SSL encryption is no cure for insecure software. - Information Security Magazine - Page 1

Perspectives: SSL No Security Blanket

Encryption cannot patch the holes created by insecure software.


Security practitioners love SSL, and with good reason. It is well designed with support for multiple encryption protocols, and is easily reconfigured in case any should get cracked or outdated. It is an incredibly useful tool, protecting transactions as they cross otherwise insecure channels such as the Internet. It's also great for certificate-based bilateral authentication, provided of course you actually have the cash and personnel resources to maintain it.

If anything, SSL is too well implemented, and people think it covers all their needs, like a giant security blanket. They forget there is much more to security than just using SSL.

Gene Spafford famously once said, "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." He's still right today.

Although operating systems are more secure than they were 10 years ago, and we are much better at patching them, that isn't sufficient. Dan Geer recently released an extensive paper on trends in the information security industry. Using data from the National Vulnerability Database, he quantitatively showed what we already had intuited: Attackers have moved to targeting applications with great

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

success, exploiting cross-site scripting and SQL injection vulnerabilities by the boatload.

Despite what we know and what industry leaders like Microsoft and Oracle have done to make their products more secure, the software industry just doesn't seem to get it. While some Web-based applications display badges from services like Hacker Safe, which actually test for vulnerabilities, these sites are few.

If you look at the average Web-based application, you're lucky if there's a reference in the vendor's privacy policy about use of SSL or a cute badge advertising its SSL vendor. While it is gratifying to know the risk of someone sniffing my credit card number is effectively zero when using a particular Web site, this unfortunately doesn't tell me a single useful thing about the security of the application, and odds are, the security is poor.

This was first published in February 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top