Posts Tagged ‘SSL’

How secure is SSL

Friday 2 January 2009

https-logoSecure Socket Layer (SSL) is a security technology allowing web clients and web sites to provide a higher level of security for the communication. The question “How secure is SSL?” is relevant this week;  a group of researchers first proved they can forge SSL certificates based on the MD5 hash algorithm. Academically this is very interesting (it is!) but what are the implications in our daily interactions with websites?

Before we explore this question, for the novice some background on SSL certificates. When you visit a SSL enabled site you can see this through the https: protocol identifier in the address bar of your browser. Https enabled traffic gives two things extra, the exchange of traffic is encrypted and cannot be interpreted by some eavesdropping and the identity of the entity operating the web  server is verified. The web browser verifies the identity by a certificate the web server must send to the web browser as part of the https protocol. The certificate consists of an identity, let say ACME corporation, and signature. The signature is created by a certificate authority (Versign is the most well known) that has issued the certificate to ACME after verifying that ACME exists and the entity requesting and receiving the certificate is indeed ACME corporation. The research quoted above shows it is now possibly to generate a certificate that is valid and accepted by the browser without warning without involvement of an official and recognized authority. So any website can successfully claim to a web browser to be ACME corporation, including malicious websites. Technically there are more hurdles to exploit this attack, you need to route traffic to ACME corporation for example, but this is one hurdle less for the visitor. 

The attack is specific for the MD5 hash function, which is already known to be unsafe to say at best. Verisign immediately stopped issuing certificates with the MD5 hash. For reasons I do not understand Verisign still used MD5 based certificates only for the lower class certificates. Most certificates you and I will encounter already rely on SHA-1, a successor to MD5. Extended validation certificates cannot include the MD5 hash.

I argued before that current browsers do a pretty decent job of alarming users about the validity of the certificate presented. An attack using a forged certificate would disable those alarms. However I think most users ignore alarms for invalid certificates anyway. Enough users at least to make a spoofed site with a false certificate just as likely to generate transactions as one with a for the browser valid but sp0ofed certificate. So tools like this blacklist are pretty useless. Which means you and I must rely on other security countermeasures which include:

  • DNS and IP network security, making sure bits intended for site A arrive at site A and not site B.
  • Spam and phishing filters that prevent access via mailed links, the chances of arriving at a spoofed site by manually typing a link
  • Detecting and shutting down spoofed sites
  • Legislation making the risks greater than the benefits.

To name a few. The safest way to be secure against spoofing attacks is not to use the Internet. If that is not an option use your senses, act accordingly, have faith in other measures and assume bad luck on your part if you get involved with a malicious website. 

To round up, does this discovery make us less secure? My answer is no, in fact it makes us more secure because a discoveries like this advance the field of security and drive new innovations that ultimately do make us more secure and b because it forces companies to stop using algorithms which are known to be insecure.

More background and interesting reader comments on Bruce Schneier’s blog.


Browsers and secure sites

Monday 3 November 2008

On the web SSL certificates are the common way to verify the owner of the identity of https based website. Compared to older generations the new generation of browsers have a far better support for the display of the amount of trust (or lack thereof) you should place in the owner of the site you are visiting.

Chrome uses a yellow address bar to indicate a valid SSL enabled site:

Firefox does in my opinion an even better job by adding a green logo at the start of the address bar:

IE uses only an yellow icon of a key lock to confirm a secure connection with a SSL enabled site.

Above that IE uses colors to indicate how secure a connection is:


  • White: The certificate has normal validation. This means that communication between your browser and the website is encrypted. The certification authority makes no assertion about the business practices of the website. Sample:
  • Green: The certificate uses extended validation. This means that communication between your browser and website is encrypted and that the certification authority has confirmed the website is owned or operated by a business that is legally organized under the jurisdiction shown in the certificate and on the Security Status bar. The certification authority makes no assertion about the business practices of the website
  • Yellow: The authenticity of the certificate or certification authority that issued it cannot be verified. This might indicate a problem with the certification authority’s website.
  • Red: The certificate is out of date, invalid, or has an error. For more information, see “About Certificate Errors” in Related Topics.


Note that for the colors to work you need the IE Phishing filter turned on, which requires you to send anonymous information to Microsoft while browsing. Mine was off by default. If you turn it on you will see while browsing an extended validated site:

Be aware the when it comes to security a valid SSL certificate only indicates how much you should trust the identity. It does not tell you anything about the amount of trust you should put in the intentions of the site. It would be perfectly possible to fund a company i steal your money Inc, get a valid certificate on get a green bar and walk away with you money if you trust me your money on that site.

Some more reflections on the validity of the greenness in the browser address bar in will firefox have a green bar.