SSL Server Supports Weak Encryption for SSLv3, TLSv1 in PCI scan results
Recently, one of my clients ran a PCI scan for his web-site, which is hosted in a LAMP environment. He found the issues below on the scan results page.
1) SSL Server Supports Weak Encryption for SSLv3, TLSv1
2) SSL Server Supports CBC Ciphers for SSLv3, TLSv1
3) SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1
[Resolved]: This needs a change in the Apache SSL configuration (httpd.conf, or the ssl.conf / virtual-host file that holds your SSLProtocol and SSLCipherSuite directives). Restrict SSLProtocol so that SSLv2 and SSLv3 are switched off and tighten SSLCipherSuite, then restart Apache; that fixes the "SSL Server Supports Weak Encryption for SSLv3, TLSv1" issue. Note that the scanner flags the protocols themselves, not only the ciphers: SSLv3 must go outright, and PCI DSS has not accepted TLS 1.0 since 30 June 2018, so plan on TLS 1.2 or later only.
[Resolved]: Remove every cipher suite that uses CBC mode from SSLCipherSuite (keep AEAD suites such as AES-GCM, which have no CBC mode) to fix the "SSL Server Supports CBC Ciphers for SSLv3, TLSv1" issue.
[Resolved]: Remove cipher suites whose MAC is MD5 (add !MD5 to the SSLCipherSuite string) to fix the "SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1" issue.
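The post does not show the rule itself, so the fragment below is an added example (my configuration, not the original author's) that addresses all three findings at once; it is also the "strong cipher" configuration the later section on SSL talks about. It assumes Apache 2.4 with mod_ssl on an OpenSSL that supports TLS 1.2 and 1.3, and the cipher list is an assumption you should adapt to the clients that actually need to connect.

```apache
# Added example, not the original post's rule.  Place these directives in the
# mod_ssl configuration (httpd.conf / ssl.conf / the SSL virtual host).

# Finding 1 (weak encryption for SSLv3, TLSv1): negotiate only TLS 1.2 and 1.3.
# "-all" removes every protocol, then the two modern versions are re-enabled.
# TLSv1.3 needs Apache 2.4.37+ and OpenSSL 1.1.1+; drop "+TLSv1.3" on older builds.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Findings 2 and 3 (CBC ciphers, MD5 MAC): allow only AEAD suites.  GCM and
# CHACHA20-POLY1305 have neither a CBC mode nor a separate MAC algorithm, so
# both findings disappear; the "!" entries make the exclusions explicit.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK

# Let the server, not the client, pick the strongest suite from the list above.
SSLHonorCipherOrder on
```

Run `apachectl configtest` before restarting. After the restart, confirm from outside the server that the old protocol no longer negotiates: `openssl s_client -connect yourhost:443 -tls1` should fail the handshake, and `nmap --script ssl-enum-ciphers -p 443 yourhost` should list only the GCM and CHACHA20 suites. Then re-run the PCI scan so the findings are closed in the report rather than only on the box.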
Internet security using BullGuard Internet Security software
When we work with the internet and web-sites, the security of our personal computer is required. I know that this may not seem as important as it turned out to be in my life: I did not care about the security of my PC, and because of that a virus attacked my PC and I had to format it because it would not start. Viruses, malware and spyware are the most important things that can damage your PC. If you see any attack via a virus, malware or spyware, do not take it lightly; it will be more harmful than you think, and you have no idea when it will crash your computer.
Now I use BullGuard Internet Security software, which is really easy to install and use. It keeps my computer virus-free, malware-free and spyware-free. I have been using this software for 2 years and it really reduces your stress regarding security issues. I recommend this software because I use it; it is lightweight and does not take much space on the computer.
What is SQL Injection?
What is a SQL injection attack?
When your web-site works with SQL you need to be careful about SQL injection; make sure your programmer writes every SQL statement in such a way that nobody can hack the site through it. SQL injection is a technique used to hack a web-site: the attacker abuses non-validated input and passes it, through the web application, into SQL commands that are executed on the database. When a programmer builds the application, attackers take advantage of the fact that the values they supply are not handled the way the programmer expected: their input is embedded in the SQL command alongside the parameters the programmer intended, so the attacker can execute SQL queries with their own conditions on the database server through the web application.
Programmers build query strings out of an SQL statement plus parameters; when the application needs the parameters, it assembles the SQL statement at run time and sends it to the database server. At the moment the parameters are collected from the user, an attacker supplies parameters of their own, and these are joined into the SQL statement. This is known as SQL injection. I will show you this with an example.
SQL Injection Example:
Suppose your site is made in PHP and the PHP programmer builds the login screen, taking a username and password from the end user. In that case he writes the code below to build the SQL statement.
$SQL = "SELECT * FROM QATRICKS WHERE username='".$_REQUEST["username"]."' AND password='".$_REQUEST["password"]."'";
When the PHP code collects the values from the $_REQUEST parameters, the attacker submits something like the following:
USERNAME : php
PASSWORD : qatricks AND password=’php freelancer’ AND password=’patel’
Now the SQL statement is malformed, because the attacker has put SQL into the password field: the single quotes inside the value close the string literal that the programmer opened, so everything after them is parsed as SQL rather than as data. With a different payload, such as ' OR '1'='1 in the password field, the statement stays valid but matches every row, and the attacker is logged in without knowing any password.
I hope this makes SQL injection clear. If you are going to build a web-site you need to be careful about this and inform your programmer so that he is more careful about SQL injection: user input must never be concatenated into SQL text; use prepared statements (parameterised queries) instead.
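To make the attack and its fix runnable offline, here is an added example (mine, not code from the original post) that rebuilds the article's login query in Python against an in-memory SQLite table. The QATRICKS table, the user "php" with password "qatricks", and the hardened users table are all constructed for the demo. It shows the string-built query being bypassed, the same inputs failing against a parameterised query, and a second layer (a salted PBKDF2 hash instead of a stored plaintext password) so that even a leaked table does not hand out credentials.

```python
"""Added example, not from the original post: the article's PHP login query
rebuilt in Python/SQLite so the injection and the fix can be executed."""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune for your hardware


def make_db():
    """Constructed data: the QATRICKS table from the article with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE QATRICKS (username TEXT, password TEXT)")
    conn.execute("INSERT INTO QATRICKS VALUES ('php', 'qatricks')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Mirror of the article's $SQL: user input pasted straight into SQL text."""
    return ("SELECT * FROM QATRICKS WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    """Run the string-built query.  A payload such as  ' OR '1'='1  turns the
    WHERE clause into (username=.. AND password='') OR '1'='1', which matches
    every row, so the login succeeds with no valid password.  A payload that
    merely breaks the syntax (like the article's) raises an error instead."""
    try:
        rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    except sqlite3.Error:
        return False  # malformed statement: still injection, just a noisy one
    return len(rows) > 0


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote inside a value can never terminate the string literal."""
    rows = conn.execute(
        "SELECT * FROM QATRICKS WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def make_hardened_db():
    """Constructed data again, but storing a salted PBKDF2 hash, not the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"qatricks", salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("php", salt, pw_hash))
    conn.commit()
    return conn


def hardened_login(conn, username, password):
    """Two layers: parameterised lookup by username only, then a constant-time
    comparison of the PBKDF2 hash.  The password never reaches the SQL text."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(build_vulnerable_sql("php", payload))
    print("vulnerable login with payload:", vulnerable_login(db, "php", payload))
    print("safe login with payload:      ", safe_login(db, "php", payload))
    hdb = make_hardened_db()
    print("hardened login, real password:", hardened_login(hdb, "php", "qatricks"))
```

The same idea carries over to PHP: replace the concatenated `$SQL` with a PDO or mysqli prepared statement and bind `$_REQUEST["username"]` and `$_REQUEST["password"]` as parameters, and store `password_hash()` output rather than the password itself.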
Security issues when you make your web-site
When you make a new web-site you need to pay attention to which operating system is installed on the server where it is hosted. Most content management systems are hosted on Linux rather than Windows servers, so attackers get a large pool of similar targets and a wide number of potential web-sites to hack from a single flaw in a popular CMS. But many of the ways a site gets hacked are completely independent of the operating system: phishing, poor registration/login systems, cross-site scripting (XSS), and logic flaws in the site itself.
Use a firewall to protect your web-site
A firewall is one of the most important tools on a web server, controlling the traffic that reaches it. Every web server sees the web requests, and those requests can be filtered. Web application firewalls can help protect against known vulnerabilities and unusual traffic, but usually cannot protect against business-logic vulnerabilities, custom-code vulnerabilities, valid use that corrupts data, or zero-day (new) attacks. A firewall can be used to filter traffic temporarily when a vulnerability is discovered, but that needs to be thought of as a temporary fix rather than a permanent repair. Your internal employees' access to the web-site may not even pass through the same firewall, or may have different rules, and you may be using internal data feeds that are not screened.
How is your web-site secure when you use SSL?
SSL stands for Secure Sockets Layer.
When we develop a web-site we sign a contract with a PHP programmer if the site is in PHP, or with other developers according to the scripting language chosen for the site. All web developers and software companies follow some standards, but if you do not define security in the requirements document, security will be lacking in your web-site. If there is little security in your web-site, hackers can easily hack it, so web security is required for your site.
SSL is used to transfer data securely. Secure Sockets Layer is a protocol, and when we use it on our web-site the data transmitted between the server and the user's computer is encrypted. The server uses a valid, current and trusted SSL certificate to protect the data travelling between the user's computer and the server.
Using SSL does not mean that your web-site is secure. SSL is one small part of security: its job is to apply a strong cipher to the data transmitted from the server to the user and from the user to the server. If you do not cover the other security configuration for your web-site, or SSL is configured with weak ciphers (such as the SSLv3, CBC and MD5-MAC cipher suites that PCI scans flag), hackers can still easily hack your web-site.
Defining PHP security and its uses for a web-site
PHP is open source, and because of that it is very popular; most people choose PHP as their web programming language when they decide to develop their own web-site. PHP provides a highly flexible syntax that performs many functions and works flawlessly inside HTML alongside other scripting languages. PHP is easy for beginner programmers to learn, and it works exceptionally well with other open-source software such as the Apache web server and the MySQL database.
Many PHP programmers and developers implement web-sites in PHP, but the issue is security: they do not consider it during development. Security is lacking, or we can say that insecure code runs in PHP because they did not develop secure code, and most hackers look for exactly that insecure code. Once they find it they work on it and try to exploit it, and once they find the key weak point it is not hard to hack the web-site.
PHP security means minimising programming errors, so you need to develop code with as few errors as possible and put proper code in place to protect against possible vulnerabilities. That means putting 2-3 layers of protection in the code to guard sensitive data, which helps protect against hackers: for example, validating input, using prepared statements for SQL, and escaping output each block a class of attack even when one of the others is missed. Developers call this principle of redundant safeguards Defense in Depth, and because of it the code works as a defense against malicious attacks by hackers.