« Announcing SSL Pulse | Main | ModSecurity and ModSecurity Core Rule Set Multipart Bypasses »

My Infosecurity London 2012 SSL Panel Notes

May 23, 2012

Last month, GlobalSign invited me to participate on an SSL Panel at Infosecurity London. Other participants were David Holmes (F5), Ryan Hurst (GlobalSign), and Steve Roylance (GlobalSign, moderator). These are my rough notes. I hope you will find them interesting.

Can you tell us about yourself and why you’re here?

In 2009 I quit my job (because I had become bored), and I decided to work on something I can be passionate about. As it happens, that something was SSL. I had discovered SSL a few years before, while working on my book Apache Security, and always wanted to go back to it, to research it in more detail. To my dismay, I discovered that SSL, arguably the most important security protocol on the planet, is poorly documented, difficult to configure correctly, and that there are no tools to test SSL configurations. That's when SSL Labs was born. Today, SSL Labs offers the best assessment platform and for free. In the past 2 years we've conducted several large-scale surveys of public SSL implementation in an effort to understand exactly where we are, when it comes to the security of the Web.

Talk to us about your perspective on the last two years and the breaches at third-party trust providers?

I think that, in the last 2 years we learned that security is not static. It's not something you work on, and then leave it behind. You know, SSL was designed in 1994, and, today, in 2012, remains essentially the same, conceptually. In the meantime, we saw the Web evolve, and evolve around SSL. The threat model of today is vastly different to the threat model of 1994. Eighteen years! So we dropped the ball. But I think that's actually how things work, for us humans. We don't think about security while it's not a problem. As a result of that, security it becomes a real problem eventually, and then we start to think about it. It's a cycle; a never-ending cycle.

How would you describe the current situation of Public Trust on the Internet?

It's not as bad as it seems. I think that, practically speaking, our biggest problem is not that we have too many CAs, but that we cannot yet build secure systems. The events from the last two years made us realise that any system can be broken into, and -- surprise, surprise -- even the CAs. Once you accept that, the obvious problem with Public Trust is that any one CA can create a certificate for any web site. Site owner's permission is not even required. I am hopeful that that will be fixed with a new standard  supporting public key pinning. Then, site owners will be able to say which CAs can issue certificates for their web sites.

Why aren’t Extended Validation certificates saving us now?

You know, back in the day, all certificates used to be "EV". I remember very well jumping through many hoops to get a certificate -- so long ago I don't even remember what year it was. I don't think that many people realise that, prior to EV certs, there wasn't a standard for certificate issuance. Today, there isn't a standard for non-EV certificae issuance [we may get one officially any time now]. So I welcome EV certificates, because they connect your online presence to your off-line identity. That's great, if you need it or if you want it. At the same time, DV certificates are getting cheaper, which is how it should be. The basic security of the communication channel should be available to everyone.

What is your take on the recent advances in cryptographic and protocol focused attacks?

The recent attacks against SSL are a sign of protocol maturity. The reality is that we are not smart enough to foresee all problems when we're designing protocols. So the only way to arrive at something that is secure, is to give it our best shot, start to use it, and fix it as problems are discovered. The recent attacks against SSL demonstrate that people are looking at SSL, and that's a great thing. That means that we're improving. The sky is not falling; but please don't tell everyone. I don't mind the sensational headlines, because they get people's attention. Without the headlines -- without fear -- we wouldn't be able to improve security in the same way. For example, about 75% of all SSL sites are vulnerable to the BEAST attack. I wouldn't mind seeing a sensationalist headline scaring everyone to improve their configuration. The reality is that we need more headlines and more working exploits. How CISO’s should approach trust providers and risk? Choose a CA that you can trust, and a company for which certificate issuance is a significant business (revenue stream). Most of the risk is in-house, in which how you manage your certificates, configure your SSL servers, and implement your applications.

If you were to sit down with an IT manager today and talk to them about his biggest risks relating to SSL what would you tell them?

The biggest SSL-related risk is at the application layer. Your SSL server may be misconfigured today, but you can fix that very quickly. We have people testing themselves using our online assessment tool, getting a bad grade, improving their configuration and even getting a new certificate, just an hour later. And, to be honest, no one is attacking SSL directly. The real risk lies in the application layer, when applications use features that completely subvert SSL. It's like SSL isn't there. We conducted a deep survey of these issues last yar (in the most popular web sites), and the conclusion was that most sites are vulnerable, and SSL effectively useless. I have a lot of hope for declarative security measures. For example, HTTP Strict Transport Security is an emerging standard where you can declare that your application/site uses only SSL (never plain-text HTTP). That means that, even if your application contains implementation errors, you remain secure. I also have a lot of hope for new protocols, which will include SSL as a mandatory component. Eventually, we will migrate to an Internet that is 100% encrypted. I hope.

What do you think is the future of Public Trust?

Realistically speaking, I think we will stay pretty much where we are. Public Key Pinning will remove the most obvious problem. To change anything else -- that's too much work for anyone's taste. I would very much like to see browsers incorporate some elements of crowd-source (Covergence-style) trust for those who understand it. Password-based SSL authentication could be interesting.

What changes are being proposed to augment existing security technologies and how these changes may affect the industry?

We've seen many proposals, but not all of them are equally easy to implement. For example, there's DNSSEC that implements a secure DNS, and DANE, which is a bridge between secure DNS and PKI. Because there is no doubt that we need a secure DNS, I have no doubt that DNSSEC will be widely deployed, eventually (it will take a few years). In the meantime, low-effort proposals, such as HSTS and Public Key Pinning, are likely to become practical. Technically speaking, other proposals can become reality, too, but they require a lot of lobbying and involve a lot of politics.

What do you think about DNSSEC and DANE?

There's one aspect of DANE that I am not sure about, and that's the ability to have valid certificates without CAs. It's not that I like CAs very much, but we forget that the PKI infrastructure was designed to be independent of DNS. And, with DNSSEC, we will revert to only one trust root -- that in the DNS. On the other hand, everyone deserves basic security, and that's something DNSSEC will most certainly achieve. The biggest problem is that with current CA-based ecosystem or with DNSSEC, site owners have no say.

What are the biggest problems of the security industry?

Our biggest problem is in having the security industry in the first place. Security is the business of the developers (used here in a wider sense, to mean those who implement things.) We have the security industry today only because those who are implementing our systems are not building security in. And that's our biggest problem. It's only when the economics of secure development improve that we are going to see substantial improvement in security. Apart from that, our biggest problem is complacency. For example, the CAs, who were (and are) getting serious money from issuing certificates, could have stayed on top of things. The could have tracked the threat model and reacted to new threats. (I don't actually blame CAs for that. I mean, I do, but, ultimately, a wider community should take the responsibility.) Browser vendors could have fixed usability issues (rather than putting the burden of security on the shoulders of end users). And so on... We need our incentives aligned, so that it is in everyone's interest to have better security.