Saturday, January 3, 2009

SSL vulnerabilities and user education

Every couple of weeks a new exploit or vulnerability manages to get the attention of the press. Perhaps it was the slow holiday news cycle that led to the multiple articles claiming "SSL Broken!

Let me first confess that I haven't read through all the details, or even most of the details, of this research. Like almost everyone else, I have read summaries. We live in a reputation based world, and the fact that Arjen Lenstra's name is on the paper leads me to believe that the technical details are sound. They are claiming that they have forged certificates based on MD5. Ummm, okay - but how important is this?

SSL certificates obviously serve some purpose - otherwise Verisign, Thawte, and the like would be out of business. But the importance of certificates lies less in their cryptographic strength and more in the process they establish for clients to connect to servers. Money can be forged, checks can be forged, and of course most significantly hand written signatures can be forged.In 2009, for better or for worse, we still live in a society where most large scale real estate transactions still require a notary's seal right out of the Middle Ages (a few weeks back a newspaper in New York managed to forge their way into buying the Empire State Building). Almost every day-to-day business transaction is vulnerable to fraud when confronted by a motivated criminal. So why the fuss about the SSL certificates?

There is a simple reason the SSL news made it from the crowded security conference circuit and appeared fleetingly in the MSM. Users have been conditioned to believe that https means secure and that everything is OK as long as they see that little yellow pad lock. I recently saw a Verisign marketing video where they interviewed a bunch of people on the street and asked them what measures they take to protect themselves online. In this very unscientific survey a large number of respondents answered that they look for the little yellow lock that indicates SSL encryption.

It's pretty amazing that the average person on the street knows (kind of) what SSL encryption is, and has somehow been conditioned to look for the little yellow lock. Now of course an https enabled site is obviously more secure than an http site. Someone could theoretically be sniffing traffic, get your credit card number, and use it for dark and nefarious purposes. But is this the main threat facing users? How much fraud has actually occurred as a result of someone going onto an unencrypted site and a criminal sniffing that traffic?

Unfortunately there is very little data on this, and it is the kind of statistic that may be inherently immeasurable. But I am willing to venture a guess here - your online risk from sending your data unencrypted is dwarfed by your risk of generally sharing your data with a large number of entities on the Internet (and many others have commented on the fact that the real risk is not data in transit but data at rest). And your risk of giving your data to a site that you would have otherwise avoided because of a browser warning is even smaller. Do you know anybody who still pays attention to browser certificate warnings?

Expecting users to be able to make decisions about certificates is rooted in the absurd notion that the average user is capable of being their own sys admin. It reminds me a bit of the whole discussion around identity theft. Instead of telling people that they should limit the number of entities that they do business with (you do not need to have a credit card or reward members card from every company you have ever bought something from), we end up with convoluted advice about monitoring credit. Which leads to an entire industry of credit monitors gathering even more data...

But I digress. Let's get back to user education. User behavior is very very tricky business, as any marketing professional will tell you. As security professionals we are always calling for technology neutral laws. User education should for the most part be technology neutral as well. Forget the little yellow boxes and green browser bars and the like. The real message should be

1)  Use common sense,
2) Separate your online identity from your online fun. Try to use different computers/browsers/accounts for your business and purely personal browsing.
3) Don't run and install too much stuff on your computer
4) Don't have too many things on your computer at the same time (it is amazing how many web based attacks can be prevented by closing all your browsers before you buy online)
5) Don't give away personal information on the web when you don't need to
6) And again, use common sense.


No comments:

Post a Comment