On 6/14/19 5:00 AM, Bob Hood wrote:
> 1. By itself, is the implicit use of OpenSSL by the QSslSocket class on the
> server side sufficient to secure data communications between both endpoints?

The short answer is no. Sadly, it is what you will find in most places.
Neither TLS nor SSL are secure nor can they ever be. They are
architecturally flawed. You can pull down software from The Dark Web
which when run on a hokey little $80 2-in-1 sold by Walmart can, in 15
minutes or less, unpackage anything sent via SSL and caught via most
forms of sniffing. In well under an hour using the same hokey laptop it
can penetrate pretty much any SSL/TLS secured access point.

You can even get free open source packages to "evaluate" your solution.
https://tools.kali.org/information-gathering/tlssled

The real question is what are you securing?

A chat engine? Who cares? People on those things routinely give out
their mother's maiden name, name of their first pet and the closest
relative living farthest from them. In the immortal words of Ron White
"You can't fix stupid."

The level of security must go up with the level of value. The flip side
of this is the openness of access must go down.

You cannot have anything called "secure" on the Internet accessible via
a standard browser. This is why many banks and brokerage firms are
moving to 2-stage connection verification and custom browser plug-ins.

2-stage is really (*^)(*&)ing annoying, but if you have an account
enabled for wire transfer or any other Internet access which could pull
money out, it really is the way to go. The 2-stage is you do your normal
username/password/verification question on each login, then you prompt
them to choose email or phone for an N-digit one-time code. Once they
enter it you drop a short-life cookie (sometimes one connection, other
times one day, never more than a week) which lets it work for a little
while.

The 2-stage is the industry finally admitting SSL/TLS are
architecturally flawed and can never be made secure.

Moving up in security you create a plug-in for popular browsers
(Firefox/Chrome/Opera) on popular platforms (Linux/Android/forget about
security on Windows). After a user has created an account with you they
must be on a supported platform and install the browser plug-in to continue.

Honestly, you can make it a plug-in or you can make it a standalone
app. If all you are using is SSL/TLS it isn't secure, you just protected
their password a touch better.

The plug-in/app works old school, like you are used to. Data is both
shuffled and encrypted before transmission. If you are using only one
encryption method with only one seed for the life of the connection,
consider yourself hacked before they installed the app/plug-in.

You can use standard 3rd party encryption libraries, but what you cannot
have are any two packets encrypted with both the same seed and
encryption method. Yeah, they are going to sniff your packets. Yeah,
there are all kinds of free tools on the Internet to peel that SSL right
off there. After that, they have to start from ground zero with every
packet. The biggest flaw in old school data transmissions was the
single-method-single-key for entire file or comm session. Evil doers
only had to crack one packet for the rest of them to be easy as knocking
over dominoes. Some of the older encryption libraries even left
tell-tale signatures in the encrypted packet so at a glance they could
tell what method was used, making it an exercise of just finding the
proper seed. When you have a million-PC botnet at your disposal it
generally takes more time to distribute the work than it does to get the
answer.

Before anyone thinks "Oh, it's only email," think again. In order to
gain access to much larger and more secure companies, hackers are
targeting the emails of their mom & pop service providers.
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

This is a reality which may cause some good intentioned laws, forcing
major companies to assign a certain percentage of outside business to
small/minority owned companies (mom & pop basically). These companies do
not have the skills or the checkbooks to properly secure computers and
their network. They are increasingly becoming a liability. At some point
firms the size of Target and up will be financially ahead to just write
a check to the small companies and get their services from a major firm
which can secure everything.

Sad but true. The intention was "Hey, be a good corporate citizen. Give
some of the small jobs like servicing your HVAC and plumbing to local
small companies." It made sense and built good will. It was a small
risk. They either could or couldn't do the job. You could manage for
that. You can't manage for them being the entry point of a breach which
costs north of $50 million to clean up.

Just my 0.002 cents.
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593 (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
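
The 2-stage login described in the message above (an N-digit one-time code sent by email or phone, then a short-life cookie), as an added example in Python that is not part of the original post. The function names, the in-memory store, the 5-minute code lifetime, the 5-guess limit and the HMAC-signed cookie layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# All names and limits here are assumptions for illustration.
SERVER_KEY = secrets.token_bytes(32)  # per-deployment MAC key
CODE_TTL = 300      # seconds a one-time code stays valid
COOKIE_TTL = 86400  # one day; the post allows at most a week
MAX_TRIES = 5       # wrong guesses allowed per issued code
_pending = {}       # user -> [code_mac, expires_at, tries_left]

def _mac(text):
    return hmac.new(SERVER_KEY, text.encode(), hashlib.sha256).hexdigest()

def issue_code(user, digits=6, now=None):
    """After the password step: make the N-digit code to send out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    _pending[user] = [_mac(f"code|{user}|{code}"), now + CODE_TTL, MAX_TRIES]
    return code

def redeem_code(user, code, now=None):
    """Return a short-life cookie for a correct code, else None."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return None
    if now > entry[1] or entry[2] <= 0:
        del _pending[user]  # expired or guessed too often
        return None
    if not hmac.compare_digest(entry[0], _mac(f"code|{user}|{code}")):
        entry[2] -= 1
        return None
    del _pending[user]  # a code works once
    body = f"{user}|{int(now + COOKIE_TTL)}"
    return f"{body}|{_mac('cookie|' + body)}"

def check_cookie(cookie, now=None):
    """Return the user for an authentic, unexpired cookie, else None."""
    now = time.time() if now is None else now
    try:
        user, expires, tag = cookie.rsplit("|", 2)
        fresh = now <= int(expires)
    except ValueError:
        return None
    good = hmac.compare_digest(tag.encode(), _mac(f"cookie|{user}|{expires}").encode())
    return user if good and fresh else None
```

Only a MAC of the code is stored, so a dump of the pending table does not reveal live codes, and the guess limit keeps a 6-digit code from being enumerated within its lifetime.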