Flaws In SSL Encryption?
Monday, August 3, 2009 7:00

Secure Sockets Layer (SSL) is used on the internet to encrypt connections to sites such as e-commerce and banking sites. Almost everyone has used and seen these sites. They have “https” at the beginning of the website URL along with a little padlock symbol that is usually found on the lower right-hand side of your web browser. If you click on the padlock icon, it will open up and give you information regarding the encryption method and the encryption certificate. The purpose of SSL is to keep your information confidential while it is being transmitted over the internet from your browser to the website.
SSL has been known to be vulnerable to some types of what are called “man-in-the-middle attacks,” which occur when an attacker places himself between a user and a server, or between two servers. This allows the attacker to intercept information and to insert other information as it is being communicated across the network. What appears to be a secure exchange of information is not. Also, researchers have recently found other attack methods, such as an attacker creating his own certificate authority, which would allow him to issue phony SSL certificates.
Recently, there has been some discussion about flaws in software that uses SSL encryption. The attack method described above allows the attacker to gain access to secure information traveling from a web browser to websites and back again. The new attack method involves certificates that contain what is called a null character. In a lot of cases, the null character in the certificate stops the software from reading beyond it. For example, if an attacker created a certificate starting with ebay.com\0 (where \0 is the null character) followed by his own site, such as businesssecurityinformation.com, there is a good chance software such as web browsers, e-mail clients, VPNs and other similar types of software would see it as an eBay SSL certificate. The software would then think it is connected to a secure site, which would in turn allow the attacker to collect sensitive information. As of this writing, the only web browser that has been found to address the null termination certificate issue is Firefox 3.5. I would suspect that in the near future other web browsers will also address this vulnerability.
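The reason the null character fools so much software is that a certificate name is stored with an explicit length, but C-string functions such as strcmp stop at the first zero byte. The added example below (not code from the original post or from any browser) contrasts a naive C-string comparison with a length-aware check that rejects embedded null bytes; the sample name is constructed from the post's own ebay.com\0businesssecurityinformation.com example, and cn_matches_naive/cn_matches_safe are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a certificate Common Name as it sits in the ASN.1
 * structure, where the length (40 bytes) is carried separately from the
 * bytes. The embedded NUL after "ebay.com" is the flaw described above. */
static const unsigned char SAMPLE_CN[] = "ebay.com\0businesssecurityinformation.com";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* 8 + 1 + 31 = 40 */

/* Vulnerable check: treats the name as a NUL-terminated C string, so
 * strcmp never sees the bytes after the embedded NUL and reports a match
 * for "ebay.com" even though the name is 40 bytes long. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* the declared length is ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: uses the declared length for every decision.
 * 1. Any NUL inside the declared length is invalid in a hostname: reject.
 * 2. The declared length must equal the expected hostname length.
 * 3. Compare every byte with memcmp, which does not stop at NUL. */
int cn_matches_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != strlen(host))
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    /* Expected: naive accepts the forged name (1), safe rejects it (0). */
    printf("naive check: %d\n", cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, "ebay.com"));
    printf("safe check : %d\n", cn_matches_safe(SAMPLE_CN, SAMPLE_CN_LEN, "ebay.com"));
    /* A genuine 8-byte name still passes the hardened check (1). */
    printf("genuine    : %d\n", cn_matches_safe((const unsigned char *)"ebay.com", 8, "ebay.com"));
    return 0;
}
```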
Most SSL security issues are related to how SSL is implemented or how other software interacts with SSL. The SSL encryption method itself has not been broken or cracked as of this writing. Some software still uses old encryption methods that are insecure, such as MD2. This is basically a software issue and not an SSL issue.
Most of the vulnerabilities noted will require software changes and changes in how SSL certificates are issued. Even then, in time, security will need to be modified. Bottom line: you do not need to understand all the different types of encryption and attack methods, just know that no form of security can give you one hundred percent protection. Security is a continuous process, and you must continually keep up with security issues. This website can assist you with keeping current on security issues and can also help you make informed decisions regarding needed security changes.