First of all, let’s have a few moments of silence in remembrance of SSL now that SSL is officially dead.
Long live TLS!
That said, even though a lot of SAP customers are relying on HTTPS (TLS) to ensure the confidentiality of data in motion in their Fiori applications over public networks, there are still fundamental weaknesses in even TLS that make data disclosure possible in a man in the middle attack. Consider the attack scenario in the next section.
The conversation in a well-behaved man in the middle conversation to your Fiori Gateway Server (with, say, your local Starbucks WiFi hotspot as the man in the middle) should look something like the following:
The well-behaved man in the middle simply routes all requests to the server, without inspecting or modifying that traffic, and routes responses from the server back to the client.
Now, an attacker seeking to inspect that traffic could simply drop the request on the floor and forge a redirect – which would look something like the following:
This has the effect of forcing future communication to the Fiori Gateway Server to the unencrypted HTTP protocol, allowing the attacker to inspect all traffic to the NetWeaver Gateway unencrypted. An attacker would have the luxury of viewing payment details and other types of confidential data in clear text.
Most supported Fiori web browsers and the Fiori client will not warn the user of the change from HTTPS to HTTP – the user would need to pay close attention to the browser's encryption "lock" icons. Some browsers (think Chrome) will issue strong warnings that alert the user to the fact that the session is being downgraded to an HTTP session, but even then many users may err on the side of “getting things done” and ignoring any warning messages.
When measuring risk, it helps to remember that Risk = Impact * Likelihood. In the past, man-in-the-middle attack scenarios were considered esoteric or difficult to pull off - a low-likelihood scenario. Today, with the ubiquity of WiFi, this is no longer the case. In fact, an attacker with limited technical knowledge can buy a $100 Pineapple device to take advantage of this particular vulnerability. Given these attacks can be pulled off by unsophisticated users with minimal investment, the likelihood of this type of man-in-the-middle attack is orders of magnitude higher than it was even 5 years ago.
This said, there are several approaches SAP customers can take to address this risk when rolling out Fiori to devices on public networks to address this specific risk. These include:
There are several initiatives underway to address this scenario, all in various stages of adoption.
Unfortunately given the sheer number of internet-enabled servers and clients, I don’t see any of these making significant headway to addressing this issue internet-wide in a timely manner.
SSL is dead: https://www.ciso-central.org/transport-layer-security/ssl-is-dead-long-live-tls
OS/Browser combinations supported by Fiori: http://service.sap.com/sap/support/notes/1931218
Great blog on HTTP Strict Transport Security in SAP applications: http://scn.sap.com/community/labs/blog/2014/04/26/http-strict-transport-security-hsts
Listing of HSTS Supported Browsers: http://caniuse.com/#feat=stricttransportsecurity
Generic info on SAP Application Protection by Mocana: http://www.sap.com/pc/tech/mobile/software/solutions/emm/secure-apps.html
Blog on deprecating HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
6 | |
5 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 |