Slashdot Mirror


SSL Still Mostly Misunderstood, Even By the Pros

An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"

49 of 292 comments

  1. Moderators, are you all friggin' retards? by Eggplant62 · · Score: 4, Insightful

    Who proofreads these article submissions, anyway? Does anyone?

    1. Re:Moderators, are you all friggin' retards? by Stachybotris · · Score: 5, Funny

      > no one expects that grandma and grandpa know how to what SSL is and what it does.

      I just consider this sort of typo a cheap and lazy form of story encryption...

    2. Re:Moderators, are you all friggin' retards? by OakDragon · · Score: 2, Funny
    3. Re:Moderators, are you all friggin' retards? by rockbottoms · · Score: 5, Funny

      > I just consider this sort of typo a cheap and lazy form of story encryption...

      I just except the typos for what they are

    4. Re:Moderators, are you all friggin' retards? by TheRaven64 · · Score: 2, Funny
      Hmm, you're probably still just new enough to be making that mistake. Slashdot readers go through various development stages, like insects:
      1. New users read the articles.
      2. Then they stop reading the articles, and just read the summary.
      3. After a while, they stop reading even the summary, and just read the headlines.
      4. Finally, they stop even reading the comments that they are replying to, and just paste links to goatse or stories about CmdrTaco's sex life.
      --
      I am TheRaven on Soylent News
  2. You're doing it wrong by QuantumG · · Score: 4, Informative

    If you want to write a pretentious article about how people don't understand security of the interwebs, at least get the name right. That's right, SSL hasn't been considered "secure" for at least a decade.

    --
    How we know is more important than what we know.
    1. Re:You're doing it wrong by frozentier · · Score: 3, Insightful

      If you want to write a pretentious article, AT LEAST use correct spelling and grammar if nothing else.

    2. Re:You're doing it wrong by Anonymous Coward · · Score: 5, Insightful

      The article isn't even just pretentious, it's just pointless fluff. The entire thing could have been summarized as "many customers ignore security warnings in browsers and many web developers deploy SSL/TLS in vaguely unacceptable ways which we won't even begin to explain here".

      Really, that article couldn't have been more pointless. WHAT are people doing that they shouldn't be? WHAT are people expecting SSL to do that it doesn't? If you're going to write an article about people's misconceptions of a technology, you could at least spend a single sentence explaining what some of those misconceptions are.

      Pointless and uninformative article is pointless and uninformative.

    3. Re:You're doing it wrong by something_wicked_thi · · Score: 5, Informative

      If you want to write a pretentious response to a pretentious article, try reading the source you're linking to. SSL v2 hasn't been secure for a while, but SSL v3 is fine.

    4. Re:You're doing it wrong by Antique+Geekmeister · · Score: 5, Insightful

      No, I'm afraid it's not. It's still vulnerable to "Do you accept this made-up key" attacks where people have become far too accustomed to accepting unsigned keys, and to the purchase of centrally signed keys. Because the key signatures belong to central signing authorities that rely on valid credit cards, not personal authentication, there is still only a pretense at genuine security.

      There have been other tools proposed to address these issues, such as the PGP web-of-trust, and the Palladium project's hardware encryption, but they've broken down in practice on the problem of US encryption export regulations, poor closed source implementation that turns out to be easily virtualized, and many essentially social rather than technological issues. Even SSL was handicapped for years by the USA's insane 80-bit limit for SSL in exported software.

    5. Re:You're doing it wrong by muckracer · · Score: 3, Informative

      > Even SSL was handicapped for years by the USA's insane 80-bit limit for SSL
      > in exported software.

      It was 40-bits. Agree with your point...just sayin'.

    6. Re:You're doing it wrong by rgviza · · Score: 4, Insightful

      >No, I'm afraid it's not. It's still vulnerable to "Do you accept this made-up key" attacks where people have become far too accustomed to accepting unsigned keys, and to the purchase of centrally signed keys

      Um, that's a social engineering attack, not a fault of the protocol itself. The protocol is secure, users aren't. To be fair, the browser manufacturers could do a better job of writing the warnings so that anyone could understand them. Again, this is not a fault of the protocol, rather how people use it.

      And adding a layer of PGP to it would have the _exact_ same issue. Instead of "Do you accept this SSL key" it would be "Do you accept this PGP key". In addition, adding PGP would introduce a whole new slew of security bugs related to added complexity of PGP support in browsers, along with all the bugs guaranteed to be introduced with the additional new code.

      No thanks =D.

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
    7. Re:You're doing it wrong by Magic5Ball · · Score: 2, Insightful

      I think the idea of a public revocation database has merit. How would I make sure that my connection to the database has not been tainted? How could this database as a business entity be designed in a way that's less vulnerable to social engineering attacks than the current system?

      --
      There are 1.1... kinds of people.
    8. Re:You're doing it wrong by KnownIssues · · Score: 2, Funny

      It seems you've all proved the article's point. SSL still mostly misunderstood.

    9. Re:You're doing it wrong by yuna49 · · Score: 2, Insightful

      > "Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords."

      I found this one of the silliest parts of the story. First, to what type of sites does that 41% figure apply? Are they the same sites where people are entering credit card information? There are a number of sites where I enter passwords without SSL encryption, this site for one. Those are sites where I don't really care if my password is sniffed or not. Does that place me in the 59% of supposedly inattentive users? For sites where I care about protecting my authentication information like my bank or Amazon, I make sure the password transaction is encrypted.

      Next, the article presents a laundry list of apparent security flaws in SSL. How common are these? Do we have demonstrated evidence that they've been used to subvert transactions with well-known sites like major banks and online retailers, or are these just theoretical flaws? Like the article on piracy in today's news, the statistics in this piece seem intended to drive sales of security software and services by fear-mongering.

      Finally there's the suggestion that browsers never permit people to accept certificates that have expired or are self-signed. I'm sorry, but that's just not going to fly. I find the current plethora of hoops I have to jump through with Firefox annoying enough. If I want to sign a cert so my employees can read their mail with a web browser, what's wrong with that?

    10. Re:You're doing it wrong by sexconker · · Score: 2, Insightful

      Uh, simply add that self-signed cert once.
      Someone in IT will do it.

      If people want to access email from home, tell them to remote into their machine at work.

      Setting up your own CA doesn't fix the problems you mentioned (random access point fud).

    11. Re:You're doing it wrong by vadim_t · · Score: 2, Insightful

      > Uh, simply add that self-signed cert once.
      > Someone in IT will do it.

      Then another time for the website, and another one for the IM server, another time for the VPN, and a couple times more when servers get replaced...

      Setting up a CA is a long term solution that only needs to be done once. You can then generate a new cert that will be recognized as valid by somebody in another country.

      > Setting up your own CA doesn't fix the problems you mentioned (random access point fud).

      Yes it does.

      If you're lucky:
      You go to https://example.com/. It uses a self-signed cert. You accept it, connect to the right server. All is good.

      If you're not:
      You go to https://example.com/. It uses a self-signed cert. The man in the middle examines your cert, makes another self-signed one with the same details, and presents that to you. You accept it. Connect to the man in the middle who then connects to your server. You read your mail, administrate your servers and so on, while somebody is quietly logging all that data.

      With a CA, your cert would be signed by the company's cert. Your company can sign certs with its key, but some random guy running an AP for nefarious purposes can't. The best he can do is to make a self-signed cert with your company's details, but you're not stupid enough to ignore that, are you?

    12. Re:You're doing it wrong by sexconker · · Score: 2, Informative

      With a CA you set up, someone has to trust it explicitly by adding it as an exception, just as you have to do with individual certificates in your fud example.

      ALL certificates are like this - modern OSs simply include and maintain a list of certificate authorities to trust.

  3. SSL is dead for 10 years by Anonymous Coward · · Score: 2, Insightful

    SSL is no more for 10 years.

    You have to copy TLS 1000 times on the blackboard :
    http://en.wikipedia.org/wiki/Transport_Layer_Security
    http://tools.ietf.org/html/rfc2246

  4. SSL is trying to do too much. by argent · · Score: 5, Insightful

    Forcing people to implement both privacy and authentication in one package is half the problem with SSL. For most sites, it's more important to know that the site you're visiting is the same site you visited last time, than knowing that foo.example.com has a signed certificate approved by someone you never heard of. If these two functionalities were separated, so the browser just checked that a "non-certified" site's encryption key hadn't changed and let you through without comment if that was the case, then most sites using old or self-signed certificates would just use the encryption layer, and browsers COULD block access to sites with invalid certificates without causing people so much inconvenience they'd want to switch to a different browser that was less picky.

    (yes, I know that this would probably be implemented using self-signed certificates, but it could be presented to the user as a "low security" site with an appropriate icon and at most a comment that "you haven't visited XXXX.example.com before, it is a low security site..." the first time you see it)

    1. Re:SSL is trying to do too much. by Drencrom · · Score: 5, Insightful

      Totally agree with this. If I don't want to spend money paying a certification authority I should be able to encrypt anyway without the browser warning the user in big red letters that I am a pirate. Firefox warnings are getting worse in each version and, from the user perspective, it seems that encrypting with a non official certificate is much worse than not encrypting at all. By the way I use cacert to generate my certificates; it should be included in the default Firefox certification authorities list. I suspect there is money involved in getting into that list though.

    2. Re:SSL is trying to do too much. by argent · · Score: 2, Insightful

      So you are saying you shouldn't change the public/private key for 20 something years?

      If all you're securing is a session to a web forum where there are no assets at risk, sure.

      It's more security than not using TLS at all.

    3. Re:SSL is trying to do too much. by argent · · Score: 2, Insightful

      Where have I suggested that Paypal should use self-signed certs?

      The point is that there's thousands of sites... no, hundreds of thousands... that are wide open for sniffing that would be using TLS if it was possible to set it up as easily as you can set up SSH. This possibly didn't use to be an issue but is getting more so as more and more businesses provide things like free wifi.

      For these sites the same level of authentication as SSH, "this is the same server as you visited last time", is adequate to deter MITM attacks.
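
The key-continuity check proposed in this sub-thread ("the browser just checked that a non-certified site's encryption key hadn't changed", and "this is the same server as you visited last time"), sketched as an added example that is not code from any commenter or browser. The `PinStore` class, the host name `forum.example` and the byte strings standing in for DER-encoded public keys are all constructed for illustration.

```python
"""Trust-on-first-use (TOFU) key continuity, in the style of SSH known_hosts."""
import hashlib
import hmac
import json

FIRST_VISIT, MATCH, CHANGED = "first-visit", "match", "changed"


def fingerprint(key_der: bytes) -> str:
    """SHA-256 fingerprint of the server's public key bytes."""
    return hashlib.sha256(key_der).hexdigest()


class PinStore:
    """Remembers one key fingerprint per host:port (hypothetical helper)."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    @staticmethod
    def _name(host: str, port: int) -> str:
        # Host names are case-insensitive and a trailing dot is the same name.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, key_der: bytes) -> str:
        name = self._name(host, port)
        seen = fingerprint(key_der)
        pinned = self.pins.get(name)
        if pinned is None:
            # Nothing to compare against: whoever answers first gets pinned.
            self.pins[name] = seen
            return FIRST_VISIT
        if hmac.compare_digest(pinned, seen):
            return MATCH
        # Never overwrite the pin silently; the caller must block or ask.
        return CHANGED

    def accept_new_key(self, host: str, port: int, key_der: bytes) -> None:
        """Re-pin after a key rotation was confirmed out of band."""
        self.pins[self._name(host, port)] = fingerprint(key_der)

    def dumps(self) -> str:
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


# Constructed stand-ins for DER-encoded public keys (not real keys).
SERVER_KEY = b"constructed-public-key-of-forum.example"
MITM_KEY = b"constructed-public-key-of-interceptor"


def demo():
    """Interception that starts after the first visit is detected."""
    store = PinStore()
    results = [
        store.check("forum.example", 443, SERVER_KEY),
        store.check("Forum.Example.", 443, SERVER_KEY),
    ]
    store = PinStore.loads(store.dumps())  # pins survive a restart
    results.append(store.check("forum.example", 443, MITM_KEY))
    results.append(store.check("forum.example", 443, SERVER_KEY))
    return results


def demo_first_contact_interception():
    """Interception on the very first visit pins the interceptor's key,
    so it is the genuine server that later gets flagged as changed."""
    store = PinStore()
    return [
        store.check("forum.example", 443, MITM_KEY),
        store.check("forum.example", 443, SERVER_KEY),
    ]


if __name__ == "__main__":
    print(demo())
    print(demo_first_contact_interception())
```

The second function shows the limit the thread argues about: continuity only proves the key is the one seen last time, so a first visit made through an interceptor is accepted, which is the gap a CA signature (public or company-run) is meant to close.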

    4. Re:SSL is trying to do too much. by DavidTC · · Score: 2, Interesting

      Except, if you don't verify the identity of the recipient, encrypting data is as much use as putting a steel door on a tent.

      You know, you hit that analogy perfectly, but apparently did not bother to think about it.

      A steel door on a tent is much better than no door on a tent.

      Let me guess: You think locking a car or house is a waste of time, because any fool can break in via windows? You think it would be better if we couldn't lock our car or house, because locking it gives us a false sense of security?

      Perhaps, you should maybe consider that those of us who want a little more security know exactly what we're asking for and what the weakness of it is, but think sometimes a small level of security is a better choice than none?

      That maybe we think protecting web forum password from sniffers, and from man-in-the-middle attacks because it saved the cert when you went there the first time, might be a vaguely logical thing to do, and yet those thousands of forums are not going to purchase SSL certs?

      Oh, and while we're at it, companies would no longer have to fuck around with self-signed certs for intranet sites.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:SSL is trying to do too much. by DavidTC · · Score: 2, Informative

      All browsers would have each registrar's root CA certificates in their CA store. When a person registers a domain name, the registrar also gives them either an issuer certificate for that domain or a wild card certificate for that domain. The person could then either use the issuer certificate to make more (www.example.com, store.example.com, etc.) or just use that wild card certificate (*.example.com).

      Congratulations, you have just invented DNSSEC.

      Next task: Get root registrars to actually publish and issue root certificates to the registrars.

      After that, get browsers to support them.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    6. Re:SSL is trying to do too much. by argent · · Score: 3, Funny

      Everyone knows the world will end in 2012.

      Oh come on, nobody's using that old stone circle computer technology any more. Half of the Machu Picchu site is missing, they've lost the Nazca Plain key server, Avebury is completely trashed (half the stones there are uncalibrated replacements), and Stonehenge was originally just a backup ring in case the Avon flooded: I bet you couldn't get a millithaum per second out of it even on the equinox AND with a FULL team of chanters on hand.

  5. Re:and WHY doesn't Slashdot use HTTPS? by buchner.johannes · · Score: 2, Informative

    caching.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  6. You didn't get it right either... try "HTTPS" by WD · · Score: 4, Informative

    The correct term is "HTTPS". HTTPS, which can use various versions of SSL or TLS, is still mostly understood. Even by the pros.

  7. Re:and WHY doesn't Slashdot use HTTPS? by pjt33 · · Score: 5, Informative

    How would HTTPS help? You'll still probably do an unencrypted DNS lookup for idle.slashdot.org.

  8. As usual, no one wants to be the leader. by Futurepower(R) · · Score: 5, Interesting

    This article would be funny if it weren't so sad. What's the reason computer professionals don't understand SSL? Bad documentation. And neither the Slashdot summary nor the article to which Slashdot links is willing to link to documentation.

    The Wikipedia explanation of SSL helps. This explanation helps, also.

    The Do It Yourself SSL Guide is useful.

    1. Re:As usual, no one wants to be the leader. by upuv · · Score: 2, Insightful

      I blame JAVA.

      Java dev to any other IT dude: "I don't need to know about that the jvm abstracts that away for me. So buzz off and let me do real IT work. "

      Just kidding :) Well actually I'm not. In general Java devs know ZIP about anything outside of a JAR file.

    2. Re:As usual, no one wants to be the leader. by Chrisq · · Score: 3, Informative

      > In general Java devs know ZIP about anything outside of a JAR file.

      They may not even know that JAR files are ZIP format.

    3. Re:As usual, no one wants to be the leader. by onemorechip · · Score: 2, Funny

      > And neither the Slashdot summary nor the article to which Slashdot links is willing to link to documentation.

      Please stop anthropomorphizing the article and summary. They hate that!

      --
      But, I wanted socialized health insurance!
  9. Of course IT professionals don't get it by Malc · · Score: 5, Insightful

    Have you ever tried teaching yourself the basics behind SSL, such as PKI and X.509 certificates? In an industry full of jargon and technalese, the security people are some of the worst for explaining things. The documentation out there is poor and cryptic. Ever wonder why encrypted or signed email never took off? Look no further than GnuPG or the Enigmail plug-in for Mozilla. Try finding out what DER encoding is, or ASC.1, or what PKCS#7 means. None of it's straight-forward, even for technical people.

    1. Re:Of course IT professionals don't get it by Necroman · · Score: 2, Insightful

      I'd like to second that motion. The same thing goes for encryption used for wireless routers. When a non-tech friend is setting up a new wireless router and is setting up the encryption part, they just see a list of 3 and 4 letter words they don't understand. And the only reason I know which is the best to pick is reading around the web to know which are easy to crack.

      --
      Its not what it is, its something else.
    2. Re:Of course IT professionals don't get it by Z8 · · Score: 2, Insightful

      You may be right about SSL, but I think you're incorrect about encrypted Email. PGP was a very easy-to-use program for its time, complete with plenty of documentation that (as a previous poster mentioned) posed the problems and solutions in clear, Alice-and-Bob terms.

      Furthermore, the PGP/MIME standard was very clear, and had a clear RFC. I implemented this RFC myself for two different email systems over 10 years ago. Nevertheless, PGP/MIME didn't catch on, and I myself rarely use it now.

      Why? Part of it was FUD with S/MIME, but mostly it's just critical mass I think—anything that takes more than a few minutes total won't be done by most people unless it averts an imminent catastrophe (and sometimes not even then).

    3. Re:Of course IT professionals don't get it by DavidTC · · Score: 2, Funny

      No kidding. How hard would it be for the router to actually vaguely explain what OSes can be expected to understand each type of encryption, and which you should use unless you have Specific Older Device or have discovered that some device you have doesn't work. What, do they have 32k of firmware room and no space for explanations?

      Of course, most router control panels appear designed by idiots anyway.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  10. Re:and WHY doesn't Slashdot use HTTPS? by Anonymous Coward · · Score: 2, Informative

    Not to mention the fact that the GETs will have to have their endpoint identifiers unencrypted, and so the IP addresses will be available, which means they'll know how MANY requests you've made to /.

  11. OpenSSL: [STILL INCOMPLETE] by Futurepower(R) · · Score: 5, Funny

    The OpenSSL web site lists "[STILL INCOMPLETE]" for each of its manuals.

    1. Re:OpenSSL: [STILL INCOMPLETE] by MrMr · · Score: 2, Funny

      Why do you want a manual?
      Just modify the source until it does what you expected.

  12. it's the browser implementation by circletimessquare · · Score: 4, Insightful

    as the guy said in the article, it should kick you from a session at expired certs, not allow click through options

    if the cert is expired/ unverifiable, the browser should simply kick the session, end of story

    that should really be the only option available to anyone. its psychological: take this seriously, sorry for the inconvenience. otherwise, lazy admins will let their expired/ malformed certs hang out there for a lot longer (which i've seen even on a credit card site: capital one), because users just easily circumvent the roadblock. they'll definitely notice if no users can get through, and the angry emails pile in their inbox

    i only allow https admin connections to my router, which of course means my browser screams about being unable to verify any certs... since i'm on a subnet. and i bet there are many other valid situations where expired/ unverified certs still represent a valid connection

    however, add up all the valid situations where you want to continue an uncertified https connection, and you are left with nothing but a hill of beans in comparison to the much more massive problem of psychologically just not taking https seriously enough

    now you just have to convince the 3/4/5 major browser flavors to implement this new status quo

    maybe the certificate authority should simply kick insecure browsers regardless (is that passed to the certificate authority during verification of cert?). that would get browser coders and vendors to notice. of course, what the browser report themselves can be hacked/ finessed, but if that's done maliciously, your box is already owned, and its already game over regardless through a lot more powerful avenues

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. MITM attack on browser downloads by aembleton · · Score: 4, Interesting

    With the exception of pre-installed machines, we all have to download our web browsers. What would stop someone carrying out a man in the middle attack on a web browser or distribution download that provided a different Firefox that contains different CA keys. These CA keys could be designed to work the same with https websites, but would allow a man in the middle to also read off the information being transmitted.

    Admittedly this would be very hard to do, but theoretically possible and with the resources of a nation state this may have already been done. As most machines are now built in the far east, what would stop the IE that ships with your computer from also having altered CA keys?

    Would it even be possible to detect this? You could use MD5 checksums on your downloads, but most of the websites that show an MD5 are unsecure, so they could easily be showing a manipulated version of the checksum.

    This strikes me as one of the biggest flaws of our reliance on SSL v2, v3, whatever.

    Please tell me that this isn't possible.

    1. Re:MITM attack on browser downloads by Nerdfest · · Score: 2, Interesting

      That would be an excellent feature. Perhaps also an option to show it in the list of downloaded files automatically would be good.

  14. SSL has 7 times as many hits as TLS by tepples · · Score: 4, Funny

    Good luck. Google has 9,610,000 hits for ssl certificate and 1,350,000 hits for tls certificate.

  15. Bug 215243 by tepples · · Score: 5, Informative

    > By the way I use cacert to generate my certificates; it should be included in the default Firefox certification authorities list. I suspect there is money involved in getting into that list though.

    CAcert failed a DRC audit. Bug 215243 comment 158 has the details.

  16. We do expect average people to understand SSL by Jessta · · Score: 2, Interesting

    "'People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know how to what SSL is and what it does"

    Actually, everyone expects that grandpa and grandma will understand SSL... if they want to do any secure transactions online.
    No matter how the browsers display certificates, unless people know what they are and why they are there then they won't be secure.
    What percentage of people would call their bank to complain if their internet banking website didn't give an SSL certificate?
    Browsers make a big deal about fake certificates, or self-signed certificates, but don't say anything when you go to an unencrypted site.
    It's a terrible state of affairs, and until either secure transactions get easier or certificates are used widely enough that browsers can warn when a site isn't using one, transactions of the average joe won't be secure at all.

    - Jesse McNelis

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
  17. Re:I'm a Pro by Pieroxy · · Score: 2, Funny

    We will all mourn your sense of humour. What a pity...

    Oh well, you can adopt another one. It will never be the same, but it'll be there when you need it!

  18. Re:and WHY doesn't Slashdot use HTTPS? by pjt33 · · Score: 2, Informative

    You haven't yet been modded overrated for not understanding DNS, but maybe someone with mod points will stop by...

    Before you exchange certificates you need the IP address of the other end. If Anonymous Coward doesn't want anyone to know that he reads the "idle" section then he needs to get the IP address of idle.slashdot.org without doing an unencrypted DNS lookup for it. How common is encrypted DNS?

    PS You forgot to mention
    c) get a MITM-attacked connection which your browser thinks is fine because it appears to be signed with MD5 by Thawte.

  19. Re:and WHY doesn't Slashdot use HTTPS? by pjt33 · · Score: 2, Informative

    I know MD5 collisions wasn't my point - that's why I made that a PS - but you still haven't got what my point is. Ignoring insecurities in the PKI and TLS implementations, TLS can prevent eavesdroppers from knowing what data you're sending and receiving, but it can't prevent them from knowing with what server you're communicating. The eavesdropper can still sniff the IP address in the IP packets, and the DNS request which is necessary before you even send your SYN packet, which itself precedes certificate exchange. TLS is cryptography, not steganography.