6 Things That Stink About SSL
Users might not care to trust the very mechanism that's supposed to provide online trust.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2f460b504dbeb3c0/64f0dcedaee48c7291c68557/SSLSucks_7.jpg?width=700&auto=webp&quality=80&disable=upscale)
When Heartbleed came along, some people in the security community were alarmed. Many others, however, weren't terribly concerned, because, after all, SSL was never perfect and we shouldn't be surprised anyway.
Perfect or not, we still use it... a lot.
SSL (Secure Sockets Layer) is one of the most important components of Internet security, and the most significant online trust mechanism, essential to online shopping, banking, and socializing.
Yet, the very mechanism we rely on to provide trust is, itself, untrustworthy. Here are a few reasons why...
SHA-1, once thought to be uncrackable, was cracked seven years ago, but according to Netcraft's recent SSL survey, more than 98% of all SSL certificates in use on the web are still signed with SHA-1. Although certificate authorities are no longer issuing new certs that use the completely pulverized MD5 hash algorithm, some MD5 certs are still out there and will remain in use until they expire.
Browsers stop a user in their tracks to declare "There is a problem with this site's certificate" or "This connection is untrusted." They may even use all caps, boldface, and exclamation points to emphasize the danger. Some users, no doubt, wisely click "get me out of here" or "click here to close this webpage." Historically, however, most users hastily click "I know the risks," "continue anyway," or "yeah, yeah, whatever, just take me to my site, you dumb browser." Any security tool that can be entirely overruled by one casual click from an average user has problems.
One cannot lay all the blame for SSL failures on SSL itself -- it may be flawed applications and implementations that are truly at fault. The poster child for this is Heartbleed, which is actually a flaw in the OpenSSL library, not in the SSL protocol or its algorithms. But who cares? Users will be less concerned with where to point the finger and more concerned about the fact that Heartbleed exposes SSL to man-in-the-middle attacks -- the very thing SSL is supposed to prevent.
SSL is becoming more popular among attackers as a way to hide their tracks. For example, a report released by Palo Alto Networks last month showed that some ZeuS variants use SSL to hide command-and-control traffic and sneak it past security tools. They also found that POSRAM (the BlackPOS variant behind the Target breach) used SSL to move stolen data around before exfiltrating it over FTP.
SSL will create a secure connection between a user and a website, to ensure that the user is indeed communicating with the site, and not a malicious man in the middle. What SSL won't do is ensure that the website itself isn't malicious to begin with.
Although criminal groups might be wary of giving certificate authorities their true identities, they could set up a front business for the purpose of buying an SSL cert for their phishing site. They could even get an EV-SSL certificate (because the "extended validation" process isn't all that extensive). Most users see the "https" and the green browser window and assume that they're safe... but there's no guarantee.
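The weak-signature point above (SHA-1 and MD5 certs still in circulation) is something an operator can audit directly on the certificates their own servers present. The following is an added example, not code from the article: a dependency-free DER walker in Python that reads a certificate's outer signatureAlgorithm OID and flags MD5- and SHA-1-based algorithms. The two certificates it checks are constructed skeletons carrying only the fields the check reads, not real-world certs.

```python
WEAK_SIG_OIDS = {                    # signature algorithms built on MD5 or SHA-1
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm, the 2nd element of the
    outer SEQUENCE (tbsCertificate, signatureAlgorithm, signatureValue)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)                   # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)              # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def weak_signature(cert_der):
    """Name of the weak algorithm, or None. Caveat: a self-signed trust anchor's
    own signature is never verified, so this matters for leaf/intermediate certs."""
    return WEAK_SIG_OIDS.get(signature_algorithm(cert_der))

# Constructed sample certificates (skeletons, not real): only the fields this
# check inspects are present. OIDs are pre-encoded DER (tag 0x06, length 9).
def _der(tag, content):              # short-form length encoder, samples only
    return bytes([tag, len(content)]) + content
def build_sample(sig_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))            # stand-in tbsCertificate
    alg = _der(0x30, sig_oid_der + b"\x05\x00")      # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAB" * 4))
LEGACY_CERT = build_sample(bytes.fromhex("06092A864886F70D010105"))  # sha1WithRSA
MODERN_CERT = build_sample(bytes.fromhex("06092A864886F70D01010B"))  # sha256WithRSA
```

To audit a real certificate, pass the raw bytes of a DER (.cer) file to weak_signature(); for PEM input, base64-decode the body between the BEGIN/END lines first.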
Remember SSLStrip? Remember THC-SSL-DOS? Remember when DigiNotar was breached by attackers who issued more than 500 counterfeit SSL certs? That's just a few of the successful hacks that have already ruptured the system that so much Internet security depends upon... and there will be more.
Then again, none of this would be a problem if we simply didn't expect so much from SSL and rely upon it so heavily. So maybe SSL isn't the problem. Maybe we are.