Slashdot Mirror
SSL Still Mostly Misunderstood, Even By the Pros
An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"
What is SSL anyway?
Who proofreads these article submissions, anyway? Does anyone?
If you want to write a pretentious article about how people don't understand security of the interwebs, at least get the name right. That's right, SSL hasn't been considered "secure" for at least a decade.
How we know is more important than what we know.
"browser vendors unable to settle on a single method of showing if a site is secured by SSL or not"
They put a thin but obvious blue border around the entire browsing window. Why does Firefox not let you select among a few different methods? I know not.
SSL is no more for 10 years.
You have to copy TLS 1000 times on the blackboard :
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://tools.ietf.org/html/rfc2246
I want security in my browsing... why doesn't Slashdot offer THEIR content over a secure HTTPS connection? I don't want anyone to know that I read the "idle" section and which posts I read.
Forcing people to implement both privacy and authentication in one package is half the problem with SSL. For most sites, it's more important to know that the site you're visiting is the same site you visited last time, than knowing that foo.example.com has a signed certificate approved by someone you never heard of. If these two functionalities were separated, so the browser just checked that a "non-certified" site's encryption key hadn't changed and let you through without comment if that was the case, then most sites using old or self-signed certificates would just use the encryption layer, and browsers COULD block access to sites with invalid certificates without causing people so much inconvenience they'd want to switch to a different browser that was less picky.
(yes, I know that this would probably be implemented using self-signed certificates, but it could be presented to the user as a "low security" site with an appropriate icon and at most a comment that "you haven't visited XXXX.example.com before, it is a low security site..." the first time you see it)
The correct term is "HTTPS". HTTPS, which can use various versions of SSL or TLS, is still mostly understood. Even by the pros.
This article would be funny if it weren't so sad. What's the reason computer professionals don't understand SSL? Bad documentation. And neither the Slashdot summary or the article to which Slashdot links is willing to link to documentation.
The Wikipedia explanation of SSL helps. This explanation helps, also.
The Do It Yourself SSL Guide is useful.
Have you ever tried teaching yourself the basics behind SSL, such as PKI and X.509 certificates? In an industry full of jargon and technalese, the security people are some of the worst for explaining things. The documentation out there is poor and cryptic. Ever wonder why encrypted or signed email never took off? Look no further than GnuPG or the Enigmail plug-in for Mozilla. Try finding out what DER encoding is, or ASC.1, or what PKCS#7 means. None of it's straight-forward, even for technical people.
The OpenSSL web site lists "[STILL INCOMPLETE]" for each of its manuals.
as the guy said in the article, it should kick you from a session at expired certs, not allow click through options
if the cert is expired/ unverifiable, the browser should simply kick the session, end of story
that should really be the only option available to anyone. its psychological: take this seriously, sorry for the inconvenience. otherwise, lazy admins will let their expired/ malformed certs hang out there for a lot longer (which i've seen even on a credit card site: capital one), because users just easily circumvent the roadblock. they'll definitely notice if no users can get through, and the angry emails pile in their inbox
i only allow https admin connections to my router, which of course means my browser screams about being unable to verify any certs... since i'm on a subnet. and i bet there are many other valid situations where expired/ unverified certs still represent a valid connection
however, add up all the valid situations where you want to continue an uncertified https connection, and you are left with nothing but a hill of beans in comparison to the mch more massive problem of psychologically just not taking https seriously enough
now you just have to convince the 3/4/5 major browser flavors to implement this new status quo
maybe the certificate authority should simply kick insecure browsers regardless (is that passed to the certificate authority during verification of cert?). that would get browser coders and vendors to notice. of course, what the browser report themselves can be hacked/ finessed, but if that's done maliciously, you're box is already owned, and its already game over regardless through a lot more powerful avenues
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You're doing it wrong.
Whoever wrote this article does not know what he's talking about.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
With the exception of pre-installed machines, we all have to download our web browsers. What would stop someone carrying out a man in the middle attack on a web browser or distribution download that provided a different Firefox that contains different CA keys. These CA keys could be designed to work the same with https websites, but would allow a man in the middle to also read off the information being transmitted.
Admittedly this would be very hard to do, but theoretically possible and with the resources of a nation state this may have already been done. As most machines are now built in the far east, what would stop the IE that ships with your computer from also having altered CA keys?
Would it even be possible to detect this? You could use MD5 checksums on your downloads, but most of the websites that show an MD5 are unsecure, so they could easily be showing a manipulated version of the checksum.
This strikes me as one of the biggest flaws of our reliance on SSL v2, v3, whatever.
Please tell me that this isn't possible.
Since when have nerdy men ever truly understood Super Sexy Ladies anyway?
