SSL and the Internet: Where is it all going wrong?
Making sure that a web site is installed, configured and working correctly can be a daunting job for even the most experienced IT security professional. One of the most important security protocols for each and every business operating on the Internet is the Secure Sockets Layer (SSL).
SSL is known as “the security backbone of the internet,” as it is a security protocol that protects web sites by enabling encryption of sensitive information during online transactions. While it is a valuable protocol, implementations can have issues, including problems with configurations and certificate validations, which render SSL invalid, jeopardizing security.
Research completed throughout the past year studying about 120 million registered domain names reveals the many failings when it comes to SSL security and calls into question how this vital protocol has been overlooked in recent years, By looking at the state of its current use, we can learn about common mistakes, and make recommendations on what security practitioners should do in the future to best utilize this protocol.
Falling at the first hurdle
Whilst SSL is widely regarded and acknowledged as being one of the most fundamental security protocols, our research revealed that only a tiny portion of all sites actually use SSL, and of these only 70 percent of certificates were valid. When you bear in mind how many domain names are out there on the Internet, this provides alarming insight into the basic security principles that people are simply ignoring or not taking in to account. For businesses that operate online, this could cause a major breach of security as research has shown that even if a security warning appears on the screen, more often than not, an end user is likely to ignore it.
When accessing an insecure network, the user runs the risk of being exposed to potentially harmful security breaches calling into question the sites’ validity – which could negatively impact the company’s reputation. Our research showed that the majority of the certificates failing validation only did so because they had expired. This is an easily rectified problem, but is one that still manages to slip under the radar of those monitoring the network security.
Self harming – Using what you know to be bad
If you are going to use SSL, it makes sense to implement the most secure version available to ensure maximum safety when online. However, half of all trusted servers analyzed are instead supporting the SSLv2 protocol, which has been known for the past 14 years to be highly insecure. This flawed protocol offers little in the way of protecting the network, and it can actually invalidate a company’s PCI compliance. Whilst many modern web browsers now won’t use SSLv2, instead choosing to use the stronger, more robust and recommended, SSLv3 or TLSv1 (Transport Layer Security) protocols, its continued wide usage demonstrates further how neglected SSL security has become to the IT security/network manager.
Configure it out
Making sure that you are using SSL, or even using the correct versions, does not necessarily ensure that you are well protected and fully utilizing the protocol. Most sites fail at the configuration stage. The research showed that only 38 percent of SSL sites analyzed are configured correctly, which means that the rest—almost two thirds—are potentially insecure. The configuration of SSL is very straight-forward and could take less than an hour to do properly. The pulls into question again how seriously managers take into consideration SSL security and if the proper level of training is being implemented within an organization.
On the bright side
It’s not all bad news though. There are web sites with fully deployed and functional SSL protocols in place, using keys of sufficient sizes and ciphers that are strong. This is encouraging news, as it shows that when the protocol is given the right level of attention and is correctly configured, it can provide the high level of security as it was designed to provide.
Learning points
Whilst all sites should have SSL in place, the research has shown that many have not undertaken the correct steps to ensure maximum security of this very basic protocol. We feel that a better understanding and industry awareness is needed to raise the number of correctly used SSL certificates in place. If a company does have poor SSL, this can indicate a company’s weak security stance and could call into question whether they are also poor in other areas of their security procedures. This could also act as an indicator of weakness to hackers and subsequently lead to exposing the web site for other security breaches. SSL is one area where people can really make a difference and do things properly. We as an industry need to take things right back to basics and start fixing this element. It is only then that we can truly move forward and secure the rest of the network.