03.26.07
SSL == Useless
Pete Lindstrom posted over on the Spire Security Viewpoint asking, and answering, the question "Has SSL Outlived its Usefulness". He made the following four statements:
1) Users read way too much into its functional value.
2) The threat model for sensitive Web data has never been one of sniffing traffic. There are still way too many accessible websites for this to be the case.
3) If you are going to compromise some device, you might as well compromise the host and not some intermediate device.
4) The bad guys are now leveraging SSL more and more to shield their activities from good guy sniffers.
This was responded to by Dave G. on the Matasano Blog.
I actually find it to be an interesting topic... Right off the bat one could point out that SSL has evolved, becoming Extended Validation SSL, which is quite useful as phishing protection.
I would also respond to Pete's initial four points:
- SSL is advertised as some end-all-security solution in a lot of cases... This isn't SSL's fault, plenty of security solutions are advertised this way and accepted as operating this way... The truth is that a multi-tiered approach is the only way security will work. SSL is one of those tiers.
- I think the problem here is the assumption that we're talking about only the Internet... As far as I'm concerned SSL is much more useful in intranet-type settings. A college residence, a public hotspot, a large conference where they display usernames and passwords on an updating board. This is where SSL really shines in my opinion.
- So you trust the ISP and every hop between yourself and the website you're accessing? I find that to be a lot to ask... Also... an attacker might not have access to the client or server... Accessing an Internet-facing gateway might be a much more viable option.
- If you have a company with this problem, there are ways to defend against that. You essentially turn your IDS into an SSL MITM box. I'm sure there are plenty of corporate solutions that I'm not aware of, but DeleGate is one example of software that will allow you to set up an HTTPS - HTTP - HTTPS proxy, allowing you to sniff during that HTTP step.
In the end I would argue that:
- SSL has always been useful
- SSL has definitely not outlived its usefulness.
Pete finished off his post by saying, "Sure, it is needed nowadays for basic authentication protection, but we really shouldn't be using userid/password pairs in clear text anyway." This is a topic that has always interested me... A lot of people say, "You shouldn't send your plain text username and password." They then turn around and create a hash which they pass to the web server. That hash, if sniffed, can be replayed to the server and used for authentication. This is a common flaw that exists in a lot of the development I see from web developers. Sure, there are better ways to do it, and a lot of people implement them, but many people don't. So stating that you "shouldn't be using userid/password pairs in clear text anyway" isn't enough... this makes people assume that a simple hash of the password is safe... and it isn't.
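The replay problem described above, as an added example that is not part of the original post: a login that accepts a fixed hash of the password next to one that binds each response to a fresh, single-use server nonce. All names (`static_login`, `ChallengeServer`, `client_response`) and the sample password are constructed for illustration.

```python
import hashlib, hmac, secrets

PASSWORD = b"correct horse"                  # constructed sample credential
STORED = hashlib.sha256(PASSWORD).digest()   # verifier the server keeps in both schemes

def static_login(submitted_hash: bytes) -> bool:
    """Flawed scheme: the client sends sha256(password) and the server compares it."""
    return hmac.compare_digest(submitted_hash, STORED)

class ChallengeServer:
    """Nonce-based scheme: every login attempt needs a fresh, single-use challenge."""
    def __init__(self):
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:        # unknown or already-used challenge
            return False
        self.pending.discard(nonce)          # a challenge is valid exactly once
        expected = hmac.new(STORED, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(password: bytes, nonce: bytes) -> bytes:
    """Client side: HMAC the server's nonce with a key derived from the password."""
    key = hashlib.sha256(password).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    on_the_wire = hashlib.sha256(PASSWORD).digest()  # what the static scheme transmits
    srv = ChallengeServer()
    n1 = srv.challenge()
    r1 = client_response(PASSWORD, n1)
    cr_first = srv.login(n1, r1)                     # legitimate login
    n2 = srv.challenge()                             # a later login attempt
    return {
        "static_first": static_login(on_the_wire),
        "static_replay": static_login(on_the_wire),  # same bytes are accepted again
        "cr_first": cr_first,
        "cr_replay_same_nonce": srv.login(n1, r1),   # challenge already consumed
        "cr_replay_new_nonce": srv.login(n2, r1),    # old response, wrong nonce
    }

if __name__ == "__main__":
    print(demo())
```

The nonce only stops a passive replay: the stored hash is still password-equivalent if the server's database leaks, and an active man-in-the-middle is still a reason to run the exchange over SSL.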


Landon Lewis said,
March 27, 2007 at 12:22 am
BlueCoat has a proxy add-on for their ProxySG that does decryption. I blogged about most of the technical details at the link below. http://www.digitalbond.com/index.php/2006/08/04/web-worms-possible-solutions/
From an inbound perspective, Juniper's IDP can decrypt stuff destined for your web servers as well. Just have to add your private keys.