Improper configuration is rendering SSL nearly useless as organizations are transmitting sensitive information online without any security.
Security researchers are
buzzing about the flaws in the Secure Sockets Layer system and the fact that a
significant portion of the Internet is vulnerable to attack. At the recent
Black Hat security conference in Las Vegas, there were several reports and panels
addressing various issues.
Based on the PKI (public key
infrastructure), the SSL protocol has grown "organically" to become
nearly ubiquitous within the world's largest organizations to keep Internet
communications secure, Jeff Hudson, CEO of Venafi, told eWEEK.
However, less than a fifth
of Websites claiming to have SSL deployed correctly redirect traffic, according
to a report released by Qualys at Black Hat. Of the nearly 250,000 sites with
SSL turned on that were surveyed, only 51,000 were properly redirecting to SSL
for authentication, according to the report from the Qualys community project,
SSL Labs. The remaining 80 percent of the sites may or may not redirect to SSL,
making them vulnerable to a man-in-the middle attack from Firesheep and other
Overall, there has not been
a lot of improvement worldwide in how SSL has been deployed over the past few
years, Philippe Courtot, chairman and CEO of Qualys, told eWEEK.
Organizations are just rolling out SSL servers and not
taking the time to ensure the servers are properly configured, the report
Courtot declined to specify
any of the offenders, noting that the problem was widespread.
There were a number of
configuration flaws, including the use of insecure cookies and mixing unsecure
traffic with secured traffic on the same page. Websites using SSL have to
redirect to SSL immediately, instead of encrypting only a portion of the page,
as that opens the user to session hijacking attacks, Courtot said.
When users see a padlock on
the Web browser or some other form of visual notification that the site has SSL
deployed, they expect their log-in credentials are protected, Courtot said.
However, it turns out many organizations made a conscious choice not to use SSL
in authentication despite rolling out the security protocol, researchers found.
Nearly 70 percent of the surveyed servers handled the log-in process in plain text,
and a little over half the servers were transmitting passwords as plain text,
making it easy for a malicious attacker to intercept the sensitive information,
according to the report.
This is actually a
significant problem in the mobile space, according to Julien Sobrier, a senior
security researcher at Zscaler. There is no "UI element equivalent to the
lock" on mobile browsers and no visibility into the URLs to tell if the
traffic is going over HTTP and HTTPS, Sobrier wrote Aug. 11 on the
Zscaler Research Labs
learned the hard way that just having SSL on a Website doesn't keep data
secure, as attackers exploited a weakness in the SSL connection on the
financial giant's credit card Website and the Web browser to intercept
sensitive information, Rainer Enders, CTO of NCP Engineering, told eWEEK.
While some companies, such
as Google and Twitter, have taken steps to protect users by implementing HTTPS,
all Websites where users log in should be encrypting traffic, as well as
requiring HTTPS for all requests sent with a cookie, Sobrier said.
Qualys looked at how sites
secured cookies and found that only six percent had properly configured session
cookies, the report found. Even if the Websites are 100 percent encrypted, if
the developer doesn't set a secure flag on the session cookies from within the
application, a malicious third-party can sniff the contents of that cookie.
This technique is very commonly used to force the browser to display session
values stored on the insecure cookie.
Authenticity is important in
the SSL system because it ensures that users are talking to the entity they
intended to and that no one is listening, Chester Wisniewski, senior security
advisor at Sophos, wrote on the
Naked Security blog
. The way the current system is set up, every major
government in the world and many minor ones have the ability to sign any
certificate they wish, Wisniewski said, speculating that the Department of
Homeland Security could probably get a certificate claiming to be Google.
presented an alternative system that bypasses certificate
authorities and relies on a series of trusted notaries selected by the user, as
opposed to relying on the 600 or so certificate authorities accepted by major
"CAs can be compromised
and that major damage can result from related man-in-the-middle attacks,"
Hudson said, adding that Marlinspike's presentation should be a "wake-up
call for better security and management of PKI and SSL."
NCP Engineering also
released a white paper at Black Hat discussing "endemic
vulnerabilities" in SSL, and by extension, SSL VPNs, which organizations
often use to secure remote connections to the corporate severs. Enders said
organizations should not just rely on SSL alone, but should layer it with IPSec
to cover security weaknesses present in both technologies.
Qualys researchers also
looked at how many sites were using HTTP Strict Transport Security, which
defends against cookie-forcing attacks and Extended Validation SSL certificates
in conjunction with standard SSL. The numbers were disheartening, as only 80
sites used HSTS and nine used EV SSL, Courtot said.