Even Before Heartbleed, Improper Use of SSL Put Users at Risk
The biggest news in the IT security world this week is the Heartbleed vulnerability that was first publicly disclosed on April 7. It's a flaw that impacts hundreds of millions of users because it's embedded within OpenSSL, an open-source cryptographic library used for Secure Sockets Layer (SSL) encryption on Websites.
Not to diminish the importance of the Heartbleed flaw (which should be patched immediately), but the truth of the matter is that most Websites don't use SSL properly to begin with, and neither do many end users.
Have you ever visited a Website and gotten an SSL warning? Many of us have, whether it's a corporate Website or otherwise, and the typical behavior is that users just click through.
SSL warnings can show up in browsers to alert users of any number of issues, ranging from the use of a self-signed SSL certificate to a revoked certificate. The SSL certificate is the digital document that asserts ownership and integrity. An SSL certificate can be acquired from a certificate authority (CA), or it can be self-signed. If you click through an SSL warning to get access to a Website or service, you could well be invalidating the security that SSL aims to deliver to you.
In a perfect scenario, when you deploy SSL, the connection is encrypted from end to end; attackers can't spoof or spy; users get what they want; and everyone is happy, safe and secure. But the reality is that the perfect scenario is not the majority use case for SSL deployments today.
According to the latest SSL Pulse statistics for April 5 (which is before the Heartbleed flaw became public), only 25.3 percent of sites scanned for SSL were actually deploying it correctly.
There are all manner of server-side implementation issues for proper SSL deployment, including proper protocol support and cipher strength configuration, that are often overlooked by server administrators.
Also often overlooked is the use of HTTP Strict Transport Security (HSTS), which makes sure that end users only connect to a given site over SSL. Without HSTS, an attacker could potentially trick a user into visiting a non-SSL version of a site.
The other basic Web security issue that I commonly see overlooked is the use of secure cookies. Cookies are widely used on the Web today for authentication. If a cookie is sent unencrypted over the Internet, it doesn't matter if a site is at risk from Heartbleed or not; that cookie can be intercepted and read. Many Website developers fail to properly secure their cookies with the "secure flag," which is easy to set and restricts the cookie to SSL-encrypted transport.
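As an added illustration (not part of the original article), the Python sketch below audits a site's HTTPS response headers for the two gaps just described: a missing or disabled HSTS policy and cookies set without the Secure flag. The function names and the sample headers are constructed for this example.

```python
def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def cookie_attrs(value):
    """Split a Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = value.split(";")
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p.strip()}
    return name, attrs

def audit(headers):
    """headers: list of (name, value) pairs from an HTTPS response. Returns findings."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("hsts: header missing")
    else:
        max_age = parse_hsts(hsts[0])  # browsers honor only the first HSTS header
        if max_age is None:
            findings.append("hsts: no valid max-age")
        elif max_age == 0:
            findings.append("hsts: max-age=0 disables the policy")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: Secure flag missing")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp) or "ok")
```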
So, yes, server administrators and end users should be concerned about Heartbleed, but more importantly, we should all be concerned about ensuring that encryption and SSL are properly implemented on servers and Web applications in the first place.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.