In Bruce Schneier‘s March 15, 2003 CRYPTO-GRAM it is persuasively stated what most people dealing with ecommerce and security have had lurking in the back of their heads but never dared say loud and clear out in the open:
Nobody bothers eavesdropping on the communications while it is in transit. Even if SSL were irrevocably broken, it wouldn’t affect Internet security very much. There are two reasons. One, SSL is almost never used in a secure manner. And two, SSL doesn’t solve an important security problem.
Bruce Schneier continues:
SSL establishes a secure channel between a client and a server. In
order for you, the SSL client, to ensure that the channel is secure,
you need to authenticate the server. You can do this by looking at the
SSL certificate (your browser allows you to do this) and making sure
that the server you have established a secure channel with is the one
you want to talk to. My guess is that approximately no one ever does
this. I certainly never do it. This means that you are using SSL to
establish a secure channel with a random person. Imagine you are
sitting in a lightless room with a stranger. You know that your
conversation cannot be eavesdropped on. What secrets are you going to
tell the stranger? Nothing, because you have no idea who he is. SSL
is kind of like that.
SSL solves the security problem of transferring sensitive information
between browsers and webservers. Mostly, I see it used to protect
credit card transactions; people are concerned about hackers stealing
their credit card numbers as they move through the network. By now it
should be obvious that hackers don’t steal credit card numbers one by
one across the network; they steal them in bulk — by the thousands or
even millions — by breaking into poorly protected networks. Many
smaller e-commerce sites don’t use SSL to protect their credit card
transactions, and even there this kind of attack simply doesn’t happen.
I admit that my Reuters quote is a bit of an overstatement. SSL is
used to protect personal information between customers and online banks
or brokerage houses, employees and employers, patients and insurance
companies, etc., but by and large SSL is for show. The real risks to
personal data are the large databases at the endpoints, not the
communications between them. I wouldn’t discard SSL as being
irrelevant, but neither would I worry very much if it could be
attacked. Security is only as strong as the weakest link, and SSL is
nowhere close to being the weakest link.
Leave a Reply