Good luck. Google has 9,610,000 hits for ssl certificate and 1,350,000 hits for tls certificate.
Personally i have thought about learning SSL from the ground up the "right way" countless times. The problem is finding a course thats general about implementation but dives down into the gritty details of SSL. I dont want to know howto meddle with SSL on a specifik product, i want to understand its inner workings so i can manage any implementation through good knowledge about wtf im doing.
HTTP/1.1 400
By the way I use cacert to generate my certificates; it should be inlcuded in the default Firefox certification authorities list. I suspect there is money involved in getting into that list though.
CAcert failed a DRC audit. Bug 215243 comment 158 has the details.
A lot of non-SSL password forms are on small blogs, forums, or wikis that don't handle financial data. Might the widespread lack of SSL on password pages have something to do with the price of a certificate for each such site?
SSL is all about trust in the end.
The monster problem is arrogant security people don't trust the other arrogant security people. Trust is implemented via certificates. EG I certify that this thing is what I say it is.
Problem. Who trusts the guy who gives out the certificate. Well as it turns out. Not many trust the other guys certificate. This leads to a problem. You can't build a pyramid of trust when you can't really trust the other guy.
So basically it makes it fairly impossible to create something like a local key store. I can't trust your key store because I can't trust the people that say your key store is a good one. Lets put this in terms people can understand. The government issues a locksmith with a certificate stating that this lock smith can hold copies of your home and safe keys. You can trust him because we the government trust him. Problem is no one trusts the government and no one believes that this guy actually has a real certificate. It could have been forged after all. So I'm not going to let him hold my precious keys.
So now I can't even trust my local key store. So just in case I'm going to add another level on top. I'm going to add a pass phrase. This is something I need to repeat every time I need to do something special involving security. Like say open a door. I turn the key and utter my pass phrase.
Again we got a problem. I have doubts about the pass phrase. Someone might have recorded the pass phrase and is able to play it back after they have used a dodgy copy of my key.
So in the end the trust chain is very fragile. Just one little bit of doubt in the system and it all falls down. This is what has happened. Due to now decades of mistrust of the trust systems layers and layers of paranoia trust have been piled on. And those too have suffered mistrust. So now you have this massive mess of mis-trusted trust and as a result security has broken down. Or rather it has never built up.
---
Basically I have given up all hope that certificate authorities can give me something that is trust worthy and future proof. Simply because they don't like to talk to each other and subsequently they under mine each others public trust. My business is private in that I deal with a customer at a time.
I issue my own private certs and ask them to accept them. They pay me for a service. The contract they sign with me puts legal consequences around the violation of trust of our financial agreement. Thus I simply state this contract is the legal trust you require. If you trust the contract your trust my certificate. In most cases the contract is less expensive than buying a cert. Everyone wins and we actually have a contract of trust. I make more money and they customer pays less. Of course this model doesn't apply to strangers dealing with strangers but it works great for me.
Yeah. Prostitutes don't understand SSL either.
Slashdot has a weird definition of "pro". I figured it meant cryptography professionals. But if the title came out and said "IT professionals" or "lumber professionals" then it would be obvious that the story has no value.
TLS 1.0 is based on SSL v3. TLS 1.0 is also called SSL 3.1 sometimes.
There isn't really a huge difference between TLS & SSL 3.0.
I know how to what SSL is! Fo' real!
It's an HTTP page, but they put a *picture* of a padlock in the middle of the page, so you know it's "ok" to login. And millions of people just go ahead and login from that page.
http://www.scottrade.com/
(Yes, I know the login does go to an HTTPS server. But it's the general idea that counts).
This is not my quote, and I do not remember where I read it.
"Using SSL to transfer information from server to server is analogous to using armored cars to transfer bags of money from one park bench to another."
- I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
you like the current browser implementation of SSL because it is convenient for you... as a developer
you don't happen to think that making your life a pain in the ass as a developer is gee, i dunno, slightly less important than making SSL implementation a serious psychological wall for end users? you don't consider that goal slightly more important than your CONVENIENCE with secure website development? you don't consider your browser use to be slightly more esoteric and exotic than what browsers are used for commonly? do you think maybe your convenience, as a developer for crying out loud, isn't the fucking point?
in fact, turn in your nerd credentials in on your way out, don't let the door hit you in the ass, because emphasizing convenience over security is expected in userland, but your average developer- heck your average SECURE WEBSITE developer, as you profess to be, better be fucking downright hardcore evangelical about security over convenience. as a fundamental component of his profession
i fear for whomever you develop for. when they discover whatever you lazily left unsecured... because i seriously question your priorities and your state of mind and its appropriateness for your presumed profession
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
you're pretty funny ;-)
and yes, i consider the imposition on small businesses to be far less important than a firm psychological wall for regular end users when it comes to security and the browser session
and no, i don't work for a certificate authority
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
"'People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know how to what SSL is and what it does"
Actually, everyone expects that grandpa nad grandma will understand SSL..if they want to do any secure transactions online.
