Conclusion on SSL/TLS

17 08 2011

I decided to focus on the SSL and TLS protocols in this blog series rather than on any of the other secure communication protocols because I feel that the secure transport of browser traffic is set only for exponential growth. With the pressing need for online personal accounts and the push towards cloud computing, we can all expect to be entering sensitive information online sooner or later.

As you can see, SSL and TLS are far from invulnerable protocols, even after almost 20 years of improvements and revisions. However, when compared with other technologies that have been around for that length of time, they have actually proved to be among the more robust ones.

Since the protocol was taken over by the Internet Engineering Task Force, flaws such as the redirection attack mentioned earlier have often been fixed quickly. The issue with these flaws is the time it takes vendors and administrators to patch their software and sites, leaving users' data vulnerable in the meantime.

In many of the examples given of defeating SSL and TLS, it is not the protocols themselves that allow the data to leak. The vulnerabilities surrounding these security protocols often have more to do with the worsening certificate ecosystem and with user education. This will only get worse unless something is done about growing companies' lackadaisical approach to validating users. Because of this slip in validation, the traditional SSL certificate has to some extent been superseded by the Extended Validation (EV) certificate, which is not only more expensive but also requires the issuer to follow a set of criteria (http://www.cabforum.org/Guidelines_v1_2.pdf) before issuing the certificate.

Sites such as Hotmail and Gmail are now becoming slightly savvier to SSL and TLS bouncing attacks by starting the user off on encrypted pages, which avoids SSL stripping attacks. Also, since the release of Firesheep late last year (http://codebutler.github.com/firesheep), a session hijacking tool that preys on users sharing an unencrypted Wi-Fi connection, sites such as Facebook and Twitter now give users the option to stay on HTTPS for their entire session (Rice, 2011).
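The two defences described above, starting the user on HTTPS and keeping the session there, come down to a few concrete server-side rules. The following is an added illustration written for this post, not code from any of the sites named; it assumes a hypothetical request object and a hypothetical session cookie named `sid`, and shows a cleartext request being bounced to HTTPS before any cookie is issued, the cookie being marked so a browser never sends it over plain HTTP (which is what a Firesheep-style sniffer on open Wi-Fi relies on), and an audit helper that flags cookies lacking that flag.

```python
"""Keep a web session on HTTPS end to end (constructed example, not a real site's code)."""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlunsplit

Headers = List[Tuple[str, str]]


@dataclass
class Request:
    scheme: str  # scheme the connection actually arrived on: "http" or "https"
    host: str
    path: str


def session_cookie(sid: str) -> str:
    # Secure: the browser will not send it over cleartext, so a sniffer on an
    # unencrypted Wi-Fi link never sees the session token.
    # HttpOnly: page script cannot read it.  SameSite=Lax limits cross-site use.
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle_login(req: Request, sid: str) -> Tuple[int, Headers, str]:
    """Serve the login page only over HTTPS; otherwise redirect without setting state."""
    if req.scheme != "https":
        # Never set a cookie or render the form on a cleartext request; a stripped
        # connection must be bounced to HTTPS before anything sensitive happens.
        target = urlunsplit(("https", req.host, req.path, "", ""))
        return 301, [("Location", target)], ""
    headers: Headers = [
        ("Set-Cookie", session_cookie(sid)),
        # HSTS tells the browser to use HTTPS for this host on all later visits,
        # so a later plain-HTTP link cannot be used to downgrade the session.
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]
    return 200, headers, "logged in"


def cookies_missing_secure(headers: Headers) -> List[str]:
    """Audit check: names of Set-Cookie values that lack the Secure attribute."""
    weak = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:
            weak.append(cookie_name)
    return weak
```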

There are always new efforts arising to increase the security of the SSL and TLS protocols. However, these will only ever be additional steps bolted onto the existing network model to satisfy the growing need to secure data over a system that was never designed for this kind of traffic. The latest version of TLS, 1.2, has however been designed in such a way that it will most likely be in use for some time to come.

One response

11 08 2014
Johnd265

Thanks for the sensible critique. My neighbor and I were just preparing to do a little research about this. We grabbed a book from our area library, but I think I learned more clearly from this post. I am very glad to see such wonderful info being shared freely out there.
