Quotulatiousness

April 11, 2011

SSL is “just an illusion of security”

Filed under: Technology — Tags: , , , , — Nicholas @ 10:09

SSL (Secure Sockets Layer) is critically important to safe communications on the internet. It may also be “hopelessly broken“:

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It’s hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

“Right now, it’s just an illusion of security,” said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.”

Although SSL’s vulnerabilities are worrying, critics have reserved their most biting assessments for the business practices of Comodo, VeriSign, GoDaddy and the other so-called certificate authorities, known as CAs for short. Once their root certificates are included in Internet Explorer, Firefox and other major browsers, they can’t be removed without creating disruptions on huge swaths of the internet.

2 Comments

  1. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.”

    One could say the same about the deadbolt on my front door. Proof against the casual passer-by, barrier to a thief, bump in the road to a cop with a door breaker.

    Could be better, but it’s better than nothing.

    critics have reserved their most biting assessments for the business practices of Comodo, VeriSign, GoDaddy and the other so-called certificate authorities,

    Yeah, that chafes my hide every time I have to deal with SSL on my servers. I can self-sign a cert – anyone can – and it means about as much as if VeriSign does it.

    More perhaps, as it signals ‘I am thrifty and know what I’m doing and don’t want to waste money on krep’.

    But any visitors will get worrisome errors when they try to use SSL. Which turns them off and will keep them from coming back.

    Comment by Brian Dunbar — April 11, 2011 @ 11:48

  2. But any visitors will get worrisome errors when they try to use SSL. Which turns them off and will keep them from coming back.

    Yep. Even a 404 page will turn away the majority of people, never to return. And it’s unreasonable to expect them to educate themselves on the current state of the web (I’ve dealt with software developers who were nearly as naive about things outside their specific areas of concern as your great-aunt Maggie is about that there interwebby thing you want her to try out).

    Comment by Nicholas — April 11, 2011 @ 13:41

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress