Advice and Recommendations
Information is an essential asset for research and teaching at our university and must therefore be adequately protected. Work and business processes are increasingly based on IT solutions. As a result, the security and reliability of information and communication technology is becoming ever more important, as is the trustworthy handling of information. Inadequately protected information is a frequently underestimated risk factor.
As a central IT service provider, the IT Center is responsible for providing operational, cooperative and informational support to users of its services. The goal is the secure use of information and communication technologies. Security aspects should be taken into account as early as possible in the development and procurement of IT systems and applications, as well as in their operation.
A fundamental task in this regard is the appropriate education and sensitization of users, which the IT Center would like to fulfill with the following recommendations and regulations.
Handout for Cloud Use
Cloud services are ubiquitous and very easily accessible in the offerings of the IT industry. Precisely because of this easy availability, it is essential to consider the purpose, type and scope of the intended use and, where necessary, to weigh the benefits against the protection needs of the data to be processed. One has to ask what damage would result if the confidentiality, integrity or availability of the data were violated. Our Cloud Handbook (German only) provides an initial overview of the relevant aspects of cloud use.
Use of Web Browsers
Depending on the platform used, users can choose between different web browsers. Cross-platform browsers are, for example, "Chrome" and "Firefox"; platform-specific browsers are, for example, "Safari" and "Edge". When using a web browser, data is usually also loaded from untrustworthy sources. This data may contain malware (viruses, Trojans, etc.). The selection of a suitable browser is therefore of particular importance.
The German Federal Office for Information Security (BSI) recommends a minimum standard for secure web browsers (German only). According to this, the "Mozilla Firefox 68 Extended Support Release (ESR)" best meets the requirements of the BSI (German only).
The most important recommendation is to deactivate active content such as Java and Adobe Flash where possible and to always work only with the latest browser versions. Further details can be found on the website "BSI for citizens" (German only).
Recommendations for Administrators
We would like to draw attention to an impending problem in the configuration of many servers at RWTH. It concerns the settings for secure web access, specifically the weaknesses of many certificates and the use of outdated protocols. The hash algorithm SHA-1 is no longer considered secure enough. Therefore, certificates that still use SHA-1 are no longer considered reliable. Google has now begun to mark websites that use SHA-1 certificates as no longer entirely reliable in new versions of the Chrome browser [1][2]. This in turn may lead to uncertainty among our users. For this reason, we will replace the IT Center certificates in the coming weeks and months. You are invited to bring your certificates up to date too. Of course, this also applies to certificates used by other services. There are websites that help you check whether your server uses SHA-1 [3]. For more information, see for example osxdaily [4].
The second problem relates to SSLv3. All current browsers now work fine with the newer TLS protocols. The SSL protocols are outdated and have security vulnerabilities. For this reason, we are turning SSL off completely on the IT Center's servers and offering only TLS for access to our services. We will not be able to change all servers immediately, but we will switch them depending on urgency and expected side effects. Instructions for testing susceptibility and for switching off SSL can be found on the web [6][8].
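One way to check the SHA-1 question locally, as an added example that is not code from the IT Center or from the sources cited here: the signatureAlgorithm of an X.509 certificate sits at a fixed place in its DER structure, so a short stdlib-only ASN.1 walk is enough to report it. The certificate skeletons built at the end are constructed sample data for the check, not real certificates.

```python
# Added example, not code from the IT Center page: read the signature algorithm
# out of a DER-encoded X.509 certificate using only the standard library.
SIG_ALG_OIDS = {  # RFC 3279 / RFC 5758 signature algorithm OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs; high bit marks a continuation byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)          # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "expected an OBJECT IDENTIFIER"
    return SIG_ALG_OIDS.get(_decode_oid(oid), _decode_oid(oid))  # unknown: dotted

def is_weak_signature(der):
    """True when the certificate is signed with a SHA-1 based algorithm."""
    return "sha1" in signature_algorithm(der).lower()
# Constructed sample data (not a real certificate): a minimal DER encoder and a
# skeleton with a placeholder tbsCertificate and a 129-byte zero signature.
def _tlv(tag, value):
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def make_sample_cert(sig_oid_hex):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(129)))  # forces long form
```

For a real certificate, feed `signature_algorithm` the DER bytes of the server certificate, for example the result of `ssl.PEM_cert_to_DER_cert()` applied to a PEM file from your server.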
I would like to thank those who helped gather and evaluate the information. I would particularly like to mention Jens Hector, Bernd Kohler, Ekaterina Papachristou and Peter Steves.
Guido Bunsen
IT Manager Security at the IT Center of RWTH
Sources:
[1] http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
[2] https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1
[3] https://shaaaaaaaaaaaaa.com/
[4] http://osxdaily.com/2012/02/09/verify-sha1-hash-with-openssl/
[5] http://arstechnica.com/security/2012/10/sha1-crypto-algorithm-could-fall-by-2018/
[6] http://www.heinlein-support.de/blog/security/deaktivieren-sie-sslv3-apachepostfixdovecot-poodle-bug/
[7] http://www.heise.de/security/meldung/So-wehren-Sie-Poodle-Angriffe-ab-2424327.html