLS implementations that do not correctly validate encryption padding. In this paper, the researcher aims to disclose the vulnerabilities present on the Universiti Teknologi Mara (UiTM) website and presents an analysis and evaluation of attacks on SSL/TLS. Three tools (DNSRecon, SSLlabs.com and Auto Scanning to SSL Vulnerability (A2SV)) are used to test the output of the system without knowledge of the processes inside the system itself. The experiments on the UiTM website focused on the SSL/TLS protocol and gathered information about the existing SSL/TLS configuration on the server. The experiments started by gathering information about the UiTM server with the DNSRecon tool, which performs a top-level domain scan. The result showed the server information: Domain Name Server (DNS) entries, Mail Exchange (MX) records and the IP range of the UiTM website. Secondly, the website was scanned with SSLlabs.com, through which the researcher discovered some vulnerabilities on the server, such as the certificate validity status and weak cipher suites. The last test used the A2SV tool, which performs a more detailed vulnerability scan of the UiTM server.
Additionally, this paper describes a dummy-server testing scenario conducted to show how a server handles an invalid or expired SSL certificate. The experiment compared two browsers, Chrome and Internet Explorer (IE). The researcher deployed an invalid SSL certificate and tested it in both web browsers; surprisingly, IE accepted the certificate as valid, while Chrome did not. Based on the test results, the researcher proposes mitigation techniques, compiled as a report that can be shared with the UiTM website administrator for better security implementation. In addition, from these findings the researcher suggests that better tools and education programmes for SSL/TLS security are needed to help UiTM administrators keep their systems up to date with security patches.
Metadata
| Field | Value |
|---|---|
| Item Type | Thesis (Masters) |
| Creators | Hassan, Sufian Ibnu (email / ID number: unspecified) |
| Contributors | Thesis advisor: Mamat, Kamaruddin (email / ID number: unspecified) |
| Subjects | T Technology > TK Electrical engineering. Electronics. Nuclear engineering > Telecommunication > Computer networks. General works. Traffic monitoring > Web applications |
| Divisions | Universiti Teknologi MARA, Shah Alam > Faculty of Computer and Mathematical Sciences |
| Programme | Master of Science |
| Keywords | UiTM website, SSL/TLS, internet protocol (IP) |
| Date | 2018 |
| URI | https://ir.uitm.edu.my/id/eprint/109390 |
Download: 109390.pdf (630 kB)