Information Security and Network Awareness

Hurricane Labs




SSL Is NOT Your Friend -- or Is It?

SSL is fast and getting faster all the time

Folks who know me know one thing about me for certain: I am a conflicted individual. On the one hand I detest encryption as a security mechanism, and on the other I LOVE encryption as a privacy mechanism. In the same day, nay, sometimes in the same hour, I can argue for and against SSL, and sometimes to the same person! I guess it helps to be able to hold conflicting opinions on things, but it gets confusing, so I thought I'd do a quick post on why SSL is both good and bad. Away we go:

SSL should never be used as a security mechanism on its own. Unfortunately, the traditional uses often do exactly that, but it is simply not designed for it. When you read on a website "our site is 100% secure because we use industry grade encryption," know that you are reading a falsehood. This is something that has spread throughout the web like a cold spreads through a preschool. It is simply untrue that encrypting something makes it secure. Stop the madness!

Various implementations of SSL have had some pretty nasty vulnerabilities, but so has all software. I list it as a con anyway because few people understand what the traditional use of SSL is for, so they lack a basic understanding of how severe an exploit of it can be. This usually means that patching gets pushed off, as does proper configuration (weak ciphers, anyone?), so I file this con under 'user education'. SSL users need to be more involved and get a better understanding of this thing they're using, but the same can be said of a lot of technologies.
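The "weak ciphers" remark above is the kind of configuration problem that is easy to show side by side. The following is an added example, not part of the original post and not Hurricane Labs' own configuration: two nginx TLS server blocks, the first permissive in the way a forgotten default often is, the second restricted to TLS 1.2/1.3 and forward-secret AEAD suites. The hostname and certificate paths are placeholders.

```nginx
# --- Weak configuration (what "patching and configuration got pushed off" looks like) ---
server {
    listen 443 ssl;
    server_name www.example.com;                              # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;       # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;     # placeholder path

    # Legacy protocol versions left enabled. Modern OpenSSL builds refuse SSLv3
    # regardless of this line, but TLS 1.0/1.1 are still accepted if listed.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # "Everything except anonymous suites": whatever the linked OpenSSL still
    # offers, including legacy CBC suites and static-RSA key exchange with no
    # forward secrecy. A recorded session can be decrypted later if the private
    # key ever leaks.
    ssl_ciphers ALL:!aNULL;
    ssl_prefer_server_ciphers off;
}

# --- Hardened configuration ---
server {
    listen 443 ssl;
    server_name www.example.com;                              # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;       # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;     # placeholder path

    # Only protocol versions without known downgrade/CBC-padding weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 list: ECDHE key exchange (forward secrecy) with AEAD ciphers only.
    # TLS 1.3 suites are fixed by OpenSSL and are not controlled by this directive.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # With a list this small, letting the client pick (e.g. ChaCha20 on devices
    # without AES hardware) costs nothing in security.
    ssl_prefer_server_ciphers off;

    # Tell returning browsers never to fall back to plain HTTP for this host.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

After reloading nginx, confirm the change from the outside rather than trusting the file: a TLS scanner, or `openssl s_client -connect www.example.com:443 -tls1` (placeholder host), should now fail to negotiate TLS 1.0, and the negotiated suite for a TLS 1.2 client should be one of the ECDHE suites listed.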

One of the biggest and least discussed cons of SSL is the fact that it is encrypted. If someone is attacking your site via SSL and that's the only security mechanism you're using, you won't likely detect that attack with a network IDS, etc. Only after the fact would you detect the attack. This is one of the best examples there is of the need to defend "in depth". I list it as a con of SSL only if you're convinced that encrypting your traffic secures it. In this scenario SSL is doing its job.

SSL, and really all encryption, has its proper place, mostly as a privacy mechanism. Basically, I present to you a certificate that says I am who I say I am, and a "neutral" third party says "yes, yes, he is who he says he is". Then we proceed to have a private chat or exchange of some type. All things in their proper place, and this is the proper place for SSL. It is for privacy of communication, not really the security of that communication.

SSL is fast and getting faster all the time. This means that encrypting your private data comes with a smaller performance hit than it did in the past.

It is the right thing to do with private transactions and messages. Privacy is a good thing despite what you keep reading about Facebook.

Just to head off the commenters who say "but but but what about authentication and certificates, etc.", this post is only dealing with the traditional "front door" SSL used on banking websites, login forms, etc. I know a lot of my security professional friends are saying "duh Bill, we know this," but this is based on several conversations I've had with clients THIS WEEK, and it's only Wednesday! The confusion about the correct operational use of SSL is still out there.

EDIT: Just one other note I wanted to add. If you are going to use SSL for its correct benefits, then understand this important point. You are establishing a pact with your users, a pact that says "this is just between you and me and no one else." The implication of such a pact is that you keep up your end of the bargain. So don't use self-signed certificates or let your certificates expire. This will lead your users to believe you are violating the pact they have with you, and you are.



Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.