Thursday, July 16, 2009

Is SSL broken?

I was reading Network World and for a very brief moment was alarmed to learn that SSL is not secure and that Tim Greene recommends (or is he quoting the researchers opinion?) that people should not use public wifi even for SSL-safe browsing.

[Network World article says "SSL VPN..." although the threat if real should apply to non-VPN uses of SSL as well and the examples cited are for online banking and most people won't call an SSL connection to their bank an SSL VPN. SSL VPN is the extension on an "intranet" over the internet using SSL to secure it]

Then I found the this article that seems to have slightly more data. I havn't seen the demonstration but I have a suspicion that this is much ado about nothing. It seems the flaw is that if parts of the page are EV SSL and other parts are not EV SSL the browser does not complain as long as the domain is the same. (The part is bold is my assumption but if it is true, there is nothing to worry about. If my assumption is not true all hell will break loose, public Wifi or not!). I think all parts are not EV SSL because the site owner did not want to shell out extra money for EV SSL certificates for every sub-domain. This makes sense, because EV SSL is pretty much useless and I don't understand why the website got an EV SSL certificate at all!

If you read this and know that my assumption above is false, please comment and let me know. I should stop using the internet!

Update 3.11pm: Found the abstract here:

[scroll down to find "Alexander Sotirov, Mike Zusman
Breaking the security myths of Extended Validation SSL Certificates" ]

My assumption is valid. SSL is still secure. Their point is that EV SSL is not more secure than cheapo SSL.

"Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate"

We already know that is true...this is one more reason and makes it "truer", if that is possible :-)

1 comment:

ssl247 said...

Yes, I can see where you are coming from with your summise.