Delivering security in 2017

SSL padlockDelivering secure and reliable services has been a top priority for developers since day one. Applying the best, most reliable technologies has always been the key to securing a client’s data and traffic. But, due to multiple vulnerabilities found in some core products used to encrypt data and traffic, security practices need to be revisited. 

The Heartbleed issue in OpenSSL shook the Internet in 2014 and made development teams pay more attention to the way they secure traffic. Modern browsers enforce more secure keys as the basis of SSL and warn users about sites that don’t employ this level of security. People can clearly see whether they are using a secure connection or not in the browser’s status bar. 

But when employing horizontal scaling, one HTTP request ends up going via multiple proxy servers. Even though the connection from your browser is secure, you never know how it’s handled after this – whether there are some third party services that may expose your data or maybe a backend service that uses an unencrypted connection and is traceable from outside.

Then there was the Cloudflare issue that was all over the news a couple of weeks ago. Cloudflare is a provider of cloud services for the security and scalability of Web applications. Due to code issues in their system, private information – including session tokens, API keys, logins and passwords – was leaked to random requests. To make matters worse, this data was picked up by search engines and made publicly available. Worse still, this was happening for couple of months before it was noticed – by accident!

This past February was a big month for bad security news. A team of researchers was able to create the first collision in the SHA-1 algorithm. In case you are not familiar with encryption and hashing, this means that two different files can yield the same hash. In theory, collisions are possible for most hashing algorithms, but the complexity of this sort of attack makes them impractical. When I started my Web development career, the MD5 algorithm was the fastest and most popular for hashing – until 2010 when collisions were discovered in it. Developers started looking for the next best thing and SHA-1 was a perfect match: SHA-1 is reasonably fast and reliable to fulfill the basic needs of password verification. 

Google and Mozilla are pushing boundaries by marking sites “Not Secure” when they utilize the HTTP protocol without SSL. This may give users a false feeling of security, but it affects only interactions between end consumers and the application’s front-end. Everything that happens with the request after this is known only to developers , potentially exposeing security threats within the application itself. Horizontal scaling of a Web application exposes multiple levels where data is being passed in an unencrypted state on an internal network.