22 August 2016

SSL is mostly just a false sense of security

Unless you live in a cave somewhere, you’ll be aware that SSL (and by extension TLS) has had a rough life. For a start, there has been a long series of critical flaws in the various incarnations of the protocol, as well as the common implementations, like OpenSSL.

However, it doesn’t stop there. Even on the rare occasions where we are passing through the eye of the storm, and there are no known protocol and implementation flaws, SSL still consistently fails to offer any kind of real-world security due to the way it has been configured. Being as it is, complex and fiddly, there are literally dozens of bad choices that can be made when selecting SSL features at development or configuration time. And what’s worse, many common products are shipped with insecure features enabled by default, or a quick look through their support forums will show recommended settings that actively disable key parts of the SSL security model.

For example, one of those key components is the way that SSL uses certificates to authenticate one or both ends of a connection. Now, assuming the trust model with the certificate authority isn’t compromised in some way (which happens far too frequently) each end of the connection will use the certificate to ensure that it is communicating with who it intends. That is of course if the developer or systems administrator didn’t switch this functionality off because it was fiddly to make work reliably. Ooops.

The truth of the matter is that with certificate validation switched off, SSL is pretty much worthless, as anyone who can eavesdrop on your connection can now also use a man-in-the-middle approach to gain access to the data inside.

How much of a problem are misconfigurations really? A couple of stats for you:

  • as of today, the Trustworthy Internet Movement shows that of the top 1m web sites, 57% have inadequate SSL security [1], most of which is down to misconfiguration; 
  • a google search for “disable ssl certificate check” shows 500k hits from sysadmins and developers busily looking for ways to switch the functionality off [2].

The truth of the matter is that the biggest threat to your SSL isn’t a bunch of faceless hackers, but is instead sitting right now in your IT department. And what’s worse is that you probably think they’re doing a great job.

References


  1. https://www.trustworthyinternet.org/ssl-pulse/
  2. https://www.google.co.uk/search?q=disable+ssl+certificate+check

No comments:
Subscribe to: Posts (Atom)