Defeating SSL, part deux

A commenter on my post re: public key crypto made the accurate observation that given a properly implemented PKI with out-of-band key exchange, SSL *is* secure.  I can’t argue with that.  My point, which I don’t think I made well, is that there are so many possible points where the implementation can go wrong, the chance of being vulnerable to at least one is unacceptably high today.  I’ve outlined some threat models here.

First, a refresher on how SSL works and the existing PKI system for it.  When your browser connects to an SSL-enabled web site, the site sends its certificate: its public key, its host name, and a signature over both made by a Certificate Authority.  Your browser verifies that signature with the CA's public key, which was (normally) installed in the browser when you installed it.  If the signature checks out under the CA's public key, you know the site's SSL cert was signed by the CA's private key, and if the host name in the cert matches the one you typed, you can trust that the public key the web site is providing you is the right one.
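Here is that check made concrete with the openssl command line, as an added example that is not part of the original post: it builds a throwaway CA, has it sign a certificate for a made-up host name, and runs the same verification a browser performs. It also builds a second, unrelated CA that signs a certificate for the same host name, which is exactly what trusting every CA in the list allows. All names (Demo Root CA, Rogue CA, bank.example, evil.example) are assumptions for the demo; it needs an openssl with -verify_hostname (1.1.0 or later) and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway PKI built with the
# openssl command line to show what "signed by the CA" means and what the
# browser-side check actually decides. Every name here (Demo Root CA, Rogue CA,
# bank.example, evil.example) is made up for the demo; nothing touches the
# system trust store.
set -e
DEMO=$(mktemp -d)

# Create a CA: a self-signed certificate whose private key will sign leaf certs.
make_ca() {   # $1 = CA name, $2 = file basename
    cat > "$DEMO/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/$2.cnf" \
        -keyout "$DEMO/$2.key" -out "$DEMO/$2.crt" 2>/dev/null
}

# Issue a server certificate for host $1, signed by CA $2, saved as $3.
# The CSR carries the site's public key; the CA's private key signs it.
issue_leaf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" > "$DEMO/$3.cnf"
    printf 'subjectAltName = DNS:%s\n' "$1" > "$DEMO/$3.ext"
    openssl req -newkey rsa:2048 -nodes -config "$DEMO/$3.cnf" \
        -keyout "$DEMO/$3.key" -out "$DEMO/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$DEMO/$3.csr" -extfile "$DEMO/$3.ext" \
        -CA "$DEMO/$2.crt" -CAkey "$DEMO/$2.key" -CAcreateserial \
        -out "$DEMO/$3.crt" 2>/dev/null
}

# The browser's decision: does the leaf's signature verify under a CA in the
# trust store $1, and is the cert issued for the host name $3 we connected to?
chain_ok() {   # $1 = trust store (PEM bundle), $2 = leaf cert, $3 = expected host
    openssl verify -CAfile "$DEMO/$1" -verify_hostname "$3" "$DEMO/$2" >/dev/null 2>&1
}

make_ca "Demo Root CA" ca
issue_leaf bank.example ca site            # the genuine site cert
make_ca "Rogue CA" rogue
issue_leaf bank.example rogue rogue-site   # another CA vouching for the same name
cat "$DEMO/ca.crt" "$DEMO/rogue.crt" > "$DEMO/both.crt"   # trust store holding both CAs

report() {   # $1 = label, remaining args as for chain_ok
    label=$1; shift
    if chain_ok "$@"; then echo "ACCEPT  $label"; else echo "REJECT  $label"; fi
}
report "genuine cert, genuine CA trusted"         ca.crt   site.crt       bank.example
report "genuine cert, but host name mismatch"     ca.crt   site.crt       evil.example
report "rogue CA cert, only genuine CA trusted"   ca.crt   rogue-site.crt bank.example
report "rogue CA cert, rogue CA also trusted"     both.crt rogue-site.crt bank.example
```

Run it as-is: the four report lines come out ACCEPT, REJECT, REJECT, ACCEPT. Nothing is "decrypted" along the way; openssl verify checks the signature over the certificate body with the CA's public key, walks the chain to a CA in the bundle, then compares the names. The last line is the uncomfortable one: once the rogue CA is in the trust store, its certificate for bank.example is indistinguishable from the genuine one.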

First:  For this to work, you have to trust the browser and the device (PC, tablet, phone) you're working on.  Are you really that sure that every device you run SSL from has not been compromised?  There are exploits, many of them remote, for every OS, every phone and most other common devices.

Second: Do you trust the browser?  When we say that there's an out-of-band key exchange, what we really mean is that the public key of the CA was preinstalled in your browser.  Thus, you have to be absolutely sure your browser was not tampered with.  When was the last time you double-checked that your Firefox update was downloading from a properly certified SSL site?  Did you check a hash or a PGP signature?  A hash published on the same page as the download proves nothing if that page could be tampered with too, and MD5 is no longer collision-resistant anyway; a PGP signature checked against a key you already had is the only check that is really out of band.  How about your plugins?  And wait: how about all those desktop or iPhone apps that use https to communicate?  Do you trust them as much as you trust IE or Firefox?

Third: Do you trust *every* CA in the list?  There are a lot of them these days!  Should you trust them just because the makers of IE or Firefox or Opera trust them?  Any CA in that list can issue a certificate for any host name, so the list is only as trustworthy as its weakest member.  How rigorously do the CAs themselves check who they are issuing certs to?

Fourth: Is every user going to pay attention to warnings about SSL?  OK, they're hard to miss in Firefox these days, but what about all those other apps?

Finally, will anyone even notice if they are not using SSL at all?  Because if they don't, an attacker in the path can run sslstrip, which rewrites every https:// link in the plain-HTTP pages you load into http:// and fetches the real site on your behalf, so you never get an SSL session and no certificate is ever checked.
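What that attack does to a page, as an added example that is not from the original post and is not sslstrip's own code: the script below applies the tool's core transformation to a constructed plaintext HTTP response for a made-up host, bank.example, and shows what the attacker has to keep track of and what the victim is left to notice.

```shell
#!/bin/sh
# Added example, not from the original post and not sslstrip's own code: the
# single transformation that attack relies on, applied to a constructed
# plaintext HTTP response. bank.example and the response text are made up.
set -e

# A constructed response, as the browser receives it after the user types
# "bank.example" with no scheme: plain HTTP, with the secure pages reachable
# only through https:// links and a redirect.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Content-Type: text/html
Location: https://bank.example/home

<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/login" method="post"></form>
<a href="http://bank.example/help">Help</a>'

# The MitM step: turn every https:// into http://, in headers and body alike.
# The browser is never offered an SSL connection, so no certificate is checked
# and no warning can fire. Reads the response on stdin, writes it on stdout.
downgrade_links() {
    sed 's#https://#http://#g'
}

# The proxy's bookkeeping: which URLs it downgraded, so that when the victim
# follows one over plain HTTP the proxy fetches the real https:// resource
# itself and relays the answer. Prints one URL per line, de-duplicated.
downgraded_urls() {
    grep -o 'https://[^"<> ]*' | sort -u
}

# The only clue left for the user: how many https:// references survive.
# After downgrading the answer is zero, and the address bar says http://.
count_https_refs() {
    grep -o 'https://' | wc -l | tr -d ' '
}

echo "https:// references before: $(printf '%s\n' "$SAMPLE_RESPONSE" | count_https_refs)"
echo "https:// references after:  $(printf '%s\n' "$SAMPLE_RESPONSE" | downgrade_links | count_https_refs)"
echo "URLs the proxy must fetch over https itself:"
printf '%s\n' "$SAMPLE_RESPONSE" | downgraded_urls
```

The point of the example is where the attack happens: nothing here touches SSL or certificates. The only thing edited is the plaintext HTTP response the browser loaded before it ever reached an https:// link, which is why a user who does not look for the padlock has no way to tell.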

So to me, it looks like the risk of any one error is fairly small.  But the risk that at least one of them has occurred is much, much higher.  Combine this with how easy wireless makes MitM attacks and SSL doesn't seem like such a strong protection to bet your bank account on.
