I came across an issue with a third party, where a daily data upload to them which we do for a number of customers stopped working.
It stopped working coinciding with us upgrading our internal tools which do the data upload to the latest version.
The issue was pretty straightforward. Where security is concerned, these tools will stop supporting older security protocols which have been "cracked".
And sure enough a quick analysis of the web site we upload to shows :-
Poor levels of security and it's right we don't support it. Our customers expect their data to actually be secure when we say it's being uploaded securely/
The web site shows the padlock if you browse to it. So, why am I concerned about it ?
Cryptography isn't new. It is as old as humans can write!
Over the years, Cryptography has been used to transfer messages securely - historically pioneered by the military.
So, for example, when the Romans wanted to send command to their generals, they send messengers with letters. These weren't written in plain Latin as if the messenger was intercepted by the enemy the message could be read!
The Romans used a sytem "Substitution" cipher - known as the Caesar Cipher. It's a simple process of just replacing letters in the alphabet with others, and then encoding the messages.
So a simple one would be to shift the letters three to the left.
So the phrase, "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG" becomes "QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD"
Substitution ciphers are relatively easy to break using a technique called Frequency Analysis. It works on the basis that some words and letters are more used in language that others.. So you'd expect more "E"s in a sentence than "Z"s. So you can simply try out options until the sentence is readable.
Code breakers and Code makers have been at war with each other for two thousand years....
More and more different ways of encrypting have been developed and for the last few hundred years, encryption has involved an encryption key. Simply, a key is a code which is used to mathematically change the "free text" into it's encrypted version.
In more modern times, the maths involved to encrypt and decrypt are too complex for humans to do manually and machines have been used.
Enigma is probably the most famous mechanical encryption and decryption device known.
In principle, it was simple. It has a keyboard and a set of switches and plugs which are set in a certain way so when you type your sentence, an encrypted version is printed.
Using another machine set with the same code would be used to decrypt.
The enigma code isn't complex to crack - in theory, you can simply try every combination possible until you get a message back from a code that makes sense.
The problem was that the Enigma machine had 158,962,555,217,826,360,000 possible different combinations!
The Germans thought that this, and the fact that they changed the key every day made their code uncrackable.
Obviously, we know better and Enigma was cracked by a machine developed by Alan Turing and his team at Bletchley Park.
Modern encryption (such as that used on web sites and to encrypt documents) is in concept similar to the code used on Enigma. The math is different, but it's still a simple process of taking a numeric code sequence and using that in a mathematical equation to encrypt your text.
The key to security nowadays is the length of the key - you will see keys that are 1024 bits long or even longer.
For comparison for a 1024 bit key (as is in normal use today) there are 3800000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000001 different combinations! You thought the Enigma code was hard to crack! For all intents and purposes a modern encrypted file is almost impossible to decrypt without knowing the key.... But not impossible.
However, this now exposes another problem. If we want a message to be decrypted, we need to be able to share the key to decrypt it.
So, the Romans would send the key in a message every now and then or use cipher pads - with lists of keys used in sequence.
A "man in the middle" attack is simply where you intercept the key, read it and then send it on. The recipient won't know the key is compromised and will send and receive messages using the key.
In the "old days" this meant capturing the messenger with the keys, reading them , killing the messenger and sending someone else in his place to deliver the keys. You could then read any message that was sent using those keys (The Romans didn't often change the keys due to the pain in doing so).
In modern day cryptography (eg for web sites) there is a two-way exchange of keys (because messages are encrypted both ways using different keys as the keys are asymmetric - you can't decrypt a message with the same key you encrpt it with). If you can get in the middle of this key exchange in a man-in-the-middle attack then you literally have the keys to the kingdom and you can read everything going back and forth!
Breaking messages is still very much the thing. The prizes are huge for breaking keys - your online banking is protected by cryptography by above.
So, over the years as issues have been found with the security protocols, there have been updates to the way they work. Hence, if you look back at the image at the top, you will see that most web sites support lots of different types of methodology (TLS 1.0- TLS 1.3 in the example). TLS 1.0 and 1.1 for example have been shown to be able to be compromised by man in the middle style attacks and were superceded with TLS 1.2 and now 1.3 in 2008!
So, these days, using TLS 1.0 isn't really secure. We can read public documents on how to break the code and read the messages being transferred.
Hence why we no longer support it.
Find out whether Navigator is a good fit for your dealership. Spend 30 mins with one of our Consultants in a no pressure environment. Click the button to book a Zoom Call
Book a Discovery Call
.jpg)