Not matter how the browsers display certificates, unless people know what they are and why they are there then they won't be secure.
What percentage of people would call their bank to complain if they internet banking website didn't give an SSL certificate?
Browsers make a big deal about fake certificates, or self-signed certificates, but don't say anything when you go do an unencrypted site.
It's a terrible state of affairs, and until either secure transactions get eaiser or certificates are used widely enough that browsers can warn when a site isn't using one transactions of the average joe won't be secure at all.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
I did a sort of "audit" of IT people around me and their knowledge of TLS certificates and how to implement it--and most have no clue. It's really quite a shame. I've been working on doing all sorts of SSL stuff and many different implementations. The things I've tested and used:
-OpenVPN using pre-shared keys
-OpenVPN with a CA infrastructure where OpenVPN verifies that a certificate was digitally signed by a CA. Interestingly enough, I haven't found anywhere to configure OpenVPN to only accept certain keys signed by the CA (it only verifies the CA signature)
-SSH with key-authentication, password-protected keys
-WinSCP with the same
-Apache w/ SNI and virtual hosts with self-signed certificates
-Apache w/ SSL and self-signed certificates, 1 host per IP
-Apache w/ CACert signed certificate, providing a link on the HTTP version of the site to grab the CACert Root certificates.
-Apache w/ SSL key authentication and PKCS #12 files on each client machine w/ Chrome, IE, and Firefox
Most of the information and documentation is spotty on setting all of this up. For example, OpenSSL's documentation on building certificate authorities is terrible, as they expect you to dump the CA certs/keys in the "demo" directory. For some of my earlier implementations I used OpenVPN's built-in scripts to create a CA, then public/private key pairs.
When you attempt to do client side authentication with SSL, Firefox gives you a cryptic error message if you forget to include the entire chain of trust within the pkcs #12 file. This is even if you put the CA Root cert into its Certificate store....you still need the entire chain of trust in the pkcs file. FF's exact error was "Failed for unknown reasons." When trying to find out why it failed, I actually got the answer in a completely unrelated IRC channel of nerds.
The Windows crypto store is still vulnerable to the null character bug, so this still puts IE and Chrome in the shitter with that. Shouldn't be a problem moving forward, however.
In fact, I would say I learned the most about SSL by Moxie Marlinspike's slides than I learned anywhere else, combined with knowledge accumulated over the years.
First of all, a better long-term solution is DNSSEC. Because DNSSEC records are signed, there's a chain of trust going all the way back to the DNS root servers. Because you can trust DNS with DNSSEC, you can just store a certificate alongside your A records, and the browser can validate using that instead of some third-party CA certificate list.
It's a much cleaner system than the current CA one because the incentive are in the right place: as the manager of your DNS, you have every incentive to make your identity hard to forge.
"Nearly 50 of the survey's nontechnical respondents just clicked through security warnings without paying attention to them, he says."
Not sure if this is 50 persons or 50%, but I suspected that in part this is true, which coupled with DNS hijacking by ISPs makes a problem a bank I use had (hopefully), and perhaps other commerce and financial sites, a real problem.
A few months ago I alerted my online banking instituion to an NXDOMAIN problem they had where occasionally logged in customer requests were being sent to a non existent server and my ISP subsequently hijacked those requests and delivered their own stupid page. Obviously this is incredibly lame as anyone who chooses to ignore the SSL warning will then send all of their auth tokens to the ISP.
I never received a reply from my bank and even tried to get Schneier involved as this bank is a major player. Regardless of the lack of response however, about two weeks after I notified the bank, I have not run into this problem, so hopefully they fixed it.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
I mean how relevant is it to their survival and reproduction abilities? (Biological as well as ideological.)
Not much. Yeah well, you could get into problems. But it's so rare that you usually don't know anybody in person, who it happened to.
If someone could DIE from misunderstanding SSL, or even get hurt a good bit, you could be 100% sure, that anyone who deserves to reproduce and survive, would perfectly understand every tiny detail. :)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
One problem is that CA's expect "instant gratification" when they issue a new root certificate. Properly, root certificates ought to change very rarely. They should be published a few years before they're used, so there's time for people to install new browser updates and be confident that a fake root cert didn't get through. Now, though, Microsoft Windows Update is being used as the source of root CA authority. We're seeing far more root certificates, more than are really necessary.
