Is SSL safe?

Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered with, “While the state of SSL websites is “average” in terms of security, SSL is rarely targeted by attackers today. “I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”