This article presents a diagnosis of how digital certificates are applied in the virtual banking services of Ecuador. The topic matters because attacks on the electronic services of financial platforms are increasing in the region and worldwide, as cybercriminals exploit vulnerabilities arising from the weak application of cipher suites. The objective of the research is to show the level of security of these online banking portals for individuals in their use of the SSL/TLS protocols and the respective cipher suites on the server side. Eighteen financial entities were analyzed using the online tool SSL Server Test by Qualys SSL Labs. It was found that 20% of the analyzed banking entities show weaknesses in the application of digital certificates, which could lead to cyberattacks on these virtual platforms during client/server communication over the internet. Confidentiality, integrity, and availability of data are indispensable characteristics of information security that a user should receive from a virtual banking service. Additionally, this work reviews the recommendations for the use of digital certificates according to the regulations issued by the IETF through the respective RFCs.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.