LOGO

HTTPS and SSL Security Problems: 5 Serious Issues

February 13, 2014
Topics:FeaturesExplainersCloud & Internet
HTTPS and SSL Security Problems: 5 Serious Issues

Understanding HTTPS and SSL Security

HTTPS, leveraging SSL (Secure Sockets Layer) technology, is designed to establish both identity verification and a secure connection.

This ensures users are interacting with the intended website and that communications remain private, shielded from potential interception.

The Reality of SSL Implementation

While conceptually sound, the practical application of SSL on the internet is often complex and presents various challenges.

The current state of affairs can be described as somewhat disorganized, despite the best intentions of the underlying technology.

The Value of HTTPS Remains

It’s important to note that HTTPS and SSL encryption are not without merit; they represent a significant improvement over unencrypted HTTP connections.

Even when vulnerabilities exist, a compromised HTTPS connection generally offers a level of security equivalent to, or better than, a standard HTTP connection.

Key Benefits of Secure Connections

  • Identity Assurance: Confirms the authenticity of the website.
  • Data Encryption: Protects information transmitted between the user and the server.
  • Improved Security: Offers a more secure browsing experience compared to HTTP.

Therefore, while imperfections exist, utilizing HTTPS remains a crucial step in maintaining online security.

The benefits of encrypted communication consistently outweigh the risks associated with relying on unencrypted protocols.

The Extensive Landscape of Certificate Authorities

Related: Understanding HTTPS and Its Importance

Web browsers maintain an internal directory of certificate authorities they deem trustworthy. Certificates originating from sources outside this list are not considered valid by the browser. When connecting to a secure site like https://example.com, the server presents an SSL certificate. Your browser then verifies that this certificate is legitimately issued for example.com by a recognized certificate authority.

A significant challenge arises from the sheer volume of certificate authorities in operation. Security breaches or fraudulent activity at a single authority can have widespread repercussions. For instance, while you may have obtained an SSL certificate for your domain through VeriSign, a malicious actor could potentially exploit vulnerabilities at another authority to acquire a certificate for the same domain.

5-serious-problems-with-https-and-ssl-security-on-the-web-1.jpg

The Historical Lack of Trust in Certificate Authorities

Certificate Authorities (CAs) haven't consistently fostered a sense of security. This is particularly relevant when considering how browsers authenticate website identities and defend against malicious impersonation attempts.

Research indicates that certain CAs have neglected even basic verification procedures during certificate issuance. Instances include the provision of SSL certificates for address types that inherently shouldn't require them, such as "localhost," which exclusively designates the user's own machine.

In 2011, the Electronic Frontier Foundation (EFF) discovered over 2,000 certificates for "localhost" that had been legitimately issued by established and trusted CAs.

Given the frequency with which trusted CAs have issued certificates without initial address validation, legitimate concerns arise regarding other potential oversights. It's plausible that unauthorized certificates for websites may have been mistakenly granted to malicious actors.

Extended Validation certificates (EV certificates) represent an effort to address these vulnerabilities. Previous discussions have detailed the inherent issues with standard SSL certificates and how EV certificates aim to mitigate them.

These attempts to improve security are crucial for maintaining user trust online.

The Potential for Coerced Certificate Issuance

The proliferation of certificate authorities (CAs) globally presents a security vulnerability. Given that numerous CAs operate internationally, any one possesses the capability to generate a certificate for any domain. This creates a scenario where governments might legally force CAs to issue SSL certificates for websites, enabling malicious impersonation.

A recent incident in France illustrates this risk. Google detected an unauthorized certificate for google.com, issued by the French CA, ANSSI. Possession of this certificate would have facilitated man-in-the-middle attacks by allowing the impersonation of Google’s legitimate website.

ANSSI asserted the certificate was confined to a private network for internal monitoring purposes, and not utilized by the French government for external interception. However, even this justification represents a breach of ANSSI’s established certificate issuance protocols.

Implications of the ANSSI Incident

The ANSSI case highlights a critical flaw in the current SSL/TLS ecosystem. The ability of a government to compel a CA to issue a fraudulent certificate undermines the trust inherent in the system.

This situation raises concerns about the potential for widespread surveillance and censorship. If governments can routinely obtain certificates for any website, secure communication becomes significantly compromised.

  • Compromised Trust: The foundation of secure web browsing relies on trust in CAs.
  • Increased Surveillance: Unauthorized certificates enable interception of sensitive data.
  • Censorship Potential: Impersonation allows for the manipulation of online content.

Ultimately, the incident underscores the need for greater oversight and accountability within the certificate authority landscape. Strengthening security measures and establishing clearer guidelines are essential to protect against governmental overreach and maintain the integrity of the internet.

The Limited Adoption of Perfect Forward Secrecy

A significant number of websites currently do not implement perfect forward secrecy (PFS), a crucial security measure designed to enhance encryption resilience. The absence of PFS introduces a vulnerability where compromised encryption can be retroactively broken with a single key.

Intelligence agencies, such as the NSA and similar organizations globally, are known to intercept and store vast quantities of encrypted internet traffic. Should these agencies obtain the encryption key utilized by a website, all previously captured communications between that site and its users become accessible.

How Perfect Forward Secrecy Enhances Security

Perfect forward secrecy mitigates this risk by establishing a unique encryption key for each individual connection session. This means that each communication is secured with a distinct secret, preventing a single key compromise from unlocking all past data.

Consequently, even if an attacker were to gain access to a session key, they would be unable to decrypt other sessions encrypted with different keys. This limits the scope of potential data breaches.

The Implications of Widespread Non-Adoption

Despite its benefits, PFS remains underutilized across the web. This widespread lack of implementation increases the probability that state-sponsored actors could successfully decrypt substantial amounts of archived encrypted data in the future.

The potential for retroactive decryption underscores the importance of broader adoption of perfect forward secrecy to safeguard user privacy and data security.

Man-in-the-Middle Attacks and the Role of Unicode Characters

Related: Understanding the Risks of Public Wi-Fi Networks, Even with Encrypted Connections

Despite the security offered by SSL, man-in-the-middle attacks remain a potential threat. Theoretically, accessing a bank's website over HTTPS on a public Wi-Fi network should be secure. The HTTPS connection is designed to verify the authenticity of the connection.

However, connecting to your bank’s website via public Wi-Fi can still present dangers. Readily available tools allow malicious actors to create hotspots that execute man-in-the-middle attacks on unsuspecting users. A deceptive hotspot might establish a connection to the bank on your behalf, intercepting and relaying data.

Furthermore, attackers can employ "homograph-similar HTTPS addresses." These addresses visually mimic legitimate ones, but utilize subtle Unicode characters to create a difference. This technique is known as an internationalized domain name homograph attack. A closer examination of the Unicode character set reveals characters that closely resemble standard Latin alphabet letters.

The potential for deception exists; the 'o's in a seemingly familiar domain like google.com might actually be visually similar, yet distinct, characters.

We previously explored these risks in greater detail when discussing the vulnerabilities of public Wi-Fi hotspots.

5-serious-problems-with-https-and-ssl-security-on-the-web-4.jpg

Generally, HTTPS functions effectively. Encountering a sophisticated man-in-the-middle attack while casually using a coffee shop's Wi-Fi is improbable. The crucial takeaway is that HTTPS isn't without its vulnerabilities.

Many users place implicit trust in HTTPS without realizing its limitations, and it is not a foolproof security measure.

Image Credit: Sarah Joy

#HTTPS#SSL#security#web security#SSL vulnerabilities#HTTPS problems