The fallacy of Secure Sockets Layer (SSL) -- it's something not many people talk about but in reality it has skewed our view of Web security. So, just how secure are our Web sites and e-commerce applications? Well, if you use SSL, according to popular belief, your Web site and its data are indeed secure.
We see bold statements on Web site privacy/security policies, like "This Web site is secured by 128-bit encryption." Or, there may even be a graphical link to a certificate authority further "proving" that Web security is taken seriously.
Is it just me, or does it seem like the marketing machine is, yet again, leading consumers and business professionals to believe that everything is safe online as long as data in transit is encrypted and you have some assurance that the Web site you're connecting to is who it claims to be?
But it shouldn't stop there. Interestingly, I often get the same story from developers, DBAs and others involved in Web security: "We use SSL -- it's how we secure our site and our data. It's how we stay compliant and out of trouble too."
Saying a Web site is secure because SSL is being used is like the old argument that a firewall is all that's needed to protect the network from the Internet. It's not quite that simple.
You can claim the benefits of protecting data in transit and preventing authentication exploits when using SSL. Put SSL in place on your Web site and you can, for the most part, say bye-bye to phishing attacks and rogue users performing ARP poisoning and sniffing traffic. These benefits do lead to greater Web security but are in no way, shape or form indicative of a secure Web site or that sensitive information is being adequately protected start to finish.
The real dangers are the Web servers and applications and database weakness after data is transmitted. Some examples are:
- Weak login mechanisms
- URL manipulation
- Command execution
- SQL injection
- Cross-site scripting
- Directory traversals
- Buffer overflows
- Developer comments
- Missing patches
The irony is that all of these weaknesses can be carried out by the bad guys using a safe and secure SSL tunnel.
If your organization is claiming security via SSL on its Web site or if you're doing business with an organization that relies solely on SSL for full Web-related security, it may be time to start probing further. Ask tough questions, such as when was the last time a penetration test or source code analysis was performed.
Remember that SSL is working as designed. The new Extended Validation Certificates add some more reassurance to Web users that the site is legit, but that's not the point. The true vulnerabilities are with data at rest -- not data in transit. It's at rest nearly 100% of the time -- where it's usually the easiest to access.
With all the weak technical controls, poorly written applications and flawed business processes behind the scenes, using SSL creates a false sense of online Web security. Don't fall for the hype. Instead, start focusing on where it counts.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio books providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.