Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired in 2 days. Amazon is in an ever-decreasing group of cryptography-ignorant providers.

EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is so effective they are going to block all TLS 1.3 traffic. Researchers have a workaround but China will surely adapt.

EDIT: 2020-08-20 Microsoft enables TLS 1.3 by default in latest Windows 10 builds

EDIT: 2020-08-29 On October 15 Microsoft will no longer support TLS 1.0/1.1 for any Office365 product. Also, all Linux software in the Microsoft repos will disable these insecure protocols.

We all know that everything in AWS is an API, right?
Some people I speak to, as a consultant, hear this common cliché, but not many consider the implications of this infamous characteristic of AWS.

All of the services in AWS communicate internally over the same APIs that customers, and non-customers alike, also use, because all access is public by default.
This public API has a name: the Query Request HTTP API. It is not common knowledge, and it is the lowest common method by which everything happens in AWS.

Where is the Query Request API used?

Everywhere.

You simply cannot use AWS without interacting with the Query Request API, and AWS itself cannot operate without it:

  • Services that intercommunicate. e.g.
    Lambda > CloudWatch
    IAM > CloudTrail
    CloudFormation deploying things
    everything uses it
  • Official SDKs, like botocore for Python; all SDKs use it
  • Terraform by HashiCorp used boto3 but pivoted to the Query Request API

Everything uses the Query Request API!

How does the Query Request API work?

AWS implement the RESTful API model on top of HTTP, with both TLS and plain HTTP endpoints available.
Though it is almost impossible to be strictly RESTful and remain functionally usable, AWS provide an exceptionally close alignment to RESTful designs.

There are multiple ways to craft an HTTP request to interact with the Query Request API; any HTTP client, even the web browser itself, is capable.

Authentication

The commonly supported authentication method of the Query Request API is called Signature Version 4. My investigations into EC2 and Lambda have uncovered that AWS still uses (and therefore supports) Signature Version 2.

Both Sigv2 and Sigv4 implement hash-based message authentication code (HMAC), which relies on an out-of-band pre-shared secret with the client.
This secret also enables the server to derive a client identity.

The AWS implementation of HMAC uses their Secret Key as the secret, which corresponds to their Key Id as the identity.
Clients perform a special procedure called request signing, essentially giving you a data integrity guarantee no different from what TLS offers.
Signing is complex, so many developers prefer to use an SDK instead of understanding and performing the signing procedure themselves.
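
The signing procedure described above, worked through for Signature Version 4 with both the client and the server side, as an added example that is not code from this page or from any AWS SDK. The Key Id, Secret Key and request are constructed values, and the function names are illustrative.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed server-side store mapping Key Id -> Secret Key (not real credentials).
CREDENTIALS = {"AKIDEXAMPLE": "constructed-secret-key-for-illustration"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date, region, service):
    """The Secret Key seeds an HMAC chain scoped to one day, region and service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload=b""):
    """Normalise the request so both sides hash identical bytes.
    Assumes `path` is already URI-encoded and normalised."""
    enc = lambda s: quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    text = "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, payload_hash])
    return text, signed_headers


def sign(secret_key, scope, amz_date, method, path, query, headers, payload=b""):
    """Return (hex signature, signed header list) for one request."""
    date, region, service, _ = scope.split("/")
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    key = derive_signing_key(secret_key, date, region, service)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest, signed_headers


def authorization_header(key_id, secret_key, region, service, method, path,
                         query, headers, payload=b""):
    """Client side: build the Authorization header value."""
    amz_date = headers["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    sig, signed = sign(secret_key, scope, amz_date, method, path, query, headers, payload)
    return f"{ALGORITHM} Credential={key_id}/{scope}, SignedHeaders={signed}, Signature={sig}"


def verify(authorization, method, path, query, headers, payload=b""):
    """Server side: return the caller's Key Id if the signature matches, else None.
    A real service would also reject stale X-Amz-Date values to limit replay."""
    try:
        algorithm, rest = authorization.split(" ", 1)
        fields = dict(p.strip().split("=", 1) for p in rest.split(","))
        key_id, scope = fields["Credential"].split("/", 1)
        signed = set(fields["SignedHeaders"].split(";"))
        claimed = fields["Signature"]
    except (ValueError, KeyError):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    secret_key = CREDENTIALS.get(key_id)  # the Key Id selects the pre-shared secret
    if algorithm != ALGORITHM or secret_key is None or "x-amz-date" not in signed:
        return None
    if scope.count("/") != 3 or not signed.issubset(lowered):
        return None
    amz_date = lowered["x-amz-date"]
    if scope.split("/")[0] != amz_date[:8]:
        return None
    subset = {k: v for k, v in lowered.items() if k in signed}
    expected, _ = sign(secret_key, scope, amz_date, method, path, query, subset, payload)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return key_id if hmac.compare_digest(expected.encode(), claimed.encode()) else None


def demo():
    """Constructed request: sign it, verify it, then verify a tampered copy."""
    headers = {"Host": "iam.amazonaws.com", "X-Amz-Date": "20200829T222032Z"}
    query = {"Action": "ListUsers", "Version": "2010-05-08"}
    auth = authorization_header("AKIDEXAMPLE", CREDENTIALS["AKIDEXAMPLE"],
                                "us-east-1", "iam", "GET", "/", query, headers)
    genuine = verify(auth, "GET", "/", query, headers)
    tampered = verify(auth, "GET", "/", {**query, "Action": "ListRoles"}, headers)
    return auth, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The server never receives the Secret Key: it recomputes the signature from its own copy and compares, which is why possession of the key is the whole of the authentication.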

Are the SDKs secure?

Not exactly.
Using SDKs often makes it difficult, even impossible, to customise your interactions with the Query Request API and optimise for security.

SDKs by design abstract complexities away from developers.
Frameworks primarily prioritise developer experience, fewer lines of code, and a low barrier to getting started.
Developers who never move down the stack below the SDK need to understand their security configuration, and equally the frameworks don't consider security configurations (such as protocol and ciphers) important to developers.
This means the SDKs often optimise functionality for the widest user environment, support backwards compatibility with old technology, and are slow to expose new security features to users if they are not requesting them.

I have identified various SDKs' security defaults to be insufficient in some client environments. A good observation is that they typically don't allow insecure protocol downgrades or weak cipher negotiation (which are typically controlled by priority order server-side), but common to all SDKs I investigated, none allowed the client to specify the desired ciphers (aligned to the customer's requirements) that inform the server negotiation procedure.
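
One way to pin the client side of the negotiation when calling the API directly, as an added example (not code from any AWS SDK): a Python `ssl` context restricted to an assumed policy of TLS 1.2 or later with ECDHE and AEAD suites, checked against the TLS 1.2 server preference order that the testssl.sh run on this page reports for the S3 endpoint. `CLIENT_POLICY`, `negotiate` and the legacy client offer are illustrative names and constructed values.

```python
import ssl

# TLS 1.2 server preference order, copied from the testssl.sh output on this page.
SERVER_TLS12_ORDER = (
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 "
    "ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 "
    "AES256-GCM-SHA384 AES128-SHA AES128-SHA256 AES256-SHA AES256-SHA256 DES-CBC3-SHA"
).split()

# Assumed client policy for illustration: ECDHE key exchange (forward secrecy)
# with AEAD encryption only, written in OpenSSL cipher-string syntax.
CLIENT_POLICY = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])


def hardened_context():
    """Client context for calling the API directly with a pinned cipher policy."""
    ctx = ssl.create_default_context()            # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1, which the scan shows offered
    ctx.set_ciphers(CLIENT_POLICY)                # governs TLS 1.2 and earlier suites only
    return ctx


def offered_tls12(ctx):
    """OpenSSL names of the pre-TLS-1.3 suites this context puts in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_order, client_offer):
    """Server-preference selection: the first suite in the server's order that the
    client offered, or None when there is no overlap (the handshake fails closed)."""
    offer = set(client_offer)
    return next((s for s in server_order if s in offer), None)


def violates_policy(name):
    """True when a TLS 1.2 suite lacks forward secrecy or AEAD (OpenSSL naming)."""
    return not (name.startswith("ECDHE-") and ("GCM" in name or "CHACHA20" in name))


def demo():
    hardened = offered_tls12(hardened_context())
    legacy = ["AES128-SHA", "DES-CBC3-SHA"]  # constructed offer from an old client stack
    return {
        "hardened": negotiate(SERVER_TLS12_ORDER, hardened),
        "legacy": negotiate(SERVER_TLS12_ORDER, legacy),
        "server_suites_outside_policy": [s for s in SERVER_TLS12_ORDER if violates_policy(s)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Pass the context to an HTTP client that accepts one (for example `urllib.request.urlopen(url, context=hardened_context())`) so the restriction applies to the signed requests themselves.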

Is the AWS Secret Key secure?

To obtain a pre-shared secret, AWS customers can generate a Key Id and its Secret Key from an IAM User, or obtain a token issued via STS. Most AWS Resources also provide you with a built-in key/secret pair representing the identity of the AWS Resource belonging to you, rather than one of your user identities.

In terms of the security of the Secret Key itself, an attacker would normally try to figure out what makes up the value of the Secret Key: how to produce a Secret Key in a predictable, reproducible way, and what it contains.
But for HMAC, which is completely random, there is only a perceived value in figuring this out.
The true value of the HMAC secret is that you can perform actions as the identity it belongs to, skipping any authentication checks.
If you hold the Secret Key, AWS assumes you are both authenticated and authorised to perform all actions associated with that identity, limited only by IAM policy and the various resource policies that may be in place.

So yes, Secret Keys are secure. Keep them safe; they are necessary, powerful, and radioactive.

It is surprising Signature Version 2 is still supported because it implements HMAC-SHA1, which was deprecated in 2013 after being broken and proven to be insecure the year prior.

But isn't HMAC still considered secure?

Yes, Sigv4 HMAC is still considered safe today, but Sigv2 uses SHA1.

The first research demonstrating flaws in SHA1 appeared in 2005, and various researchers improved on it over the past decade. The advancement announced in 2012 and published in 2013 prompted the industry to officially announce its deprecation.

Essentially HMAC uses a signature algorithm no different from TLS. AWS signature algorithm choices are:

AWS Auth name   Hashing Signature   Status
Sigv2           HMAC-SHA1           Deprecated 2012
Sigv4           HMAC-SHA256         First flaw was CVE-2018-10844 affecting AWS

Basically, SHA1 was deprecated because the hash uses Merkle–Damgård padding, which is fundamentally vulnerable to a length extension attack and cannot be fixed. Just consider the computing power in 2005, when SHA1 was published as broken; even 2012, when the proofs emerged, is an extremely long time ago for technology.
We are now in 2020.

HMAC-SHA256 has been subjected to various attacks, so it is an insufficient signature algorithm choice for AWS to continue supporting. It is not immune to hash collisions either, so this alone should be reason enough to deprecate it.

This is the time where we need to simply point out that as an industry, it is well known that the SHA-based signatures are problematic at best, and generally considered harmful.
I wonder why AWS has chosen to ignore this?

As a recommendation for AWS, the AES-GCM signature algorithm is already prolific; it would be a good choice.
It is a widely accepted and scrutinised choice, with many sources available for implementation. A certain video conferencing product, with which Amazon recently announced a partnership and which has far fewer resources, has announced a 90-day plan to implement this as 1 small feature from a long list of security improvements.

The Query Request API is secure right?

To answer that let's define secure.

Most security professionals will agree on at least 3 characteristics, but I'll provide another 3 that can be more important:

  • Confidential in most cases yes, but not always.
    Read about TLS confidentiality myths; basically, enforcing ciphers that apply Forward Secrecy is the best we have for Query Request API confidentiality, and that only applies where confidentiality can be enforced by TLS, of course
  • Integrity yes, in all cases, by virtue of both TLS1.3 and HMAC-SHA256
  • Available for any service to have at least 99.99% SLA, the API must also
  • Non-repudiation yes, HMAC-SHA256 provides identity and TCP/HTTP includes the additional metadata
  • Known vulnerabilities exist, however, so this is undesired.
  • Customer Secure Configurations are possible if you use the Query Request API directly rather than the SDKs.

AWS do offer us many security features - few are default secure.

Testing

Not too technical? That's fine, Qualys has a pretty decent test online here that gives similar results.

Let's gather some data using https://testssl.sh

testssl --quiet --mode parallel --standard --protocols -c --header --vulnerable --sneaky --phone-out --ids-friendly --nodns min --warnings off --hints --wide --grease --pfs --show-each --server-defaults --server-preference --client-simulation --color 0 https://calculator.s3.amazonaws.com/index.html

produces:

 Start 2020-08-29 22:20:32        -->> 52.216.186.211:443 (calculator.s3.amazonaws.com) <<--

 rDNS (52.216.186.211):  (instructed to minimize DNS queries)
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing for server implementation bugs 

 No bugs found.

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     offered
 Obsolete: SEED + 128+256 Bit CBC cipher       offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK), ciphers follow (client/browser support is important here) 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            any        AESGCM      256      TLS_AES_256_GCM_SHA384                             not a/v
 x1303   TLS_CHACHA20_POLY1305_SHA256      any        ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       not a/v
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
 xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              available
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 available
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
 x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
 xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
 xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
 xc0a3   DHE-RSA-AES256-CCM8               DH         AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8                     not a/v
 xc09f   DHE-RSA-AES256-CCM                DH         AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM                       not a/v
 x6b     DHE-RSA-AES256-SHA256             DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                not a/v
 x6a     DHE-DSS-AES256-SHA256             DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                not a/v
 x39     DHE-RSA-AES256-SHA                DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
 x38     DHE-DSS-AES256-SHA                DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
 xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH       Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384         not a/v
 xc073   ECDHE-ECDSA-CAMELLIA256-SHA384    ECDH       Camellia    256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384       not a/v
 xc4     DHE-RSA-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 xc3     DHE-DSS-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 x88     DHE-RSA-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
 x87     DHE-DSS-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
 xc043   DHE-DSS-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384               not a/v
 xc045   DHE-RSA-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384               not a/v
 xc049   ECDHE-ECDSA-ARIA256-CBC-SHA384    ECDH       ARIA        256      TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384           not a/v
 xc04d   ECDHE-RSA-ARIA256-CBC-SHA384      ECDH       ARIA        256      TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384             not a/v
 xc053   DHE-RSA-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384               not a/v
 xc057   DHE-DSS-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384               not a/v
 xc05d   ECDHE-ECDSA-ARIA256-GCM-SHA384    ECDH       ARIAGCM     256      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384           not a/v
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH       ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384             not a/v
 xc07d   -                                 DH         CamelliaGCM 256      TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc081   -                                 DH         CamelliaGCM 256      TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc087   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384       not a/v
 xc08b   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384         not a/v
 x1301   TLS_AES_128_GCM_SHA256            any        AESGCM      128      TLS_AES_128_GCM_SHA256                             not a/v
 x1304   TLS_AES_128_CCM_SHA256            any        AESCCM      128      TLS_AES_128_CCM_SHA256                             not a/v
 x1305   TLS_AES_128_CCM_8_SHA256          any        AESCCM8     128      TLS_AES_128_CCM_8_SHA256                           not a/v
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              available
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH       AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            not a/v
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              available
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            not a/v
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 available
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
 xa2     DHE-DSS-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256                not a/v
 x9e     DHE-RSA-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                not a/v
 xc0ae   ECDHE-ECDSA-AES128-CCM8           ECDH       AESCCM8     128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                 not a/v
 xc0ac   ECDHE-ECDSA-AES128-CCM            ECDH       AESCCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM                   not a/v
 xc0a2   DHE-RSA-AES128-CCM8               DH         AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8                     not a/v
 xc09e   DHE-RSA-AES128-CCM                DH         AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM                       not a/v
 x67     DHE-RSA-AES128-SHA256             DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                not a/v
 x40     DHE-DSS-AES128-SHA256             DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256                not a/v
 x33     DHE-RSA-AES128-SHA                DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
 x32     DHE-DSS-AES128-SHA                DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
 xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH       Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256         not a/v
 xc072   ECDHE-ECDSA-CAMELLIA128-SHA256    ECDH       Camellia    128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256       not a/v
 xbe     DHE-RSA-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 xbd     DHE-DSS-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 x9a     DHE-RSA-SEED-SHA                  DH         SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
 x99     DHE-DSS-SEED-SHA                  DH         SEED        128      TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
 x45     DHE-RSA-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
 x44     DHE-DSS-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
 xc042   DHE-DSS-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256               not a/v
 xc044   DHE-RSA-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256               not a/v
 xc048   ECDHE-ECDSA-ARIA128-CBC-SHA256    ECDH       ARIA        128      TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256           not a/v
 xc04c   ECDHE-RSA-ARIA128-CBC-SHA256      ECDH       ARIA        128      TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256             not a/v
 xc052   DHE-RSA-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256               not a/v
 xc056   DHE-DSS-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256               not a/v
 xc05c   ECDHE-ECDSA-ARIA128-GCM-SHA256    ECDH       ARIAGCM     128      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256           not a/v
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH       ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256             not a/v
 xc07c   -                                 DH         CamelliaGCM 128      TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc080   -                                 DH         CamelliaGCM 128      TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
 xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v

 Elliptic curves offered:     prime256v1 secp384r1 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA 
    TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA 
    TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256
               AES256-GCM-SHA384 AES128-SHA AES128-SHA256 AES256-SHA AES256-SHA256 DES-CBC3-SHA 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "server name/#0" "EC point formats/#11" "renegotiation info/#65281"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: no
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        082DF68EE9C69315BEBF72079B3810FD / SHA1 3FE05B486E3F0987130BA1D4EA0F299539A58243
                              SHA256 272FC283BF3EDC52F6F3387A9C5247A20C5D7176FE81EC3EABA4B3A8E57F8674
 Common Name (CN)             *.s3.amazonaws.com 
 subjectAltName (SAN)         *.s3.amazonaws.com s3.amazonaws.com 
 Issuer                       DigiCert Baltimore CA-2 G2 (DigiCert Inc from US)
 Trust (hostname)             Ok via SAN wildcard (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   194 >= 60 days (2019-11-09 11:00 --> 2021-03-12 23:00)
 # of certificates provided   2
 In pwnedkeys.com DB          not in database
 Certificate Revocation List  http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl, not revoked
                              http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl, not revoked
 OCSP URI                     http://ocsp.digicert.com, not revoked
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    (instructed to minimize DNS queries)
 Certificate Transparency     yes (certificate extension)


 Testing HTTP header response @ "/index.html" 

 HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                AmazonS3
 Application banner           --
 Cookie(s)                    (none issued at "/index.html")
 Security headers             Cache-Control no-cache no-store must-revalidate
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     likely not vulnerable (OK), timed out
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/index.html" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Check failed, unexpected result , run testssl -Z --debug=1 and look at /tmp/testssl.TpvX5W/*tls_fallback_scsv.txt
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=272FC283BF3EDC52F6F3387A9C5247A20C5D7176FE81EC3EABA4B3A8E57F8674 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     
 TLS1:
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 available
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xc022   SRP-DSS-AES-256-CBC-SHA           SRP        AES         256      TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA               not a/v
 xc021   SRP-RSA-AES-256-CBC-SHA           SRP        AES         256      TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA               not a/v
 xc020   SRP-AES-256-CBC-SHA               SRP        AES         256      TLS_SRP_SHA_WITH_AES_256_CBC_SHA                   not a/v
 x91     DHE-PSK-AES256-CBC-SHA            DHEPSK     AES         256      TLS_DHE_PSK_WITH_AES_256_CBC_SHA                   not a/v
 x39     DHE-RSA-AES256-SHA                DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
 x38     DHE-DSS-AES256-SHA                DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
 x37     DH-RSA-AES256-SHA                 DH/RSA     AES         256      TLS_DH_RSA_WITH_AES_256_CBC_SHA                    not a/v
 x36     DH-DSS-AES256-SHA                 DH/DSS     AES         256      TLS_DH_DSS_WITH_AES_256_CBC_SHA                    not a/v
 x88     DHE-RSA-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
 x87     DHE-DSS-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
 x86     DH-RSA-CAMELLIA256-SHA            DH/RSA     Camellia    256      TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA               not a/v
 x85     DH-DSS-CAMELLIA256-SHA            DH/DSS     Camellia    256      TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA               not a/v
 xc019   AECDH-AES256-SHA                  ECDH       AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA                 not a/v
 x3a     ADH-AES256-SHA                    DH         AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA                   not a/v
 x89     ADH-CAMELLIA256-SHA               DH         Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA              not a/v
 xc00f   ECDH-RSA-AES256-SHA               ECDH/RSA   AES         256      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA                  not a/v
 xc005   ECDH-ECDSA-AES256-SHA             ECDH/ECDSA AES         256      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA                not a/v
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       available
 xc036   ECDHE-PSK-AES256-CBC-SHA          ECDHEPSK   AES         256      TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA                 not a/v
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                  not a/v
 x95     RSA-PSK-AES256-CBC-SHA            RSAPSK     AES         256      TLS_RSA_PSK_WITH_AES_256_CBC_SHA                   not a/v
 x8d     PSK-AES256-CBC-SHA                PSK        AES         256      TLS_PSK_WITH_AES_256_CBC_SHA                       not a/v
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 available
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
 xc01f   SRP-DSS-AES-128-CBC-SHA           SRP        AES         128      TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA               not a/v
 xc01e   SRP-RSA-AES-128-CBC-SHA           SRP        AES         128      TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA               not a/v
 xc01d   SRP-AES-128-CBC-SHA               SRP        AES         128      TLS_SRP_SHA_WITH_AES_128_CBC_SHA                   not a/v
 x33     DHE-RSA-AES128-SHA                DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
 x32     DHE-DSS-AES128-SHA                DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
 x31     DH-RSA-AES128-SHA                 DH/RSA     AES         128      TLS_DH_RSA_WITH_AES_128_CBC_SHA                    not a/v
 x30     DH-DSS-AES128-SHA                 DH/DSS     AES         128      TLS_DH_DSS_WITH_AES_128_CBC_SHA                    not a/v
 x9a     DHE-RSA-SEED-SHA                  DH         SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
 x99     DHE-DSS-SEED-SHA                  DH         SEED        128      TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
 x98     DH-RSA-SEED-SHA                   DH/RSA     SEED        128      TLS_DH_RSA_WITH_SEED_CBC_SHA                       not a/v
 x97     DH-DSS-SEED-SHA                   DH/DSS     SEED        128      TLS_DH_DSS_WITH_SEED_CBC_SHA                       not a/v
 x45     DHE-RSA-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
 x44     DHE-DSS-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
 x43     DH-RSA-CAMELLIA128-SHA            DH/RSA     Camellia    128      TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA               not a/v
 x42     DH-DSS-CAMELLIA128-SHA            DH/DSS     Camellia    128      TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA               not a/v
 xc018   AECDH-AES128-SHA                  ECDH       AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA                 not a/v
 x34     ADH-AES128-SHA                    DH         AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA                   not a/v
 x9b     ADH-SEED-SHA                      DH         SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA                      not a/v
 x46     ADH-CAMELLIA128-SHA               DH         Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA              not a/v
 xc00e   ECDH-RSA-AES128-SHA               ECDH/RSA   AES         128      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA                  not a/v
 xc004   ECDH-ECDSA-AES128-SHA             ECDH/ECDSA AES         128      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA                not a/v
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       available
 xc035   ECDHE-PSK-AES128-CBC-SHA          ECDHEPSK   AES         128      TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA                 not a/v
 x90     DHE-PSK-AES128-CBC-SHA            DHEPSK     AES         128      TLS_DHE_PSK_WITH_AES_128_CBC_SHA                   not a/v
 x96     SEED-SHA                          RSA        SEED        128      TLS_RSA_WITH_SEED_CBC_SHA                          not a/v
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                  not a/v
 x07     IDEA-CBC-SHA                      RSA        IDEA        128      TLS_RSA_WITH_IDEA_CBC_SHA                          not a/v
 x94     RSA-PSK-AES128-CBC-SHA            RSAPSK     AES         128      TLS_RSA_PSK_WITH_AES_128_CBC_SHA                   not a/v
 x8c     PSK-AES128-CBC-SHA                PSK        AES         128      TLS_PSK_WITH_AES_128_CBC_SHA                       not a/v
 x21     KRB5-IDEA-CBC-SHA                 KRB5       IDEA        128      TLS_KRB5_WITH_IDEA_CBC_SHA                         not a/v
 x25     KRB5-IDEA-CBC-MD5                 KRB5       IDEA        128      TLS_KRB5_WITH_IDEA_CBC_MD5                         not a/v
 xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH       3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                not a/v
 xc008   ECDHE-ECDSA-DES-CBC3-SHA          ECDH       3DES        168      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA              not a/v
 xc01c   SRP-DSS-3DES-EDE-CBC-SHA          SRP        3DES        168      TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA              not a/v
 xc01b   SRP-RSA-3DES-EDE-CBC-SHA          SRP        3DES        168      TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA              not a/v
 xc01a   SRP-3DES-EDE-CBC-SHA              SRP        3DES        168      TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA                  not a/v
 x16     EDH-RSA-DES-CBC3-SHA              DH         3DES        168      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                  not a/v
 x13     EDH-DSS-DES-CBC3-SHA              DH         3DES        168      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA                  not a/v
 x10     DH-RSA-DES-CBC3-SHA               DH/RSA     3DES        168      TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA                   not a/v
 x0d     DH-DSS-DES-CBC3-SHA               DH/DSS     3DES        168      TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA                   not a/v
 xc017   AECDH-DES-CBC3-SHA                ECDH       3DES        168      TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA                not a/v
 x1b     ADH-DES-CBC3-SHA                  DH         3DES        168      TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                  not a/v
 xc00d   ECDH-RSA-DES-CBC3-SHA             ECDH/RSA   3DES        168      TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA                 not a/v
 xc003   ECDH-ECDSA-DES-CBC3-SHA           ECDH/ECDSA 3DES        168      TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA               not a/v
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      available
 x93     RSA-PSK-3DES-EDE-CBC-SHA          RSAPSK     3DES        168      TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA                  not a/v
 x8b     PSK-3DES-EDE-CBC-SHA              PSK        3DES        168      TLS_PSK_WITH_3DES_EDE_CBC_SHA                      not a/v
 x1f     KRB5-DES-CBC3-SHA                 KRB5       3DES        168      TLS_KRB5_WITH_3DES_EDE_CBC_SHA                     not a/v
 x23     KRB5-DES-CBC3-MD5                 KRB5       3DES        168      TLS_KRB5_WITH_3DES_EDE_CBC_MD5                     not a/v
 xc034   ECDHE-PSK-3DES-EDE-CBC-SHA        ECDHEPSK   3DES        168      TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA                not a/v
 x8f     DHE-PSK-3DES-EDE-CBC-SHA          DHEPSK     3DES        168      TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA                  not a/v
 xfeff   -                                 RSA        3DES        168      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA                 not a/v
 xffe0   -                                 RSA        3DES        168      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA                 not a/v
 x63     EXP1024-DHE-DSS-DES-CBC-SHA       DH(1024)   DES         56,exp   TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA            not a/v
 x15     EDH-RSA-DES-CBC-SHA               DH         DES         56       TLS_DHE_RSA_WITH_DES_CBC_SHA                       not a/v
 x12     EDH-DSS-DES-CBC-SHA               DH         DES         56       TLS_DHE_DSS_WITH_DES_CBC_SHA                       not a/v
 x0f     DH-RSA-DES-CBC-SHA                DH/RSA     DES         56       TLS_DH_RSA_WITH_DES_CBC_SHA                        not a/v
 x0c     DH-DSS-DES-CBC-SHA                DH/DSS     DES         56       TLS_DH_DSS_WITH_DES_CBC_SHA                        not a/v
 x1a     ADH-DES-CBC-SHA                   DH         DES         56       TLS_DH_anon_WITH_DES_CBC_SHA                       not a/v
 x62     EXP1024-DES-CBC-SHA               RSA(1024)  DES         56,exp   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA                not a/v
 x09     DES-CBC-SHA                       RSA        DES         56       TLS_RSA_WITH_DES_CBC_SHA                           not a/v
 x1e     KRB5-DES-CBC-SHA                  KRB5       DES         56       TLS_KRB5_WITH_DES_CBC_SHA                          not a/v
 x22     KRB5-DES-CBC-MD5                  KRB5       DES         56       TLS_KRB5_WITH_DES_CBC_MD5                          not a/v
 xfefe   -                                 RSA        DES         56       SSL_RSA_FIPS_WITH_DES_CBC_SHA                      not a/v
 xffe1   -                                 RSA        DES         56       SSL_RSA_FIPS_WITH_DES_CBC_SHA                      not a/v
 x14     EXP-EDH-RSA-DES-CBC-SHA           DH(512)    DES         40,exp   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA              not a/v
 x11     EXP-EDH-DSS-DES-CBC-SHA           DH(512)    DES         40,exp   TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA              not a/v
 x19     EXP-ADH-DES-CBC-SHA               DH(512)    DES         40,exp   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA              not a/v
 x08     EXP-DES-CBC-SHA                   RSA(512)   DES         40,exp   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA                  not a/v
 x06     EXP-RC2-CBC-MD5                   RSA(512)   RC2         40,exp   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5                 not a/v
 x27     EXP-KRB5-RC2-CBC-SHA              KRB5       RC2         40,exp   TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA                not a/v
 x26     EXP-KRB5-DES-CBC-SHA              KRB5       DES         40,exp   TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA                not a/v
 x2a     EXP-KRB5-RC2-CBC-MD5              KRB5       RC2         40,exp   TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5                not a/v
 x29     EXP-KRB5-DES-CBC-MD5              KRB5       DES         40,exp   TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5                not a/v
 x0b     EXP-DH-DSS-DES-CBC-SHA            DH/DSS     DES         40,exp   TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA               not a/v
 x0e     EXP-DH-RSA-DES-CBC-SHA            DH/RSA     DES         40,exp   TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA               not a/v

 VULNERABLE -- but also supports higher protocols (possible mitigation)  TLSv1.1 TLSv1.2

 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Running client simulations (HTTP) via sockets 

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 4.4.2                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 9.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 10.0 (native)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Chrome 74 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Chrome 79 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Firefox 66 (Win 8.1/10)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Firefox 71 (Win 10)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 IE 6 XP                      No connection
 IE 8 Win 7                   TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 8 XP                      TLSv1.0   DES-CBC3-SHA                      No FS
 IE 11 Win 7                  TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 17 (Win 10)             TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Opera 66 (Win 10)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Safari 12.1 (iOS 12.2)       TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Safari 13.0 (macOS 10.14.6)  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 6u45                    TLSv1.0   AES128-SHA                        No FS
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (68.3)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)

 Done 2020-08-29 22:26:19 [ 349s] -->> 52.216.186.211:443 (calculator.s3.amazonaws.com) <<--

Which shows us;

  • TLS 1.0 and 1.1 are still supported, with a few notable ciphers that have been exploitable for over a decade
  • Vulnerable to SWEET32 (CVE-2016-2183, CVE-2016-6329), which has some trivial exploits online for the script kiddies to run without learning much more than how to open a terminal window.
  • No OCSP at all: not stapled, and no CA enforcement of the must-staple flag in the cert.
  • Valid for 60 days, meaning we have a very wide window to wait for IP churn to allow a DNS version of domain takeover.
  • Session side-jacking seems like a promising attack vector too, but requires more investigation than we have done here
  • Best for last: those CBC ciphers are a great target for testing some very well-known padding-related attack vectors, considering the internet pretty much got rid of CBC ciphers between 2013 and 2015.
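
The cipher and client-simulation findings in the list above can be pulled out of a testssl.sh text report mechanically, which is useful when auditing many endpoints. This is an added example, not part of the original post: the `triage` function, its regexes and the reason strings are illustrative, and the regexes assume the column layout shown in the report above.

```python
import re

# Constructed sample: a few rows copied from the testssl.sh report above.
SAMPLE = """\
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       available
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      available
 x16     EDH-RSA-DES-CBC3-SHA              DH         3DES        168      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                  not a/v
 Chrome 79 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 IE 6 XP                      No connection
 IE 8 XP                      TLSv1.0   DES-CBC3-SHA                      No FS
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
"""

# hexcode, OpenSSL name, key exchange, cipher, bits, RFC name, availability
CIPHER_ROW = re.compile(
    r"^\s*x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(available|not a/v)\s*$")
# client name, negotiated protocol, cipher, forward-secrecy column
CLIENT_ROW = re.compile(r"^\s*(.+?)\s{2,}(TLSv1\.\d)\s+(\S+)\s{2,}(.+?)\s*$")
BLOCK64 = {"3DES", "DES", "IDEA", "RC2"}  # 64-bit block ciphers (SWEET32 class)
OLD_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}

def triage(report):
    """Return (weak_ciphers, weak_clients) as lists of (name, [reasons])."""
    weak_ciphers, weak_clients = [], []
    for line in report.splitlines():
        m = CIPHER_ROW.match(line)
        if m:
            name, kx, enc, _bits, rfc, status = m.groups()
            reasons = [why for hit, why in (
                ("_CBC_" in rfc, "CBC mode"),
                (enc in BLOCK64, "64-bit block cipher (SWEET32)"),
                (kx == "RSA", "static RSA, no forward secrecy")) if hit]
            if status == "available" and reasons:  # skip suites the server refused
                weak_ciphers.append((name, reasons))
            continue
        m = CLIENT_ROW.match(line)
        if m:  # "No connection" rows do not match and are ignored
            client, proto, _cipher, fs = m.groups()
            reasons = [why for hit, why in (
                (proto in OLD_PROTOCOLS, "negotiates " + proto),
                (fs == "No FS", "no forward secrecy")) if hit]
            if reasons:
                weak_clients.append((client, reasons))
    return weak_ciphers, weak_clients

if __name__ == "__main__":
    for rows in triage(SAMPLE):
        for name, reasons in rows:
            print(f"{name}: {', '.join(reasons)}")
```
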

If I can spend a whole 15 minutes and next to zero technical effort to learn this, and I am not even slightly a motivated attacker, or an attacker of any description, what do you think can happen if there is one human out there on planet Earth targeting your data? Amazon's security won't stop them (clearly), and you have no way to configure Amazon to protect yourself. I guess we can hope that the name Amazon is a deterrent and you're safe in the expanding sea of customers, but the news cycles about S3 breaches tell a very different story about the deterrent quality of a North American corporate to the rest of the world. You decide; it's your threat model, your risk posture, not mine.

Conclusion

While AWS offer many security features, they allow insecure and deprecated protocol downgrades to TLS 1.0, and support deprecated signature algorithms for their API authentication.

These backwards-compatibility decisions and the continued use of deprecated security features are open to attackers, who will utilise anything available; they don't stick to the best security options on offer.
