
May 25, 2011

A study of what really breaks SSL

Earlier this year, we at SSL Labs conducted a second, much deeper survey of SSL usage. (I can now say "we" and really mean it, because most of the work on the survey was done by my Qualys colleague, Michael Small.) I presented the results last week at Hack In the Box Amsterdam:

We love security metrics because they tell us what really goes on out there. Last year we conducted an analysis of millions of SSL servers, showing, for the first time, how SSL is really used. This year we are pushing our study further by deepening and expanding our efforts in several key areas. We will be looking at the problems that really break SSL — insecure session cookies, mixed content, incorrect site configuration, and distribution of trust to third-party sites. The best crypto in the world is not going to help a site that has flaws in these critical areas.

To discover these flaws we are building a custom site crawler, which we are then going to run against the world’s 1 million most used web sites. In addition to all that, we are expanding the scope of the study to include protocols other than HTTP, as well as basing our assessment on an updated version of the rating guide. The end result? We are finally going to find out how useful SSL really is.

Get the slides here:


Comments


Within the slides (slide 27, I haven't seen the presentation) it says:
"Sites without redirection are easily exploitable via sslstrip or Firesheep"

I beg to differ if redirection = HTTP->HTTPS: with or without redirection sslstrip can easily "exploit" them.
In fact one can have an HTTPS-only site (no plain HTTP) and users will still be easily "exploited" if they do not type https:// or use HSTS with a pre-loaded list or so.
From a technical point of view redirection (HTTP->HTTPS) is a pretty bad way of using SSL. Unfortunately it will stay for a while...

Cheers!
Adrian

Adrian,

My point was that the sites without redirection are clearly easily exploitable. Those with redirection may be exploitable too, but it's not going to be as easy. For example, if you always redirect to SSL, the users are going to bookmark the SSL pages and go to them directly in the future.

At the end of the day, the only way to be reasonably secure is to use HSTS with a long-term expiry time.
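The reply above rests on two checks a site operator can verify from captured response headers: does the plain-HTTP response redirect to HTTPS, and does the HTTPS response carry a Strict-Transport-Security policy with a long max-age. The Python below is an added example, not code from the post or from the SSL Labs crawler; the one-year threshold, the finding names and the sample headers are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600   # assumed threshold for a "long-term" HSTS max-age
REDIRECTS = {301, 302, 303, 307, 308}

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Returns None for a malformed header or one without max-age."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:              # RFC 6797: a directive must not appear twice
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():     # max-age must be a non-negative integer
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored by browsers, so they are ignored here too
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def assess(http_status: int, http_headers: dict, https_headers: dict,
           min_age: int = ONE_YEAR) -> list:
    """Return a list of findings (empty list = both checks pass). Header names are lower-case.
    http_*  : the response to the plain http:// request for the site
    https_* : the response to the https:// request; HSTS is only honoured over TLS (RFC 6797 8.1)"""
    findings = []
    location = http_headers.get("location", "").lower()
    if not (http_status in REDIRECTS and location.startswith("https://")):
        findings.append("http-no-redirect")        # content served in the clear, nothing pushes users to SSL
    sts = https_headers.get("strict-transport-security")
    if sts is None:
        findings.append("no-hsts")                 # a redirect alone still leaves every first request exposed
    else:
        policy = parse_hsts(sts)
        if policy is None:
            findings.append("hsts-malformed")      # browsers discard an invalid header entirely
        elif policy.max_age < min_age:
            findings.append("hsts-max-age-short")  # policy expires too soon to protect returning users
    return findings

# Constructed sample: a site that redirects but publishes a short-lived HSTS policy.
SAMPLE = assess(301, {"location": "https://example.test/"},
                {"strict-transport-security": "max-age=600"})
```

An empty result from `assess` corresponds to the combination the reply recommends: redirect to SSL plus HSTS with a long-term expiry.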



ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
