By David E. Stern, CISSP
For those born in the last 30 years, it is impossible to relate to the fear of nuclear holocaust that was so pervasive in the darkest hours of the cold war. The government embarked on an educational campaign to teach people to duck under a desk and cover their eyes upon sensing the first light of an atomic flash. Despite the fact that duck and cover wasn’t going to keep an atomic fireball at bay, it gave society a sense of hope so that they could live productively.
In my opinion, SSL is our generation’s “duck and cover.” We educate the masses that a site is secure if that “little lock” is present. In a virulent Internet environment rife with danger, we put our faith in SSL so that the e-commerce engine can chug along.
To understand the advantages of SSL, we first must explore some basic concepts of trust. When walking through an unfamiliar neighborhood on a hot day, Pat wouldn’t think twice about buying a cold drink from a seedy corner bodega. The risks associated with making a small purchase from an unfamiliar merchant is relatively small. For opposite reasons, Pat would probably not purchase an HDTV from a corner electronics store in the same neighborhood. However, if a trusted friend directed Pat to the same corner electronics store, vouching for a particular salesperson, the outcome would be much different. The store is the same, the merchandise is the same, but in the latter case, the element of trust changes the outcome.
The same paradigm applies to ecommerce. Consumers are expected to navigate to an abstract entity known as a website, select items that they cannot touch, and provide payment information to a machine that they cannot see. To make this work, an element of trust needed to be introduced.
SSL security starts with a trusted 3rd party who vouches for a website. The 3rd party uses a process whereby they validate that the website and the Internet space that it occupies, is actually what it claims to be (more on this later). The 3rd party then uses cryptographic means to generate a “certificate” that is given to the website for presentation to its visitors. A web browser will compare the information in the certificate with the website itself to determine if there is a match. While Pat may not know the owner of the website, Pat knows that the 3rd party is trustworthy and vouches for the website. The same cryptographic mechanism can also be used to encrypt whatever information passes from the user to the website.
The ability to generate certificates is not restricted to trusted 3rd parties. Anyone can create a certificate and present it on their website. If a user navigates online to the equivalent of an unfamiliar, seedy corner electronics store they will be presented with a certificate and their transactions will be encrypted. But if the certificate wasn’t generated by a trusted party, then there really isn’t any security at all.
The problem is compounded by the loosening of the issuer’s domain verification processes. Many issuers will validate a domain based on the most basic registrar information instead of a more thorough review of their physical and financial veracity.
Herein lays the problem. The average online consumer does not understand the nuances of web trust models. In fact, the average online consumer doesn’t even read the popup box generated by the browser warning that the certificate is invalid. Phishers (purveyors of fake websites designed to trick a user into sharing their most trusted online passwords) are so successful because the victims aren’t educated to check the certificate credentials. We have trained the masses to trust SSL, and now that trust is used against them.
A somewhat effective solution has recently started to appear in the latest versions of web browsers. Recognizing the “click through” culture of Internet users, Internet Explorer and Firefox web browsers now prominently display warnings about bad certificates. In fact, a user must really try hard to ignore the warnings.
To shore up the trustworthiness of SSL certificates, a new type of SSL certificate has been developed called an Extended Validation Certificate. With an EVC, an issuer verifies the legal, operational, and physical identity of a certificate requestor. Newer versions of web browsers can indicate if an EVC is being used.
As with most security issues, user awareness is the most effective way to solve this problem. A person who wouldn’t think twice about using a funky ATM machine in the middle of a dangerous neighborhood should also think twice about making online transactions with unfamiliar websites.
Trust is something that cannot be protected by a firewall or scanned for vulnerabilities. Because there are limits to technology’s ability to represent trust in a manner that can be protected, the ultimate protection scheme lies in the human brain.