Vulnerabilities / Threats
10/7/2009
02:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SSL Still Mostly Misunderstood

Even many IT professionals don't understand what Secure Sockets Layer does and doesn't do, leaving them vulnerable, new survey shows

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey.

Just what SSL does and doesn't do isn't clear to many users, and the way Websites implement it doesn't help: "The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle, who surveyed a cross-section of users -- technical and nontechnical -- and shared the results of his findings today during a panel presentation about SSL at the SecTor Conference in Toronto.

Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords. "It's scary that people care so little about their passwords than they do about their credit card numbers," he says. "You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they're probably using it for online banking, too."

It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL.

Zusman, who spoke on Reguly's panel along with Robert "RSnake" Hansen of SecTheory and Jay Graver, lead engineer at nCircle Network Security, says it's not just the general consumer population who doesn't understand SSL, which encrypts a Web session and authenticates the identity of a Website. "It's still a challenge in the infosec community. I was doing a penetration test with a team last week, and the development team asked why we found all these vulnerabilities in their product when they were using SSL," he says.

More than half of the respondents don't know what Extended Validation SSL (EVSSL) is and how it differs from SSL, while 36 percent say they do. Interestingly, most of them are aware that SSL traffic can be sniffed without their knowledge.

Even so, nearly one-third say the only purpose of SSL is to encrypt their traffic so it can't be sniffed.

Reguly and Zusman say aside from a need for better user education about SSL, much of the problem lays with how Web developers deploy SSL. One respondent, for example, said SSL would be more effective if an invalid or expired SSL certificate blocked a user from visiting the site rather than offering click-through options. "It would create a lot of headaches, but would be very effective in nixing problems when invalid certs are in production and giving users the option to click-through and end up getting exploited," says Zusman, who is a senior consultant with the Intrepidus Group.

Another issue is that users become annoyed and eventually ignore SSL and browser security messages that appear when they hit a site with an invalid certificate, or a browser warns them of a potentially dangerous site, Reguly says. Nearly 50 of the survey's nontechnical respondents just clicked through security warnings without paying attention to them, he says.

Meanwhile, 51 percent of the survey respondents said they rely on browser error messages to alert them of flaws in Website security. And that's not what browsers technically do, Reguly says. "That actually shocked me that over 50 percent said this," he says. "This speaks to the misunderstanding people have about browsers [and SSL]," he says.

The challenge is that there's no simple way to deploy SSL. "It's not one click. It's a multistep process that involves configuration, time, and effort, and most don't want to invest that energy" to do it properly, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.