The U.S. Department of Defense is going to all-HTTPS for most military sites, even the public-facing ones. But they have far too many root certificates, and few browsers have them all.
The name is a bit crazy but its easy enough to use. http://www.bouncycastle.org/java.html
RTFM is not a radio station.
just publish your CA cert at http://my-toy-site.example.net/cacert.crt and link from your home page; you'll be prompted to install it in your browsers trusted key-ring.
A user agent that makes it hard to use a web site with a self-signed TLS certificate will also make it hard to install a self-signed CA certificate, especially one not downloaded from an already trusted HTTPS site, for the same reasons.
I agree with you that publishing a domain's certificate through DNSSEC is a better solution. But the fact that so many domain name registrars are also CAs for traditional TLS certificates would appear to act as an incentive against implementing DNSSEC.
Yeah, I noticed that. Insufficient editing. I was in too much of a rush.
There will be a followup article describing what SSL is once the author of the article understands it.
Stay tuned!
If you can't wait, feel free to purchase an advanced copy through his secured website...
Once you've signed up for your account to access "Bob's cool fishing tackle forum", what you really care about is that it's the SAME site you go back to and enter your password next time, not that someone once paid VeriSign.
Mac OS X uses the same concept of persistence of identity when deciding whether to apply firewall settings to an updated version of an application: if they were signed with the same publisher certificate, even a self-signed one, they're the same app. True, it helps detect if a man in the middle has been added since the user signed up. But it doesn't help if A. one uses two different computers and they don't have some way to share their keychains, or B. a connection has been MITM'd from day one. In fact, B has actually happened.
I read the article and it's a pile-o-crap but the title is correct...
99% of developers simply don't get what public key crypto is, nor how it works. They don't understand what the 'key exchange' phase of SSL is nor why it is needed (theorically, it's not needed, but practically, good luck without that phase).
How do you want developers to understand what SSL is when they don't understand how public key crypto works? (granted, in some case TLS works with pre-shared keys, but that's a tiny minority).
Of course they've got no clue about SSH neither. They just now that "SSH is more secure than telnet" but they have no clue as to why.
Wanna have fun? Ask during a job interview: "Why is a symmetric key exchanged when two parties need to communicate securely over an insecure network?"
To me programmers that don't understand how public/private crypto works SHOULD write a simple application that simulates how, say, a very basic RSA system works. It's not hard, it's lots of fun (who doesn't like messing with prime numbers ;)
I've done it last century, just for the fun it.
That's the real problem today: most developers use technologies they don't understand (like TLS/SSH) and tools the don't understand either (do you think developers have the slightest clue as to how a kernel or a device driver work? Of course not.
It all looks like "magic" to them. That's a very concerning issue.
We're talking about Secure Socket Layer, not Solid State Logic.
No, I think we're talking about the Low Byte of the Stack Segment Register, SS.
SSH is obviously the High Byte of the Stack Segment Register.
I mean... duh! Like, who doesn't know that?
My other car is a 1984 Nark Avenger.
Yes, I am sure that there are plenty of happy hackers knowing that their SQL injection or cross site scripting code is encrypted before being successfully injected.
The sad truth is this is a very correct statement of today's website admins.
Many do not know what they are doing, and should not be heading any sort of B2E site...I logged unto a website to order something, and got all the way to the end to find out there was no ssl lock once they were asking me for my cc info.
I stopped there, and sent them an email stating that this was below par standard, and that they should involve a better company then the one who designed their site. They replied they had a verisign logo so all was ok....ummmm....ok.....I guess I won't be shopping there anytime soon!
S.S.L. Its only part of the security solution, not the end all and be all. One thing I find exceptionally annoying is web browsers confusing the heck out of users with security with over alarming security warnings when they encounter a site that has self signed certificates just because a site does not have a Signed Certificate does not mean its a security risk, then you have to go though a series of many clicks to get the self signed certificate accepted.
Having a self signed certificate is no more or less sure than a signed one. A signed certificate only verify s that that cert was issued to that server. Users need to be aware of the risks. If your accessing your companies web mail server and it has a self signed certificate its likely nothing you should be concerned with as its there to protect the transport of your password and data.
If you accessing your Bank online and it has a self signed certificate or its expired don't log in as it points to a problem. I have seen fishing emails that take you to a bogus look alike bank web site, that has a signed certificate.
I agree that commerce sites should have a signed certificate that is valid for the comfort level to the end users, the idea that is sometimes portrayed to the end user is that this site is Legit because it has a signed certificate which as we know is bogus, it does not prove the site is legitimate at all.
People as always need to be careful out here.