Wednesday, August 23, 2006

Jetty Cipher Suite Handling

In the latest version of Jetty rc1, it appears that the method setCipherSuites was removed and replaced with excludeCipherSuites.

Cipher suites allow the web server to use different types of encryption. If you are allowing weak encryption on your web server, you'll want to fix this.

With the latest version of Jetty, you now have to think of and exclude every possible cipher suite instead of just specifying the ones you want to allow. This is very poor security.

The way to handle security is to first disallow everything, then specify the things you want to allow explicitly.
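The difference between the two styles, as an added example that is not from the original post or from Jetty's code: it uses only the standard JSSE API rather than Jetty's own methods, and the ALLOW and EXCLUDE lists are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherSuitePolicy {
    // Constructed lists for illustration only, not a recommended configuration.
    static final List<String> ALLOW = Arrays.asList(
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    static final List<String> EXCLUDE = Arrays.asList(
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_WITH_DES_CBC_SHA");

    // Deny by default: a suite is enabled only if it was named and is supported.
    static List<String> allowOnly(List<String> supported, List<String> allow) {
        List<String> out = new ArrayList<>(allow);
        out.retainAll(supported); // unsupported names would make JSSE throw
        return out;
    }

    // Allow by default: every supported suite stays on unless someone named it.
    static List<String> excludeOnly(List<String> supported, List<String> exclude) {
        List<String> out = new ArrayList<>(supported);
        out.removeAll(exclude);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());

        List<String> allowed = allowOnly(supported, ALLOW);
        List<String> leftOn = excludeOnly(supported, EXCLUDE);

        // Suites the exclusion policy enables that nobody ever reviewed.
        List<String> unreviewed = new ArrayList<>(leftOn);
        unreviewed.removeAll(ALLOW);

        engine.setEnabledCipherSuites(allowed.toArray(new String[0]));
        System.out.println("supported by this JVM : " + supported.size());
        System.out.println("enabled by allow list : " + engine.getEnabledCipherSuites().length);
        System.out.println("enabled by exclusion  : " + leftOn.size());
        System.out.println("never reviewed        : " + unreviewed);
    }
}
```

The "never reviewed" list changes with the JVM: any suite a runtime upgrade adds is switched on automatically under the exclusion policy, while the allow list stays exactly as written.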

Microsoft has this in their top 10 application security problems list; however, they also do not follow this principle with regard to DCOM and RPC. Functions which are not required should always be disabled, especially those which can clearly be hacked, and administrators should be given the option to enable them when needed.

In the case of Jetty, I hope this was an oversight, because this seems to be a well-engineered application for the most part; however, their use of certain non-standard third-party tools does worry me at times. I hope they have checked every line of code inside and out.

Jetty is not the only organization doing this, of course. I have written about many PHP frameworks which are on many more vulnerability lists!