SSL: Still Secure When Configured Correctly
The Secure Socket Layer (SSL ) protocol is under attack: in recent months, a succession of vulnerabilities and successful breaches have raised questions about the effectiveness of this ubiquitous security standard. The emergence of DROWN (Decrypting RSA with Obsolete and Weakened Encryption) in early March 2016 may have finally forced IT admins to take action.
The fact that so many attacks are now focused on SSL is more important than you might think.
SSL and its successor, TLS (Transport Layer Security), are responsible for securing a whole range of Internet services. For example, most email and FTP clients support SSL/TLS. And for VPNs based on SSL such security breaches are totally unacceptable.
It is hardly surprising that there are so many issues. SSL was developed by Netscape programmers during the nineties while working on Mosaic, the first Internet browser designed for mass web surfing. In those days security as a concept was completely different from what it is today. This, alongside market release pressures, resulted in SSL emerging as a fairly simple protocol.
Early attacks on SSL were focused on Certificate Authorities (CA) authentication. However, attackers have set their sights on this protocol and its implementation for many years now. DROWN is merely the latest example in a long list of vulnerabilities that have also included Heartbleed, Poodle and Beast.
The biggest change has been the technical capability available to cybercriminals to unearth new vulnerabilities. Twenty years ago the computational power of something like Amazon’s S3 cloud service was only possible for national governments to leverage. It was far out of the reach of the average cybercriminal who were themeselves much less sophisticated than their modern counterparts.
The problem is unlikely to go away, at least until TLS 1.3 is introduced across the board. For now, a patch or settings adjustment is usually available for all known vulnerabilities. Aside from this it is recommended that users stick to the same best practices as they would for any other Internet service. Basic encryption and protocol versions should be set to the highest possible level. Finally, ensure the operating system is hardened and limited only to the most essential hosted services.