Secure Socket Layer in the Hacker’s Crosshairs
Every web security solution that e-commerce businesses utilize will be tested by hackers. SSL Certificates are the foundation of web security these days. But as we know, since the invention of locks, burglars have adapted to pick them; and since the invention of alarm systems, burglars have adapted to silence them. There is no security system that these malicious parties will not try to overcome. So how secure is SSL?
SSL security depends upon certificate management and selection. Not all Certificate Authorities are equal and the authorities that continually research and analyze the successful attacks against SSL will be the certificate authorities that e-commerce businesses should be drawn toward. Hackers will take advantage of any weak point from server side to end user, and even when SSL provides security, they may find a way in. SSL vendors which provide solutions through the server side by applying SSL and providing patches and constant time computation can aid in security. Security depends upon addressing the areas of vulnerability.
Areas of Vulnerability
- Certificate Authorities – There are over 600 certificate authorities that browsers will trust and all that a hacker needs to do is find one that they are capable of breaking into and the system can be compromised.
- Routers near Certificate Authorities – Compromising a router near a C.A. can allow an attacker to read outgoing email, alter incoming Domain Name System packets, and break domain validation.
- Compromise DNS Server– If that server is used by a certificate authority. Or, forge an entry for a victim domain.
- Network Protocol – Attacks against network protocol can grant access to emails to the victim domain by TCP or BGP.
- Malicious Certificate – Parties could order a C.A. to issue a certificate for any domain. (In light of recent events, perhaps a government could order one to serve a particular purpose).
The USENIX Security Symposium revealed Certificate Revocation Lists and the reasons those certificates were revoked. One of the reasons for certificate revocation is “Certificate Authority Compromised.” For 248 cases in 2011, Certificate Authorities chose to list this as the reason for the revocation of the certificate. These statements have been made by 14 separate Certificate Authorities.
An incident such as this means that any HTTPS website’s security could have been broken. SSL and certificate authorities were bound to be tested, but it is the C.A.s that is working to fix these vulnerabilities which should be sought after.
Successful/Potential Hacking Campaigns
BEAST- (Browser Exploit Against SSL/TLS) has found vulnerabilities in TLS versions 1.0 or earlier. Versions of 1.1 or more are unsupported on many browsers. Therefore, vulnerable versions may allow eavesdropping by hackers on PayPal, Gmail, or other websites. BEAST uses a piece of JavaScript and a network sniffer to decrypt cookies and grant access to user accounts.
Lucky13- (Possible Attack Agent): HTTP Strict Transport Security (HSTS) is a standard used to help browsers connect to a website over HTTPS. Without it, a user can access HTTPS pages and login without the security it provides. A tool called the SSLstrip can deceive web browsers and users into thinking they are on sites secured by SSL or HTTPS when they are not. One of the vulnerabilities exploited by this is a weak cipher-block chaining.
The Future of SSL Certificates
SSL Certificates will continue to be the foundation of web security, but these new and evolving risks must be considered in order to diligently continue down a forward path.
Proactive studies and innovations must be made by the Certificate Authorities that are depended upon to secure the e-commerce world that society has been increasingly engaged in. It is no surprise that SSL would be under the close scrutiny of hackers seeking to gain an advantage any way they can, but as we see, SSL has become a web security solution strong enough to force hackers to consider other points of entry to exploit.
Certificate Authorities which meet the increasing standards and demands of their customers, in light of these threats, will maintain the integrity of the SSL certificate as a solution. Those that question the security of SSL technology need to look no farther than the certificate authorities that first offered them this product.
Related Post: