HubSpot's certificate is getting flagged by a security tool for SWEET32

KSorensen7 — Wed, 06 Jul 2022 22:20:07 GMT

Our company is using HubSpot for our website and the certificate provided from hubspot is vulnerability to a SWEET32 attack. See https://sweet32.info/

This is a highvulnerability https://nvd.nist.gov/vuln/detail/CVE-2016-2183

Re: HubSpot's certificate is getting flagged by a security tool for SWEET32

kvlschaefer — Mon, 11 Jul 2022 19:49:24 GMT

Hi @KSorensen7,

Thanks for reaching out!

This has been already been mitigated by Cloudflare, which is documented toward the end of this page. For additional context, Cloudflare is our Content Delivery Network which is used to protect our websites and services from hackers and to speed up the performance of our customer’s websites).

I wanted to share this snippet from the linked website with you:

"A vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. Sweet32 is currently a proof of concept attack, there are no known examples of this in the wild. Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:

attacker must collect 32GB of data from a single TLS session
Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32GB of data is collected

If you would like to test the protections built into the HubSpot platform using a fully-featured free trial, it is possible to test within the guidelines of our bug bounty program. For more info about HubSpot bug bounty and the guidelines, please visit https://bugcrowd.com/hubspot

Thank you,

Kristen

topic HubSpot's certificate is getting flagged by a security tool for SWEET32 in Tickets & Conversations

HubSpot's certificate is getting flagged by a security tool for SWEET32

Re: HubSpot's certificate is getting flagged by a security tool for SWEET32