Vulnerabilities / Threats

10/7/2009
02:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SSL Still Mostly Misunderstood

Even many IT professionals don't understand what Secure Sockets Layer does and doesn't do, leaving them vulnerable, new survey shows

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey.

Just what SSL does and doesn't do isn't clear to many users, and the way Websites implement it doesn't help: "The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle, who surveyed a cross-section of users -- technical and nontechnical -- and shared the results of his findings today during a panel presentation about SSL at the SecTor Conference in Toronto.

Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords. "It's scary that people care so little about their passwords than they do about their credit card numbers," he says. "You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they're probably using it for online banking, too."

It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL.

Zusman, who spoke on Reguly's panel along with Robert "RSnake" Hansen of SecTheory and Jay Graver, lead engineer at nCircle Network Security, says it's not just the general consumer population who doesn't understand SSL, which encrypts a Web session and authenticates the identity of a Website. "It's still a challenge in the infosec community. I was doing a penetration test with a team last week, and the development team asked why we found all these vulnerabilities in their product when they were using SSL," he says.

More than half of the respondents don't know what Extended Validation SSL (EVSSL) is and how it differs from SSL, while 36 percent say they do. Interestingly, most of them are aware that SSL traffic can be sniffed without their knowledge.

Even so, nearly one-third say the only purpose of SSL is to encrypt their traffic so it can't be sniffed.

Reguly and Zusman say aside from a need for better user education about SSL, much of the problem lays with how Web developers deploy SSL. One respondent, for example, said SSL would be more effective if an invalid or expired SSL certificate blocked a user from visiting the site rather than offering click-through options. "It would create a lot of headaches, but would be very effective in nixing problems when invalid certs are in production and giving users the option to click-through and end up getting exploited," says Zusman, who is a senior consultant with the Intrepidus Group.

Another issue is that users become annoyed and eventually ignore SSL and browser security messages that appear when they hit a site with an invalid certificate, or a browser warns them of a potentially dangerous site, Reguly says. Nearly 50 of the survey's nontechnical respondents just clicked through security warnings without paying attention to them, he says.

Meanwhile, 51 percent of the survey respondents said they rely on browser error messages to alert them of flaws in Website security. And that's not what browsers technically do, Reguly says. "That actually shocked me that over 50 percent said this," he says. "This speaks to the misunderstanding people have about browsers [and SSL]," he says.

The challenge is that there's no simple way to deploy SSL. "It's not one click. It's a multistep process that involves configuration, time, and effort, and most don't want to invest that energy" to do it properly, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Welcome to the pit of misery.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.