Web Encryption That Works

SSL technology isn't perfect, but it can be an effective security tool for your organization. Here are four tips for optimizing its performance
Avoid Mixed Content

Mixed content is when companies use SSL on one page within a website but serve up content on that page that isn't SSL-protected. That introduces gaps that can be exploited. Attackers can intercept unencrypted content and alter it for their purposes. If the unencrypted portion of the site can run scripts, hackers can carry out dangerous attacks, such as DNS poisoning attempts in which website traffic is diverted to the attackers' site.

Any time you have an SSL-secured HTTPS connection, you shouldn't have content pulled in from other places on your domain that is sent only over unprotected HTTP, says Nicholas Percoco, senior VP at Trustwave's SpiderLabs research division. "You want to make sure that all pages are over SSL and are tested," he says.

Similarly, make sure that all forms you have customers and other users submit use SSL, so that if, say, a customer clicks into a "Contact Us" link in the middle of an e-commerce transaction, there won't be a warning saying, "Part of the Web page you're browsing is unencrypted."

The mixed content issue is particularly a problem with Extended Validation SSL certificates, Trzupek says. EV SSL certificates are a level up from regular, and more commonly used, Domain Validation SSL certificates, which ask for minimal validation that you are the person who owns the rights to the domain to be secured by the SSL certificate. EV SSL certs cost more and require an extensive application process for site owners to prove they are who they say they are. Sites using EV SSL certificates have a green bar that shows up on their browser address bars to indicate they're EV SSL-protected. Regular Domain Validation SSL is indicated by a padlock.

If you put an EV certificate on a site and then include a JavaScript resource that's just SSL secured, that's going to downgrade the browser experience to normal SSL, Trzupek says. "A lot of organizations ... buy a wonderful EV certificate, put it on their marquee brand website, and the bar ain't turning green, and they can't figure out why."

Many certificate authorities have lowered prices on additional EV certificates once a company initially buys into EV SSL in order to lower the cost of deploying EV certificates across a site, Trzupek says. But it remains a problem because many website operators don't know to watch out for mixed content.

Vigilance is really the only way around the mixed content problem. Companies must have in place an extensive testing and quality-assurance process that ensures that mixed content isn't allowed in site and app development.

Tim Moses, director of advanced security at Entrust, typically sees two kinds of customers buying certificates today: First are those who want the marketing boost that comes from the trust indicator--either the green bar or the padlock--"and they'll do whatever it takes to get that indicator," he says. "And then there are the other site operators who really take their end users seriously and do whatever they can to protect them against attack."

So which is your company? If it's only after the marketing boost, be aware that just buying EV certificates won't fully secure your website. You must also consider how your SSL servers are configured, how keys are managed, how certificates are purchased and managed, and whether your site serves up mixed content. These steps are essential to taking control of your company's Web encryption.


Tim Moses, a director at the encryption vendor Entrust and chairman of the standards-setting Certificate Authority/Browser Forum, offers these missteps to watch for.

1. Unpatched servers, particularly on high-traffic sites.

2. Sensitive scripts and forms hosted on unsecured pages. Login pages, in particular, that aren't protected by SSL are vulnerable because they include user names and passwords.

3. Weak cipher suites that don't include the most up-to-date encryption technology.

4. Unsecure handling of private keys, including the use of email to share them among system administrators.

5. Serving secure and unsecure content on the same Web pages, letting attackers easily inject content.

6. Expired or otherwise invalid SSL certificates, since they can train people to ignore warnings.

7. Using domain validation certificates for e-commerce sites, rather than more secure extended validation certificates.

8. Having a certificate for www.example .com, but not, which users might type in instead.

9. Not ensuring that cookies are secured.

10. Copying keys and certificates to multiple servers, losing track of their location, and failing to anticipate expiration.