“Change is a challenge and an opportunity, not a threat”, – (words coined by Prince Philip,Duke of Edinburgh) And readers Iam just yelling up on the Cyber security threats revolving frequently against SSL, as It normally compel the Cyber Experts to accept frequent challenges.
Recently in October 14 the web world witnessed yet another Internet bug that threatens to make your private conversations public. The new enemy: “Poodle” attacks.Previous attacks like Heartbleed and Shellshock allowed hacks against servers while POODLE allows hacking clients (your web-browsers) .
“My browser outputs the padlock and voila… I am secure” , Is it So ? Do you get my point ? Of course you do , Most of You will be familiar with the padlock icon to indicate the connection is secure while we visit a secured site as it highlights the ‘https’ text in green. But those green indicator have already blown up the several organizations security strategies.
What is SSL/TLS ? (A Roll back into it’s basics)
The TLS (Transport Layer Security) protocol and its predecessor, the SSL (Secure Sockets Layer) protocol, are a core part of HTTPS (Hypertext Transfer Protocol Secure), the primary method of securing communications on the Web. SSL is probably the most important security protocol on the Internet. We mostly refer to SSL by the dual moniker SSL/TLS, since the protocol suite known as Secure Sockets Layer was upgraded and renamed to Transport Layer Security back in 1999.
SSL/TLS Version History
- SSL 1.0: Dates back to the early 90s and was never publicly released (originally developed by Netscape)
- SSL 2.0: From 1995 and met a need in a rapidly emerging web world, but was rather buggy
- SSL 3.0: Launched in ‘96 and solved a bunch of issues from 2.0 via a complete redesign
- TLS 1.0: Came into being in ‘99 and was an evolutionary improvement on SSL, albeit one without interoperability
- TLS 1.1: RFC from 2006 and contains various defences against attacks on earlier versions
- TLS 1.2: This time from ‘08 with a bunch of features to strengthen the cryptographic implementation.
The DTLS (Datagram Transport Layer Security) protocol is based on TLS and used for encrypting connections between applications that communicate over UDP (User Datagram Protocol).The comparison of TLS implementations could be viewed at Comparison_of_TLS_implementations
Is there a Bad SSL Certificate?
SSL users can also get help through a recently started SSL Blacklist , an online and downloadable resource of SSL certificates associated with malware or botnet activities.
How a Normal SSL or Man – In – Middle Attacks works ?
Say the connection between your browser and the destination server at the URL you’re visiting is supposed to be encrypted. But due to the fact the certain types of SSL certificates (which help handle the encryption) can be forged, an attacker could set up their fake server that pretends to the be the real destination server, and thus insert themselves in the middle of the connection. When that is done, the attacker has control over the connection and the data, and can thus decrypt your data, manipulate it, and/or pass it on to the real intended destination server.
Does SSL Matters?
Yes it’s now white clear with the recent PODDLE – ( Padding Oracle On Downgraded Legacy Encryption ) attack [CVE-2014-3566], SSL got poked again which intruded and created a gap hole in several organizations security strategy.Even with a trusted SSL connection the SSL attacks could gain administrator access to cloud servers. You could view the vulnerabilities reported recently via OpenSSL [OpenSSL is an open-source implementation of the SSL and TLS protocols.] .Though Transport Layer Security (TLS) has taken over it’s predecessor SSL ,still globally SSL is widely used.
To an extend with the PODDLE attacks reported, firmly resulted SSL3 as almost a dead face ,and it seems that browser vendors are not interested in that approach. Firefox said they would disable SSL 3 in Firefox 34. Google now plans to remove SSL 3.0 altogether from its client software, including the Chrome browser, in the coming months.
Research Exposes the Gaping hole
A POODLE attack could use techniques similar to those used in the BEAST attacks (Browser Exploit Against SSL TLS-This attack was revealed at the Ekoparty Security Conference in 2011) to implement man-in-the-middle type attacks and intercept session cookies used to log on to web mail and other online accounts, so the attacker can access the encrypted data.
Prior to the POODLE Attack was the Heartbleed vulnerability in OpenSSL— (around from 2011) —is in use in nearly 20% of the world’s web servers. These numbers ironically exposes the impact of a single vulnerability has on all organizations when keys and certificates are exposed. You could view the SSL pulse rate , [a project created by Qualys to monitor the quality of SSL/TLS support across the Web].
Another attack that had global impact was the the Mask APT operators ( identified as “one of the most advanced threats” ) Compromising a rampage on organizations. The most funny (ironical) thing was it was around 7 years, Mask attacks went undiscovered, stealing credentials such as SSL, VPN, and SSH cryptographic keys and digital certificates.
About 25 to 30% of all Enterprise Network Traffic is encrypted with SSL/TLS currently. According to Gartner [ the world’s leading information technology research and advisory company] SSL traffic will grow 25% every year. While FireEye, Inc. (Cyber Security & Malware Protection Inc.) upon analysing the most downloaded free apps in Google Play,confirmed that nearly 68 percent were impacted by secure sockets layer (SSL) vulnerabilities.These popular apps allow an attacker to intercept data exchanged between the Android device and a remote server.
New Approaches : Keyless SSL
Cloud security vendor CloudFlare is out recently with a new technology approach called Keyless SSL that aims to overcome a key barrier to organizations’ adoption of the cloud.CloudFlare provides a cloud-based security service that can protect organizations against multiple forms of attack, including large-scale distributed denial-of-service (DDoS) attacks. More at Keyless SSL
Alternatives to SSL?
Partially we have to admit the efforts employed by SSL Developers , though the SSL security involve decreasing risks , lots of enhancements and improvements are being made in the SSL/TLS protocols (servers and client systems ) to protect and reduce the impact of vulnerabilities and exploits. Mostly the packages included by operating system and application vendors to manage and support SSL and its supporting systems have been drastically improved.Also most security vendors and experts indicates that POODLE attack brings some positive changes too as it has sounded the death knell for the older version of the SSL protocol for encrypted communications.
If you reached at this point under this article , readers , definitely I have a query to you : If SSL is “broken”, is there a technology that replace it and be more effective? Is there a more secure alternative? Do you have any predictions for what the next generation of online security might be?