Sep 2, 2019 3 min read

Consistent Advice

Post highlighting the need for consistent advice when giving security advice.

A while back I wrote a post titled Informed Advice. This post is similar, but here I want to raise another issue with how we as an industry sometimes give security advice: we are not always consistent with our message. For me the clearest example is the advice that SMS/Text MFA is OK(ish) yet supporting TLSv1 is terrible. The purpose of this post is not to go into the technical details of the two, but merely to point out some of the inconsistencies.

First, let me start off with the poll which I created on Twitter, whether people felt that TLSv1 was secure:

To me the result is pretty definitive: the vast majority feel that TLSv1 is insecure. I then created a similar poll to see if people thought that Text/SMS MFA is secure:

While most felt that it is insecure, many still felt that it is secure (relatively speaking, perhaps). Additionally, there was a lot more discussion around the topic.

So let's take a step back and look at the facts. Firstly, TLSv1 does not have any known exploitable vulnerabilities today. There was BEAST, but this has been mitigated in client-side browsers (and exploiting it required a large number of requests as well as JavaScript). However, we do know of some practical attacks against SMS/Text MFA, such as SIM swapping/hijacking or compromises of the mobile operator's network. In fact, to my knowledge, there have been zero compromises as a result of TLSv1 (if there are, please let me know). However, there have been several known compromises where Text/SMS MFA was the means of protection:

And perhaps the most recent example of a SIM swapping attack took place this past week, where the attackers managed to get access to the phone number of Jack Dorsey, the CEO of Twitter. In fact, in the UK, thanks to OfCom, all it takes now is a single text to perform a SIM swap.

The point I'm trying to make is that while I've heard phrases such as "it's better than nothing" (which it is) said about SMS MFA, I've never once heard the same for TLSv1. So here we have something with known vulnerabilities that have actually been exploited being touted as OK(ish), yet something with no known exploitable vulnerabilities being deemed bad and in need of removal. And that is the point of this post: it's not a consistent message. In my opinion this matters, because otherwise we will find ourselves in the position we are in today with "look for the green padlock".

Also, as a side note, much like we need to move away from the aging TLSv1 protocol, the same logic should be applied to the likes of SMS/Text MFA. There are much better alternatives out there, both from a usability point of view and from a security point of view. Granted, cost is perhaps a factor, but hopefully higher adoption will help drive costs down. Companies could also provide them as part of their service, a value-added service so to speak. I've even seen some services offering MFA via email.

One more thing to note, and a positive one. While there was a lot of discussion happening on the Text/SMS MFA poll, it was constructive, and I think that this is equally important. To me this helps drive innovation and helps to ensure that we are on the right track and making the right decisions, by incorporating input from many directions and ideas.

Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.