Some Thoughts on SSL Security


I thought of sharing my thoughts on SSL as this is something that has been in the headlines recently. There are a lot of great things about SSL in terms of security. However, it is also important to learn about the weaknesses of SSL.

SSL encryption provides a mechanism for a web server and a web browser to exchange data via an encrypted “tunnel”. They do this by a secure exchange of encryption details.
• The client requests information from the web server via SSL
• The server replies with its digital certificate and encryption preferences. The certificate includes a public key.
• The client generates a session key which it then encrypts using the server’s public key. This is sent to the server.
• The server uses its private key to decrypt the session key.
• The client and server both now have the session key, and this is used to encrypt all data exchanged in both directions for the rest of the session.
• In addition, each packet is signed to ensure that no tampering takes place.
SSL provides Authentication – using a “web of trust” model. If you visit my employer’s SSL based websites then you / your browser decides to trust us based on the following:
• Our server obtains a certificate from a trusted “root certificate authority”.
• The root CA should take steps to verify that someone who applies for a certificate is who they claim to be. This should involve actual investigation of the business, checking details of registered companies, and the like.
• Your browser has certificates from these root CAs. When it receives a certificate from a server, it checks its own records for a corresponding “root CA” certificate.
• It uses this to ensure that the certificate just presented to it is legitimate.
• In other words, you trust me because “Honest John’s certificates” says that I am who I claim to be, and you have decided that you trust Honest John.
• Now are you sure that you really trust Honest John? Are you sure that he really verified my claims?
• Are you sure you trust your web browser? The most likely scenario is that the certificates in use will be pre-loaded by the browser developers, not hand picked by you.

SSL vulnerability has been exposed recently hence the need to be educated regarding this so that you can patch up some of the vulnerabilities.

As an exercise for the reader, where do you think this model breaks down to allow the “break” described below and elsewhere?