SynaMan, PCI Compliance and SSL Vulnerability Scan Ratings
PCI Compliance and SynaMan Online File Sharing
NOTE: The latest SynaMan distribution does not have this issue because it ships with Java 1.8 and supports a larger set of cipher suites. This article is only relevant for versions of SynaMan running on Java 1.6.
Security has become increasingly important for online file sharing. After incidents such as the iCloud photo leak ("iCloudgate") and other hacking scandals, fewer users feel safe keeping their personal data online. If you are a company that needs to store and share clients' sensitive data, a breach is just as damaging, and rebuilding your reputation afterwards is costly.
Enter PCI compliance. This set of standards (the PCI DSS) exists to help others trust that you have taken the necessary steps to make your online presence safe for them to use. For complete documentation, please see the following link:
The biggest question is "How does my site stack up against these standards, and which requirements does it fulfil?" And, even more to the point, how do I test my site against them? There are literally hundreds of sites that let you type in a domain name, press 'Submit' and get a result. So I submitted a SynaMan instance on a particular domain and received a grade of C (F being the worst score and A+ the best). Why?
The thing is, scanning a server for PCI compliance is difficult and error prone. It is not an easy task to carry out well when there are dozens if not hundreds of different web servers on the net. What happens in the background is fairly simple: the scanner runs a series of scripted tests against your server (which SSL/TLS versions and cipher suites it accepts, which known weaknesses it exhibits) and compares the results against the latest published security patches and updates. If your server does not comply, you get warnings and a lower grade.
The two main things on my list to fix were:
* Support the latest TLS version
* Secure renegotiation, and a larger set of accepted cipher suites
Supporting The Latest TLS in SynaMan
Java 1.6 does not support TLS 1.1 or TLS 1.2, so a SynaMan instance running on it can only offer TLS 1.0, which scanners penalise. Java 8 supports TLS 1.2 and enables it by default, so this problem is solved by upgrading to JDK 1.8 and re-running the scan.
Adding more ciphers to the cipher list
This is done by adding the following line to the $INSTALL_DIR\config\server.properties file. The value is a comma-separated list of exact JSSE cipher suite names, with no spaces:
ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Important: the above must be a single line. Email readers will very likely wrap it into multiple lines; if the wrapped version is pasted into the file, everything after the line break is no longer part of the value.
If you do not see a file called server.properties in the config folder, create it. Otherwise, paste this line at the end.
Caveat: the list above still contains two RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_SHA). RC4 has since been prohibited for TLS by RFC 7465 and current scanners penalise it, so drop those two unless a legacy client genuinely needs them. On Java 8 you can also add the AES-GCM suites (for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), which scanners now prefer over the CBC suites listed here.
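The following Python script is an added example, not SynaMan's or Synametrics' code. It ties together the two points above: what a scanner looks at when it grades a server's cipher suites, and the single-line requirement for ssl.cipher.list. It reads a server.properties text with a simplified Java-properties parser (an assumption: '=' separator, '#'/'!' comments, trailing-backslash continuation), detects a cipher list that a mail reader wrapped across lines, classifies each JSSE suite name by key exchange, bulk cipher and MAC, and emits a repaired single-line setting with the suites a scanner would reject removed. The sample properties text is constructed for the example.

```python
"""Audit the ssl.cipher.list setting of a SynaMan-style server.properties file.

Added example, not SynaMan's own code. It reads Java-properties text, detects
a cipher list that a mail reader wrapped across lines (the failure mode the
article warns about), and classifies every JSSE suite name by key exchange,
bulk cipher and MAC so that suites a PCI scanner flags (RC4, DES/3DES, NULL
or export-grade encryption, anonymous or static key exchange, MD5, CBC mode)
are caught before the scan is. The properties parser is a deliberate
simplification of Java's format (assumption): '=' as separator, '#'/'!'
comments and trailing-backslash continuation lines only.
"""
import re

# Constructed sample: the article's cipher list, broken after the second
# suite the way a mail reader would wrap it. In a correct file the whole
# value sits on one line.
WRAPPED_SAMPLE = """\
# server.properties (constructed sample)
ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA
"""

# JSSE/IANA naming: <TLS|SSL>_<key exchange>_WITH_<bulk cipher>_<MAC or PRF>.
# TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no "_WITH_" and are reported as
# unrecognised; they do not apply to the Java 6/8 servers discussed here.
SUITE_RE = re.compile(r"^(TLS|SSL)_(.+?)_WITH_(.+)_(SHA384|SHA256|SHA|MD5)$")


def parse_properties(text):
    """Return (key->value dict, stray keys that look like cipher suites).

    Java treats a line without '=' as a key with an empty value, so the tail
    of a wrapped cipher list silently becomes a bogus key instead of an error.
    """
    props, stray, pending = {}, [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):          # legitimate Java continuation line
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        props[key] = value.strip()
        if not sep and key.startswith(("TLS_", "SSL_")):
            stray.append(key)
    return props, stray


def classify(suite):
    """Split a suite name into its parts and list why a scanner would flag it.

    'reject' issues should remove the suite from the list; 'warn' issues only
    lower the grade.
    """
    m = SUITE_RE.match(suite)
    if not m:
        return {"suite": suite, "reject": ["unrecognised suite name"], "warn": []}
    _prefix, kx, cipher, mac = m.groups()
    reject, warn = [], []
    if "RC4" in cipher:
        reject.append("RC4 (prohibited for TLS by RFC 7465)")
    if cipher.startswith(("DES_", "3DES_")):
        reject.append("DES or 3DES (64-bit block cipher)")
    if "NULL" in cipher or "EXPORT" in kx:
        reject.append("NULL or export-grade encryption")
    if "anon" in kx:
        reject.append("anonymous key exchange (no authentication)")
    if mac == "MD5":
        reject.append("MD5 MAC")
    if not kx.startswith(("ECDHE_", "DHE_")):
        warn.append("static key exchange, no forward secrecy")
    if cipher.endswith("_CBC"):
        warn.append("CBC mode (scanners prefer AES-GCM)")
    return {"suite": suite, "kx": kx, "cipher": cipher, "mac": mac,
            "reject": reject, "warn": warn}


def audit(text, key="ssl.cipher.list"):
    """Audit the cipher list in a properties text and build a repaired line."""
    props, stray = parse_properties(text)
    configured = [s.strip() for s in props.get(key, "").split(",") if s.strip()]
    # Suites that ended up on a wrapped line never reached the value.
    wrapped_away = [s for line in stray for s in line.split(",") if s]
    results = [classify(s) for s in configured + wrapped_away]
    kept = [r["suite"] for r in results if not r["reject"]]
    return {
        "configured": configured,
        "wrapped_away": wrapped_away,
        "rejected": {r["suite"]: r["reject"] for r in results if r["reject"]},
        "warned": {r["suite"]: r["warn"] for r in results if r["warn"]},
        # Single line, comma-separated, no spaces: the form the setting needs.
        "hardened_line": key + "=" + ",".join(kept),
    }


if __name__ == "__main__":
    for name, value in audit(WRAPPED_SAMPLE).items():
        print(f"{name}: {value}")
```

Run against the constructed sample, the report shows two suites actually configured, three silently lost to the wrap, both RC4 suites rejected, every remaining suite warned for CBC mode, and a repaired single-line ssl.cipher.list value with the three surviving ECDHE suites. Feeding classify() a GCM suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 returns no issues at all, which is the reason to put those first on a Java 8 server.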
After these fixes, my SynaMan instance scored an 'A-' on the online PCI vulnerability scan. This is a good result, since major sites such as Apple, Microsoft and even Wells Fargo pass with the same score. If you need more help securing your instance of Syncrify or SynaMan, the Synametrics support department can help.