Vulnerabilities / Threats
10/7/2009
02:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SSL Still Mostly Misunderstood

Even many IT professionals don't understand what Secure Sockets Layer does and doesn't do, leaving them vulnerable, new survey shows

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey.

Just what SSL does and doesn't do isn't clear to many users, and the way Websites implement it doesn't help: "The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle, who surveyed a cross-section of users -- technical and nontechnical -- and shared the results of his findings today during a panel presentation about SSL at the SecTor Conference in Toronto.

Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords. "It's scary that people care so little about their passwords than they do about their credit card numbers," he says. "You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they're probably using it for online banking, too."

It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL.

Zusman, who spoke on Reguly's panel along with Robert "RSnake" Hansen of SecTheory and Jay Graver, lead engineer at nCircle Network Security, says it's not just the general consumer population who doesn't understand SSL, which encrypts a Web session and authenticates the identity of a Website. "It's still a challenge in the infosec community. I was doing a penetration test with a team last week, and the development team asked why we found all these vulnerabilities in their product when they were using SSL," he says.

More than half of the respondents don't know what Extended Validation SSL (EVSSL) is and how it differs from SSL, while 36 percent say they do. Interestingly, most of them are aware that SSL traffic can be sniffed without their knowledge.

Even so, nearly one-third say the only purpose of SSL is to encrypt their traffic so it can't be sniffed.

Reguly and Zusman say aside from a need for better user education about SSL, much of the problem lays with how Web developers deploy SSL. One respondent, for example, said SSL would be more effective if an invalid or expired SSL certificate blocked a user from visiting the site rather than offering click-through options. "It would create a lot of headaches, but would be very effective in nixing problems when invalid certs are in production and giving users the option to click-through and end up getting exploited," says Zusman, who is a senior consultant with the Intrepidus Group.

Another issue is that users become annoyed and eventually ignore SSL and browser security messages that appear when they hit a site with an invalid certificate, or a browser warns them of a potentially dangerous site, Reguly says. Nearly 50 of the survey's nontechnical respondents just clicked through security warnings without paying attention to them, he says.

Meanwhile, 51 percent of the survey respondents said they rely on browser error messages to alert them of flaws in Website security. And that's not what browsers technically do, Reguly says. "That actually shocked me that over 50 percent said this," he says. "This speaks to the misunderstanding people have about browsers [and SSL]," he says.

The challenge is that there's no simple way to deploy SSL. "It's not one click. It's a multistep process that involves configuration, time, and effort, and most don't want to invest that energy" to do it properly, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.