Is SSL Still Safe?

September 12, 2011 Chris Fairey

SSL (Secure Socket Layer), the technology that protects everything from your online banking activities, to all your purchases on Amazon or the iTunes store has come under fire recently thanks to the actions of a small group of individuals who claim to have broken into the servers that issue the certificates that websites use to prove to you that you are indeed visiting the real one and not one set up by an identity theif.

Why is This a Problem?

Given what the websites that use SSL are asking you to provide them (Internet Banking usernames and passwords, credit card details, etc.) the ability of your browser, and to a certain extent, you to verify that the website you are visiting is authentic is vitally important.

However, if someone, who has nothing to do with your bank, was able to request a certificate for the address of your bank's online banking system, and attach it to one of their servers,  then direct your requests for your banks online banking website to that server, your browser would tell you that you were in fact visiting the actual banking website.

There are supposed to be security measures in place to prevent this from happening, but it would seem that a few of the organisations that provide SSL certificates, known as Certificate Authorities, have been convinced to sign certificates and give them to individuals who have nothing to do with the organisations that own the domains they were requested for.

What Can be Done About It?

Google and the Mozilla Foundation (who develops the Firefox web browser) have already taken steps to remove the compromised Certificate Authorities from their browsers, and I believe that Microsoft is either in the process of, or has already done the same to Internet Explorer. The Mozilla Foundation has even gone so far as to issue a demand that all remaining Certificate Authorities conduct an immediate audit of their security or risk being removed from Firefox.

The main problem with this approach is that it makes all websites that own certificates signed by the affected Certificate Authorities produce a warning message whenever your browser accesses a secure area, as the browser is unable to verify the authenticity of the website. Given that web users are not normally used to seeing such warnings, I believe that this approach will have a severe impact on the affected businesses.

An Alternative

There is however an alternative solution being developed by Moxie Marlinspike (@moxie__ on Twitter), Convergence.io, that aims to move the responsibility for verifying authenticity and trust from centralised databases, into the hands of individual users, through the use of both a Firefox plugin and a collection of Notary Servers operated by individuals who wish to be involved in attesting to the authenticity of websites that people visit.

I believe that, given the breakdown of trust between browser developers and established Certificate Authorities, a system that lets users decide who they do and do not trust is the only way forward.

Leave a Reply

Your email address will not be published. Required fields are marked *

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram