Encryption implementation issues, and TLS configuration weaknesses in particular, are in my experience some of the most commonly reported findings during penetration tests. Whilst they may not be quite as scary as seeing "SQL Injection" or "Stored Cross-Site Scripting" in a report, their ubiquity merits some discussion.
The issues we encounter most often broadly fall into three categories:
- Outdated Encryption Protocol Support
- Certificate Issues
- Weak Cipher Suites
How are these three categories linked, and what do they do to keep my data safe?
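To make the three categories concrete, here is an added example (not code from the original post) that triages a TLS scan result into exactly those three buckets. The scan-result layout, the hostnames, certificate fields and dates are all constructed and simplified for the example; a real assessment would feed in the output of a scanner such as testssl.sh or sslscan, but the checks below are the same ones a tester applies by hand.

```python
"""Triage a TLS endpoint scan into the three finding categories above.

Added example: the scan-result dictionaries are constructed, hypothetical
data so the script runs offline; the checks mirror what a tester looks for.
"""
import re
from datetime import datetime, timezone

OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Cipher-suite name fragments (OpenSSL / IANA naming) that indicate weak or
# broken primitives, with the reason to report.
WEAK_CIPHER_PATTERNS = [
    (r"NULL", "no encryption"),
    (r"EXP", "export-grade key length"),
    (r"RC4", "RC4 stream cipher"),
    (r"DES-CBC3|3DES", "3DES, 64-bit block size (Sweet32)"),
    (r"DES-CBC-", "single DES"),
    (r"^ADH-|^AECDH-|ANON", "anonymous key exchange (no server authentication)"),
    (r"MD5", "MD5 MAC"),
]
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


def check_protocols(protocols):
    return [f"Outdated protocol enabled: {p}" for p in protocols if p in OUTDATED_PROTOCOLS]


def san_matches(san, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if san.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == san[2:]
    return san == hostname


def check_certificate(cert, hostname, now):
    findings = []
    if datetime.fromisoformat(cert["not_after"]) <= now:
        findings.append(f"Certificate expired on {cert['not_after']}")
    if cert["issuer"] == cert["subject"]:
        findings.append("Certificate is self-signed (chains to no trusted CA)")
    if not any(san_matches(san, hostname) for san in cert["sans"]):
        findings.append(f"Certificate does not cover hostname {hostname}")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"Certificate signed with weak algorithm {cert['sig_alg']}")
    if cert["key_bits"] < 2048:
        findings.append(f"Certificate key too short: {cert['key_bits']} bits")
    return findings


def check_ciphers(cipher_suites):
    findings = []
    for suite in cipher_suites:
        reasons = [why for pat, why in WEAK_CIPHER_PATTERNS if re.search(pat, suite, re.IGNORECASE)]
        # TLS 1.3 suites (TLS_*) and (EC)DHE suites use ephemeral keys; anything
        # else (e.g. static RSA key exchange) offers no forward secrecy.
        if not suite.startswith(("TLS_", "ECDHE-", "DHE-")):
            reasons.append("no forward secrecy (static key exchange)")
        if reasons:
            findings.append(f"Weak cipher suite {suite}: " + "; ".join(reasons))
    return findings


def triage(scan, now):
    """Map one endpoint's scan result onto the three report categories."""
    return {
        "Outdated Encryption Protocol Support": check_protocols(scan["protocols"]),
        "Certificate Issues": check_certificate(scan["certificate"], scan["hostname"], now),
        "Weak Cipher Suites": check_ciphers(scan["cipher_suites"]),
    }


# Constructed sample data: a typical "legacy" endpoint and a hardened one.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

WEAK_SCAN = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"],
    "certificate": {
        "subject": "CN=www.example.com", "issuer": "CN=www.example.com",
        "sans": ["www.example.com"], "not_after": "2023-12-31T23:59:59+00:00",
        "sig_alg": "sha1WithRSAEncryption", "key_bits": 1024,
    },
}

HARDENED_SCAN = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                      "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"],
    "certificate": {
        "subject": "CN=www.example.com", "issuer": "CN=Example CA",
        "sans": ["*.example.com", "example.com"], "not_after": "2025-01-01T00:00:00+00:00",
        "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048,
    },
}

if __name__ == "__main__":
    for name, scan in (("weak", WEAK_SCAN), ("hardened", HARDENED_SCAN)):
        print(f"== {name} ==")
        for category, findings in triage(scan, NOW).items():
            print(f"{category}: {len(findings)} finding(s)")
            for f in findings:
                print("  -", f)
```

Running it shows the weak endpoint producing findings in all three categories while the hardened one is clean, which is the point of grouping them: they are three views of the same TLS endpoint configuration, and a single misconfigured listener typically surfaces in more than one.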