After all, you don’t have to use it.
Recently a leading expert was interviewed on topics involving data security and SSL. I feel that some of the statements made in that interview are misleading and need a little clarification (inline).
We’ve also seen Secure Sockets Layer (SSL) come under attack, and some experts are saying it is useless. Do you agree?
I’m not convinced that SSL has a problem. After all, you don’t have to use it.
WTF? Maybe this is out of context.
If I log-on to Amazon without SSL the company will still take my money.
No, I just tested it. Amazon will not let you log in without https. Good for them!
The problem SSL solves is the man-in-the-middle attack with someone eavesdropping on the line.
A MitM attack is different from passive eavesdropping. If you only needed to defend against a passive eavesdropper, you could do that with anonymous cryptography, and you wouldn’t need the expense and complexity of maintaining PKI and the whole Certificate Authority industry. SSL/TLS is intended to provide protection from both kinds of attack.
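The difference between the two threat models, as an added example that is not part of the original post: a toy anonymous Diffie-Hellman exchange that holds up against an observer but not against someone substituting values in transit, until the client checks the server's public value against a trusted binding. The group parameters, the function names and the pinned fingerprint standing in for a CA-signed certificate are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) for one Diffie-Hellman party."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, peer_pub):
    """Session key derived from my private value and the peer's public value."""
    secret = pow(peer_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    """Hash of a public value; stands in for a certificate binding (assumption)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def exchange(tamper, authenticated):
    """Simulate one Alice-to-Bob exchange, entirely in-process.

    tamper:        an active party in the middle swaps in her own public value.
    authenticated: Alice learned Bob's fingerprint over a trusted channel
                   (the job PKI does) and checks what she receives against it.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()            # the party in the middle
    trusted_fp = fingerprint(b_pub) if authenticated else None

    seen_by_alice = m_pub if tamper else b_pub
    seen_by_bob = m_pub if tamper else a_pub

    # Without this check Alice cannot tell Bob's value from a substitute.
    if trusted_fp is not None and fingerprint(seen_by_alice) != trusted_fp:
        return {"status": "rejected"}

    k_alice = shared_key(a_priv, seen_by_alice)
    k_bob = shared_key(b_priv, seen_by_bob)
    return {
        "status": "accepted",
        "endpoints_agree": k_alice == k_bob,
        # An observer holds only public values, so this stays False when passive.
        "middle_shares_alice_key": shared_key(m_priv, a_pub) == k_alice,
    }
```

Only Alice authenticates Bob here, which mirrors the common server-authenticated TLS deployment; the fingerprint check is the single step that anonymous key exchange lacks.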
But I’m not convinced that’s the most serious problem. If someone wants your financial data they’ll hack the server holding it, rather than deal with SSL.
Just because something isn’t the most serious problem in one scenario doesn’t mean it’s not a critical factor in the security equation. It may even be the most serious problem in some other scenario. SSL generally does its job much better than other components of the system, but that doesn’t mean problems with it should be tolerated.
But doesn’t SSL give consumers confidence to shop online, and thus spur e-commerce?
Well up to a point, but if you wanted to give consumers confidence you could just put a big red button on the site saying ‘You’re safe’. SSL doesn’t matter. It’s all in the database. We’ve got the threat the wrong way round. It’s not someone eavesdropping on Eve that’s the problem, it’s someone hacking Eve’s endpoint.
There’s the old joke about the two hunters running from a bear. (In case you haven’t heard it, one of them notes with irony that the race is between the two of them, rather than between them and the bear.) While this is an insightful analogy in many situations, the analogy only holds when there is only one bear who will be satisfied after only one target. This is certainly not the case in data security where there is likely more than one attacker who likely has more than one objective.
When are we going to get past this skewed view that data security only has to do with e-commerce web servers and their databases? Sure, it’s a common and important scenario, but it’s not the defining scenario for any core internet protocol. Without a solid library of primitive operations that deliver on their stated guarantees, it’s just not possible to build the larger and more complex systems securely.
What about how mail servers talk to each other? What about how B2B data exchange systems work? How do these endpoint systems receive their software patches and anti-malware updates? How do electronic voting machines transmit their results? All of these systems and many more can use SSL/TLS as an integral part of their security architecture.
We mustn’t dismiss the critical importance of SSL/TLS simply because web apps are prone to SQL injections and users don’t seem to be able to type “https” consistently. Some systems actually do have careful and competent designers and are deployed and managed by careful and competent admins. We need to hold the highest standards for core protocols like SSL/TLS, because if these people can’t build secure systems on top of them, what hope does anyone else have?