In the wake of the increase in a number of cyber-attacks, ensuring online security has become absolutely essential. A necessity for every web page that holds sensitive user data and utilized by millions of online businesses, SSL is used to secure connection from a web server to a browser. SSL, standing for Secure Sockets Layer Usually used to secure credit card transactions, one of the most pertinent social security tip is to only enter one’s credit card and personal details that are SSL certified.
What are SSL certified websites?
Use interface redressing and other malware, make carrying secure online transactions tedious. Cyber security experts swear by using SSL certified websites as the most important internet security tip for online buyers and sellers. A globally used technology, SSL certificates ensure an encrypted flow of date between the web server and the web browser; therefore, decreasing the risk of sensitive information such as (e.g. passwords, credit card number etc.) from getting into the wrong hands. In order to enable such security and discretion, SSL certificates are installed on the web server.
Impact of SSL
One of the most vital cyber security tips is to check for a padlock site beside the website name in the browser. The padlock sign means the connection is secure, in other words, the conversation and flow of data between the web server and browser are private; not privy to outsiders. SSL certificates impact the level of trust a web user has on the website, it not only validates the identity of the websites, therefore, ensuring that it is not a bogus site; but also encrypts such sensitive data.
Examples
How SSL works is very simple, it simply uses a string of random numbers as the key. For example, if a message is sent to me via a user, this message will only be decrypted using the string of numbers that classify as my private key. If a hacker or external software tries to intercept, all they will get is a code cannot be deciphered even by the power of a computer.
Web sites such that require the input of and the collection of sensitive information such as medical records, credit card information, personal information etc. Examples being Amazon, Ebay, Lloyds bank, Citibank etc.
SSL Security Concerns
Different websites, depending on the sensitivity of the information they require, store and collect, different levels of encryption are required. Separated by the number of domain names and the level of validation, there are different SSL certifications.
One of the biggest problem and a major security concern is the void of information due to a number of certificate issuing authorities. You might get you certificate from an authorized issuing authority, but attackers might trick another authority into issuing another certificate for your domain.
Secondly, another security concern stems from the lack of diligence of certificate issuing authorities. In the past, they have issued certificates to dodge websites that don’t require certificates in the first place.
An issue with the SSL implementation lies in the fact that most websites don’t use ‘perfect forward secrecy’. Perfect forward secrecy helps protect user data by generating a unique key for each session, so all data can’t be locked with a single key. Lack of use of PFS means that the hacker could unlock and retrieve all data with a single key.
External sources of threat such public Wi-Fi hot spots may also cause a leak in otherwise sensitive data. This mostly happens when a user is roaming via cell phone. It is therefore regarded as the most important mobile phone security tip to use your own 3g connection provided by your connection carrier.
Recent Attacks
Out of all the cyber-attacks according to conducted by McAfee Labs Threat Report 2016, 11% of all cyber-attacks are SSL related. Some of the most recent and most notorious SSL attacks were exploitations of SSL vulnerabilities, some of them being:
POODLE (Padding Oracle On Downgraded Legacy Encryption)
Heart bleed
Shellshock
Lucky13
RC4 Cipher
FREAK work
Exploiting these SSL vulnerabilities, in 2016, a Brazilian Bank known as Banrisuls website was taken over for an entire afternoon. A major bank in south brazil, Banrisul has over $25 million worth of assets and 500 branches spread across brazil. Due to security reasons, the details and the attack haven’t been fully disclosed, SSL loopholes gave way for attackers to achieve 2 certificated that led to the attack.
Conclusion
For the layman, SSL certification is enough for a website to be considered safe, but over time, with vulnerabilities like POODLE mentioned above, it is clear that the SSL system is archaic if anything. Even though newer updates seek to fix these loopholes, it is clap parent that lack of control over issuing authorities and actual implementation of the so-called encrypted for of information is far from being achieved in reality. It is true that while SSL theoretically seeks to encrypt data from end to end basis, in reality, it is only able to encrypt it point to point, therefore, making it privy to attacks and exploitation of loopholes.