Why is this an issue?

TLS configuration of Google Cloud load balancers is defined through SSL policies. There are three managed profiles to choose from: COMPATIBLE (default), MODERN and RESTRICTED:

• The RESTRICTED profile relies only on secure cipher suites and should be used by applications that require to comply with the highest security standards.
• The MODERN profile includes additional cipher suites that present security weaknesses like using the SHA1 algorithm for signing.
• The COMPATIBLE profile offers the most common cipher suites and thus broader compatibility. Some of these use SHA1 or 3DES algorithms which are considered weak. Also, this profile includes cipher suites that rely on obsolete key-exchange mechanisms that don’t provide forward secrecy[https://en.wikipedia.org/wiki/Forward_secrecy] as a feature.

Noncompliant code example

resource "google_compute_ssl_policy" "example" {
  name            = "example"
  min_tls_version = "TLS_1_2"
  profile         = "COMPATIBLE" # Noncompliant
}

Compliant solution

resource "google_compute_ssl_policy" "example" {
  name            = "example"
  min_tls_version = "TLS_1_2"
  profile         = "RESTRICTED"
}

Resources

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
• SSL and TLS Deployment Best Practices - Use Secure Cipher Suites
• Google Cloud Load Balancing - Defining an SSL policy