Questions:
- Do you remember when SSLv3 was a thing?
- Do you remember when everyone disabled SSLv3 on their websites?
- Do you remember how loads of people running Oracle database version 11.2.0.2 and lower cried because all their database callouts failed?
- Do you remember how they were all forced to patch to 11.2.0.3 or 11.2.0.4 to get support for TLS?
- Do you remember thinking, I’ll never let something like that happen again?
I’m so sick of saying this. I know I sound like a broken record, but it’s like I’m living in the movie Groundhog Day.
There is no such thing as standing still in tech. It’s like swimming upstream in a river. It takes work to remain stationary. The minute you stop for a rest you are actually moving backwards. I’m sure your next response is,
“But Tim, if it ain’t broke, don’t fix it!”
The minute you stop patching and upgrading, your application is already broken. Yesterday you had an up-to-date system. Today you don’t. You have stopped, but the world around you continued to move on, and sometimes what they do will have a direct impact on you.
The security folks have been complaining about TLSv1.0 and TLSx1.1 for ages, but we are now in the position where the world and their dog are switching off those protocols, and the “we don’t need no stinking patches or upgrades” brigade are pissing and moaning again.
You knew this was going to happen. You had plenty of warning. It is your fault things are now failing. The bad decisions you made have led you to this point, so stop blaming other people. IT IS YOUR FAULT!
Where do you go from here?
First things first, start planning your patch cycles and upgrade cycles. That isn’t a “one time and done” plan. That is from now until forever. You’ve got to keep your server operating systems and software up to date.
If you can’t cope with that, then move to a cloud service that will patch your shit for you!
I know upgrades aren’t necessarily a quick fix, as they need some planning, so you will need some sticking plasters to get your through the immediate issues. Things to consider are:
- Your load balancers and/or reverse proxies can hide some of your crap from the outside world. You can support TLSv1.2+ between the client and the reverse proxy, then drop down to a less secure protocol between your reverse proxy and your servers.
- You can do a similar thing with database callouts to the outside world. Use an internal proxy between you and the external resource. The connection between your proxy and the outside world will speak on TLSv1.2+, but the callout from the database to your proxy will speak using a protocol your database can cope with.
These are not “fixes”. They are crappy sticking-plaster solutions to hide your incompetence. You need to fix your weak infrastructure, but these will buy you some time…
I don’t really care if you think you have a compelling counter argument, because I’m still going to scream “WRONG” at you. If you don’t think patching and upgrades are important, please quit your tech job and go be incompetent somewhere else. Have a nice life and don’t let the door hit you on the ass on your way out!
Cheers
Tim…
PS. You know this is going to happen again soon, when the world decides that anything less than TLSv1.3 is evil.
