I've been keenly aware of SSL/TLS settings on web servers for the past 9 years. Mainly because securing websites has been a big part of my job, and part of that is keeping up to date with the latest threats to SSL/TLS encryption in websites. Periodically PCI/DSS standards change which means I have to scramble to implement improved SSL/TLS standards for the websites owned by the company I work for. One of the tools I use to test my own servers is SSL Labs by Qualsys!
Those of you that have been following my blog for years know about it since I write about it periodically.
Well, one of the things I like to do is check other websites and see how their SSL/TLS stands up. Are they secure enough? Should I trust them? You get the picture.
I decided to test 6 of the top social media sites out there to see if they cut the mustard! Here they are:
Twitter
Coming in at the best secured social media site with a beautiful A+ rating is Twitter! I can't complain about that at all. Well done!
The social media site for professionals did fairly well with an A rating. They got dinged a little for not having DNS CAA settings which in short tells browsers which SSL certificates are authorized for use by that particular domain. It is a really easy to setup, so there isn't a good reason not to have that done. They also got dinged for weak ciphers. Still though, not a bad rating.
Probably the king of social media, and often slammed for their draconian censorship is Facebook with a trash rating of B! They were capped at a B because they still support TLS 1.0 and 1.1 which was depreciated by PCI/DSS a couple of years ago. They also accept the RC4 cipher which is garbage. More on that after the rest of the ratings.
Snapchat
The app used by teenage girls and basic bitches on Tinder! I've said it before, your animal Snapchat dating profile picture isn't cute! Knock that shit off! Anyway, they were capped at a B rating too! At least they turned off RC4...
Instagram is a favorite of mine. I like what their filters can do for some of the pictures I take while out hiking, or spending time with friends and family. Still though, their encryption is't great since they were capped at a B as well. That isn't very surprising since they were bought out by Facebook.
TikTok
Finally we have TikTok. My daughter has me addicted to this silly video social media app! I wasn't going to use it but she kept texting me various videos and I was tired of opening up the links in my phone's browser. Now I love it! Still though, their security sucks as bad as Facebook with a B rating. At least they don't support RC4!
Per Qualsys:
Best practices outlined in RFC-7525 give reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1. PCI-DSS recommends users to switch from protocol TLS 1.0 and adopt protocol TLS 1.2+.
Why RC4 Sucks
Again, from Qualsys:
RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses. After the BEAST attack was disclosed in 2011, we—grudgingly—started using RC4 in order to avoid the vulnerable CBC suites in TLS 1.0 and earlier. This caused the usage of RC4 to increase, and some say that it now accounts for about 50% of all TLS traffic.Last week, a group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) announced significant advancements in the attacks against RC4, unveiling new weaknesses as well as new methods to exploit them. Matthew Green has a great overview on his blog, and here are the slides from the talk where the new issues were announced.
The funniest part about some of these sites still supporting RC4 is that the above blog quote from Qualsys was written in 2013! There is no good reason for anyone to still be using it at this point!
Conclusion
So should you stop enjoying these social media sites because the ratings aren't all A+? Not really. Most of these servers support strong ciphers in preferred order. That means as long as you are using updated applications and modern browsers, you are most likely connecting using the strongest ciphers and TLS versions offered by the servers. You will be fine. On top of that, most of the info you put out on social media isn't that secure anyway.
This is more of an indictment of their security and systems engineers, and I'm calling them out to do better and try harder. It's not that difficult to get at least an A rating! It also pushes your customers to improve their security as well by not allowing them to keep using legacy systems! If they want to connect to your service, they need to use modern browsers!
Your thoughts?
What do you think about this? Let us know in the comments!