{"id":4092,"date":"2017-02-27T22:37:57","date_gmt":"2017-02-28T04:37:57","guid":{"rendered":"https:\/\/justinparrtech.com\/JustinParr-Tech\/?p=4092"},"modified":"2017-02-27T22:37:57","modified_gmt":"2017-02-28T04:37:57","slug":"a-quick-and-dirty-way-to-get-rid-of-insecure-protocols","status":"publish","type":"post","link":"https:\/\/justinparrtech.com\/JustinParr-Tech\/a-quick-and-dirty-way-to-get-rid-of-insecure-protocols\/","title":{"rendered":"A Quick and Dirty Way to Get Rid of Insecure Protocols"},"content":{"rendered":"<p><strong>Problem<\/strong>:\u00a0 You&#8217;ve got some <strong>10-year-old code<\/strong> running on a <strong>12-year-old platform<\/strong> that only supports TLS 1.0, and other <strong>&#8220;insecure&#8221; protocols<\/strong> that are <strong>deprecated or soon will be<\/strong>.<\/p>\n<p><strong>Solution:<\/strong>\u00a0 Reverse Proxy<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"introduction\"><\/span>Introduction<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let&#8217;s not discuss how you got here (yet).\u00a0 But, you&#8217;re here.\u00a0 You&#8217;re running old code on an old platform that would require hundreds or thousands of staff hours to upgrade.<\/p>\n<p>Your platform only speaks SSLv3 (deprecated outright after POODLE) and TLS 1.0 (on its way out; PCI DSS requires migrating off it by June 2018), and you just got a notification from your business partner that they are dropping all support for TLS 1.0 and 1.1, to coincide with MS Windows Vista&#8217;s End of Life date (4\/11\/2017), as many companies are already planning to do.<\/p>\n<p>So what do you do?<\/p>\n<p><strong>Set up a reverse proxy.<\/strong><\/p>\n<p>It&#8217;s not as difficult as it sounds, and it will buy you some runway to resolve your <strong>&#8220;technical debt&#8221;<\/strong>, which is the fashionable term for <strong>&#8220;getting rid of your really old crap, and replacing it with something modern&#8221;<\/strong>.<\/p>\n<p>Acting like a translator, a reverse proxy sits in the middle, accepting the older, incoming SSL \/ TLS connection from your &#8220;legacy&#8221; platform, 
and creating a new &#8220;modern&#8221; SSL \/ TLS connection to the real destination endpoint.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-4099\" src=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/Reverse-Proxy-600x297.png\" alt=\"\" width=\"600\" height=\"297\" srcset=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/Reverse-Proxy-600x297.png 600w, https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/Reverse-Proxy-300x149.png 300w, https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/Reverse-Proxy-768x380.png 768w, https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/Reverse-Proxy.png 1020w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>In the diagram above, we can see that an older application can&#8217;t make a connection to a modern endpoint.\u00a0 Using a reverse-proxy, the proxy allows an incoming connection using older protocols, and initiates an outbound connection using modern protocols.<\/p>\n<p>Two things have to be true for this to be a security improvement rather than a new hole.\u00a0 First, the proxy&#8217;s outbound side must verify the real endpoint&#8217;s certificate chain and hostname, otherwise you have built a machine-in-the-middle that will happily hand your traffic to anyone who answers.\u00a0 Second, the inbound hop still speaks the old protocol, so the proxy must sit on a network segment that only the legacy platform can reach; you are moving the weak link inside your perimeter, not removing it.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-insecure-protocols-landscape\"><\/span>The Insecure Protocols Landscape<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the last few years, we&#8217;ve seen the deprecation of:<\/p>\n<ul>\n<li>SSLv3 &#8211; once the de facto SSL standard, broken for good by POODLE (2014) and formally deprecated by RFC 7568<\/li>\n<li>MD5 &#8211; a once-legendary hashing algorithm; collisions can now be produced in seconds on a laptop, which undermines any signature or certificate that relies on it (the Flame malware used an MD5 collision to forge a Microsoft code-signing certificate)<\/li>\n<li>SHA-1 &#8211; A perfect demonstration of what people with too much time and resources can do to disrupt the lives of the rest of us: Google and CWI have just published two different PDF files with the same SHA-1 hash (a collision, not a way to reverse an arbitrary hash, at a cost on the order of $100K of rented GPU time by the researchers&#8217; own estimate)<\/li>\n<li>RC4 &#8211; A venerable stream cipher (not a public-key cipher) whose keystream biases have been turned into practical plaintext-recovery attacks against TLS; RC4 cipher suites are prohibited in TLS by RFC 7465.<\/li>\n<li>3DES &#8211; Although there is no known full break of 3DES, its 64-bit block size makes long-lived sessions vulnerable to the Sweet32 birthday attack (2016), and NIST has announced its phase-out.<\/li>\n<li>TLS 1.0 &#8211; Like its cousin SSLv3, TLS 1.0 has publicly fallen: BEAST (2011) showed its CBC cipher suites leak plaintext under a specific, narrow set of conditions, and it cannot negotiate the modern AEAD ciphers at all.<\/li>\n<\/ul>\n<p>As time passes, our ciphers, hashes, key exchange mechanisms, and security protocols come under direct fire until they are bent or broken.<\/p>\n<p>Modern computer &#8220;security&#8221; depends on problems that are assumed to be too expensive to solve.\u00a0 Computing power keeps growing and, more importantly, cryptanalysis keeps improving, so the safety margin behind every cipher, hash and protocol shrinks over time; the question is when, not whether, each one has to be retired.<\/p>\n<p>So, roughly speaking, anything that looked unbreakable 10 years ago is merely &#8220;probably fine&#8221; today, and what was &#8220;probably fine&#8221; then is on the deprecation list now.<\/p>\n<p>Welcome to the future.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-case-for-older-code\"><\/span>The Case for Older Code<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Every line of code is an investment.\u00a0 It takes time (and money) to write the code, check it, test it, and then qualify it.\u00a0 Then, it takes teams of people weeks of time to promote your code into production.\u00a0 And, there&#8217;s always the inherent risk that your code will completely blow up in production, causing an outage, downtime, loss of revenue, or reputational damage.<\/p>\n<p>It&#8217;s easy to say, &#8220;hey, you should update your platform!&#8221;, but that might be a lot more complex and costly than it first appears.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"hopefully-you-implemented-a-broker-tier\"><\/span>Hopefully, You Implemented a Broker Tier<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If you implemented a <a href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/your-application-should-include-a-broker-tier\/\">broker tier<\/a>, you might be in good shape!<\/p>\n<p>A broker tier allows you to support a variety of interfaces using small, replaceable code modules, called 
&#8220;brokers&#8221;.<\/p>\n<p>If your platform includes a broker tier, you&#8217;re in luck!\u00a0 With a few hundred lines of code (minimal investment), you can write a new broker to support the modern protocols, without having to change your application&#8217;s main code modules.<\/p>\n<p>Also, this is essentially a reverse proxy!<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"it-aint-broke-dont-touch-it\"><\/span>It Ain&#8217;t Broke, Don&#8217;t Touch It<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The initial coding investment was made years ago.\u00a0 Other than support for new protocols and standards, this widget has been working flawlessly in production for years, and there&#8217;s no reason to touch it.<\/p>\n<p>Often, coding a new widget (beyond the investment) results in reduced reliability, and unpredictable behavior.\u00a0 Even if you hire developers to &#8220;clean code&#8221; to the original specification, sometimes it takes YEARS to find all the flaws and simply get back to the point where you started with the OLD code.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"just-port-your-code\"><\/span>Just Port Your Code<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Anyone who has &#8220;ported&#8221; code knows that it&#8217;s not that easy.\u00a0 Everything from data type differences to library function variations are waiting in the wings to make your code-porting-project costly and unreliable.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"just-update-your-middleware\"><\/span>Just Update Your Middleware<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In theory, managed code can simply run on updated middleware.\u00a0 You might not even have to recompile.<\/p>\n<p>In practice, however, upgrading your middleware platform can be a nightmare.\u00a0 Between major releases, there are often major structural changes that result in &#8220;the old way&#8221; being deprecated in favor of 
&#8220;the new way&#8221;.\u00a0 So, before you know it, you&#8217;re in the middle of a code-porting project more than a middleware upgrade project.<\/p>\n<p>In addition, each major version of your favorite middleware has its own &#8220;characteristics&#8221; that may result in unpredictable behavior or lack of reliability.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"switch-to-cloud-cots\"><\/span>Switch to Cloud \/ COTS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Maybe there is a Cloud widget, or maybe there is a &#8220;Commercial, Off-The-Shelf&#8221; widget that does exactly what you&#8217;re doing today.<\/p>\n<p><strong>The customization paradox:\u00a0<\/strong> You need customization to support your business.\u00a0 Customization needs to be completely re-implemented between major platform versions, and thus customization COSTS your business.<\/p>\n<p>Rapid evolution is the hallmark of &#8220;the cloud&#8221;.\u00a0 Unfortunately, this means that any commercial, third-party library (cloud or COTS) is going to require constant maintenance in order to keep your platform current.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"lets-talk-about-reverse-proxy\"><\/span>Let&#8217;s Talk About Reverse-Proxy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As mentioned above, a reverse-proxy allows your OLD CODE to talk to NEW PLATFORMS, by sitting in the middle.\u00a0 There are three practical ways to get one.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"f5-application-delivery\"><\/span>F5 \/ Application Delivery<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Also known as a &#8220;load balancer&#8221;, an application delivery controller allows you to apply specific rules to specific client connections.<\/p>\n<p>If you&#8217;re lucky enough to use F5 Networks Application Delivery Controllers (ADC), then you have the answer at your fingertips.<\/p>\n<p>F5 can terminate a &#8220;front-end&#8221; (client-side) SSL session and open a separate &#8220;back-end&#8221; (server-side) SSL session, and can perform pattern matching or re-writing on anything between the two.\u00a0 This isn&#8217;t unique to F5 (nginx, HAProxy and stunnel can all do the same), but if you already own the ADC it is a configuration change rather than a new service to run.<\/p>\n<p>Configure a &#8220;modern&#8221; server-SSL profile (TLS 1.2 only, current cipher suites) and, in that same profile, turn on verification of the back-end server&#8217;s certificate against the CA bundle you expect.\u00a0 That profile lets the F5 use modern protocols and ciphers to connect to any endpoint you wish, and stops it from connecting to an impostor.<\/p>\n<p>Then, configure a VIP on your local network, whose pool is a single node consisting of the &#8220;real&#8221; destination endpoint.\u00a0 Attach a client-SSL profile to the VIP that still allows TLS 1.0 and whatever ciphers the legacy platform needs.\u00a0 If the application validates the server certificate it receives, the VIP&#8217;s certificate has to pass that check: issue one from an internal CA the platform trusts, for the hostname the application is configured to call, and point that hostname at the VIP (DNS or hosts file).<\/p>\n<p>The final step is to configure your application to point to the VIP rather than the real endpoint, and no one will know the difference.<\/p>\n<p>When the application platform opens a connection to the ADC&#8217;s VIP, it allows the use of older protocols.\u00a0 The ADC then manages the outbound connection to the &#8220;real&#8221; endpoint, using the modern SSL profile, supporting modern ciphers and protocols.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"proxy-module\"><\/span>Proxy Module<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Like a broker tier, writing a proxy module is the second-easiest option!<\/p>\n<p>Install a &#8220;modern&#8221; managed code instance (perhaps *gasp* on MODERN hardware), and write a tiny proxy module that accepts an inbound connection, while forwarding the data to a new, configurable outbound connection.<\/p>\n<p>The managed code platform&#8217;s TLS library &#8220;handles&#8221; the nuances of modern protocols and ciphers automatically; all you write is the byte pump.\u00a0 Two rules for that module: the outbound side verifies the destination&#8217;s certificate chain and hostname (a bridge that skips that check is a ready-made interception point), and the inbound listener is bound to an address only the legacy platform can reach, since that hop still speaks the old protocol.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"configure-a-transparent-web-proxy\"><\/span>Configure a Transparent Web Proxy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Using <a href=\"http:\/\/www.squid-cache.org\/\">Squid<\/a>, or a similar proxy, you can set up a simple VM (Virtual Machine) acting as a Squid server: the application makes its outbound calls to Squid, and Squid makes its own connection to the endpoint.<\/p>\n<p>One caveat that matters here: for HTTPS, a stock forward proxy only tunnels the application&#8217;s TLS session through a CONNECT request, so the old platform would still negotiate TLS 1.0 end-to-end with the partner and nothing is gained.\u00a0 To actually re-negotiate, Squid has to terminate the application&#8217;s TLS itself (its &#8220;SSL Bump&#8221; feature, configured with ssl_bump) using a certificate from an internal CA the platform trusts, then open its own TLS 1.2 connection outbound, with verification of the partner&#8217;s certificate turned on.<\/p>\n<p>Best case, if your platform is proxy-aware, it can simply point to the Squid VM.<\/p>\n<p>If not, Squid can be configured as a &#8220;transparent&#8221; (intercepting) proxy, with the network redirecting the platform&#8217;s outbound port-443 traffic to it, so that the platform and application don&#8217;t even know that Squid is involved.\u00a0 The certificate requirement above still applies: the application sees Squid&#8217;s certificate, not the partner&#8217;s.<\/p>\n<p>Squid can then be configured to make its own connection to the real endpoint.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Reverse-proxy is a cheap and easy way to preserve the original code investment and reliability of long-lived code modules that happen to be running on deprecated platforms.<\/p>\n<p>This approach won&#8217;t last forever, but it buys a few years to develop and debug a new strategy.\u00a0 Remember what it does and doesn&#8217;t fix: the partner now sees modern TLS, but the old protocol is still spoken on the hop between your application and the proxy, so keep that hop on a controlled network and put a retirement date on the arrangement.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Problem:\u00a0 You&#8217;ve got some 10-year-old code running on a 12-year-old platform that only supports TLS 1.0, and other &#8220;insecure&#8221; protocols that are deprecated or soon will be. Solution:\u00a0 Reverse Proxy<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[],"class_list":["post-4092","post","type-post","status-publish","format-standard","hentry","category-good-design-bad-design"],"_links":{"self":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/4092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/comments?post=4092"}],"version-history":[{"count":9,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/
4092\/revisions"}],"predecessor-version":[{"id":4105,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/4092\/revisions\/4105"}],"wp:attachment":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/media?parent=4092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/categories?post=4092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/tags?post=4092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
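The "Proxy Module" section of the post above describes a tiny bridge that accepts an inbound connection and forwards its bytes over a new outbound connection. Below is an added example of that module in Python, written for this edit and not code from the original post: a listener that accepts what the legacy platform can speak (down to TLS 1.0, where the local OpenSSL build still permits it) and re-originates every accepted session to the real endpoint over TLS 1.2 or later, with chain and hostname verification on. The listening address 127.0.0.1:8443, the bridge.crt and bridge.key file names, the partner.example.com host, and the request and reply used by relay_selftest() are all assumptions constructed for the example.

```python
"""TLS bridge for a legacy client (added example): accept old TLS on a private
listener and re-originate each session to the real endpoint over TLS 1.2+."""
import selectors
import socket
import ssl
import sys
import threading

# Assumption: reachable only by the legacy platform; this hop still speaks old TLS.
LISTEN_ADDR = ("127.0.0.1", 8443)

def inbound_context(certfile=None, keyfile=None):
    """Server side, deliberately permissive; certfile is what the legacy app sees."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0 at level 1+
    except (ValueError, ssl.SSLError):
        pass  # TLS 1.0 compiled out of the local OpenSSL: keep its defaults
    return ctx

def outbound_context(cafile=None):
    """Client side: TLS 1.2+, chain and hostname verification on, no exceptions."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def relay(left, right):
    """Pump bytes both ways until either side returns EOF; returns bytes relayed."""
    sel = selectors.DefaultSelector()
    sel.register(left, selectors.EVENT_READ, right)
    sel.register(right, selectors.EVENT_READ, left)
    total = 0
    with sel:
        while True:
            for key, _ in sel.select():
                src, dst = key.fileobj, key.data
                data = src.recv(65536)
                if not data:
                    return total  # first EOF ends the session; caller closes both sides
                dst.sendall(data)
                total += len(data)
                while getattr(src, "pending", lambda: 0)():  # TLS bytes select() cannot see
                    more = src.recv(65536)
                    dst.sendall(more)
                    total += len(more)

def handle(client, real_host, real_port, out_ctx):
    """One accepted legacy session: open the verified upstream leg and relay."""
    upstream = None
    try:
        raw = socket.create_connection((real_host, real_port), timeout=10)
        upstream = out_ctx.wrap_socket(raw, server_hostname=real_host)  # SNI + hostname check
        upstream.settimeout(None)
        relay(client, upstream)
    except OSError as exc:  # ssl.SSLError is an OSError: a failed verification lands here
        print(f"upstream {real_host}:{real_port} failed: {exc}", file=sys.stderr)
    finally:
        client.close()
        if upstream is not None:
            upstream.close()

def serve(certfile, keyfile, real_host, real_port, cafile=None):
    in_ctx, out_ctx = inbound_context(certfile, keyfile), outbound_context(cafile)
    with socket.create_server(LISTEN_ADDR) as listener:
        while True:
            conn, _ = listener.accept()
            try:
                tls_conn = in_ctx.wrap_socket(conn, server_side=True)
            except OSError as exc:
                print(f"legacy-side handshake failed: {exc}", file=sys.stderr)
                conn.close()
                continue
            threading.Thread(target=handle, args=(tls_conn, real_host, real_port, out_ctx), daemon=True).start()

def relay_selftest():
    """relay() over in-memory socket pairs with a constructed request/reply; no TLS."""
    app, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(relay(proxy_in, proxy_out)))
    worker.start()
    app.sendall(b"GET /api HTTP/1.0\r\n\r\n")
    request = server.recv(1024)
    server.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
    reply = app.recv(1024)
    app.close()  # EOF on the app side ends the relay
    worker.join(5)
    for sock in (proxy_in, proxy_out, server):
        sock.close()
    return request, reply, result[0]  # (bytes the server saw, bytes the app saw, total)

if __name__ == "__main__":
    if len(sys.argv) != 5:  # all four arguments are assumptions for this example
        sys.exit("usage: tls_bridge.py bridge.crt bridge.key partner.example.com 443")
    serve(sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4]))
```

Point the legacy application at the listener (a hosts-file entry for the partner's hostname, plus a certificate issued for that name from a CA the platform trusts), then check both halves independently: `openssl s_client -tls1 -connect 127.0.0.1:8443` should complete a handshake against the bridge, while the same command against the partner's port 443 should fail, and the bridge must log an upstream failure, rather than relay anything, when the partner's certificate does not verify. relay_selftest() exercises only the byte pump over plain socket pairs, so it runs before any certificates exist.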