How is SSL hopelessly broken? Let us count the ways • The Register


Excellent article discussing the flaws in SSL, mostly problems with Certificate Authorities. The comments are also worth reading.

However, the deeper problem is that most end users don’t understand the three types of certificates – Domain Validated, Organization Validated, and Extended Validated.

Browsers need to alert consumers to the three types and indicate the low level of trustworthiness of DV certs. Consumers would then begin to shy away from sites using DV certs, which would push web sites to use OV and EV certs. Without this, web sites are going to continue to use DV certs.

While this won’t solve all of the SSL problems Dan Goodin identified, I think it would be a big improvement.
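One way a user agent could surface the distinction argued for above, as an added example that is not from the original post: classify a certificate as DV, OV or EV from the subject fields that `ssl.SSLSocket.getpeercert()` returns, and flag DV. The classification is an assumption and a heuristic (DV subjects carry no organization; OV subjects carry one; EV subjects additionally carry the businessCategory and jurisdiction attributes); the authoritative signal is the certificate-policy OID, which `getpeercert()` does not expose. The sample certificates are constructed.

```python
import ssl
import socket

# Subject attributes present only in EV certificates (assumed markers).
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "jurisdictionC"}


def subject_fields(cert):
    """Flatten getpeercert()'s subject (tuple of RDN tuples) into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert):
    """Heuristic DV / OV / EV classification from subject fields only."""
    s = subject_fields(cert)
    if not s.get("organizationName"):
        return "DV"          # only domain control was checked
    if EV_MARKERS & set(s):
        return "EV"          # identity vetted under the EV guidelines
    return "OV"              # organization identity checked


def warning_for(cert):
    """The kind of notice the post argues browsers should show for DV certs."""
    if validation_level(cert) == "DV":
        return "DV: only domain control was checked; site identity is unverified"
    return None


def peer_validation_level(host, port=443):
    """Live check against a real server (not exercised offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return validation_level(tls.getpeercert())


# Constructed sample subjects in the shape getpeercert() returns.
DV_CERT = {"subject": ((("commonName", "www.example.com"),),)}
OV_CERT = {"subject": ((("countryName", "US"),), (("localityName", "Springfield"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
                       (("countryName", "US"),), (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, validation_level(cert), warning_for(cert))
```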

Is SSL safe?

Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered that while the state of SSL websites is “average” in terms of security, SSL is rarely targeted by attackers today. “I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”