Nowadays, most people are aware of the importance of SSL/TLS certificates for protecting ecommerce sites. Most website administrators also have at least a basic understanding of the different types of SSL certificates that are available, and the different levels of protection they offer.
Fewer people, however, have a good understanding of the encryption behind SSL, and specifically of the fact that these encryption protocols are being continuously updated. Sometimes, this is to allow the SSL system to meet new challenges and gain enhanced functionality, as with the current research into protecting IoT devices from emerging threats using SSL. Sometimes, however, encryption protocols have to be updated because they are found to be insecure.
This is often overlooked by website administrators and cybersecurity professionals alike, who tend to take the security of SSL for granted. In this article, we’ll take a more skeptical view – we’ll look at recent successful cyber attacks against the SSL protocol, and see what they can teach us about keeping sites secure.
The first attack type that we’ll be covering isn’t all that recent, but it’s worth looking at because of its similarities to later SSL attacks. POODLE was one of the first attacks that were proven to be successful against SSL-secured sites. “POODLE” stands for “Padding Oracle on Downgraded Legacy Encryption” and exploited a flaw in the manner that SSL 3.0 handled block cipher mode padding.
Even though TLS has mostly replaced the older SSL 3.0 standard, the POODLE attack takes advantage of the fact that when a secure connection attempt with TLS fails, most servers will fall back to SSL 3.0. If the hacker is able to create a connection failure, they can then force the use of SSL 3.0 and begin a new attack.
Though this attack was easily defeated by the simple expedient of website administrators updating their SSL protocols, it remained (and perhaps remains) a dangerous vulnerability. This is because plenty of website administrators don’t know which version of the SSL protocol they are using.
This is not entirely their fault, of course. The knowledge that SSL helps rank your site higher on Google has encouraged many companies to simply “buy a certificate” without looking at how secure the service they are being offered is. This has led to outdated SSL encryption becoming one of the most common WordPress security issues.
DROWN and HEARTBLEED
If you need proof of this, it’s easily seen in two other recent attacks on SSL encryption protocols, both of which exploited vulnerabilities in already-deprecated protocols.
Take, as a first example, DROWN. The name stands for “Decrypting RSA with Obsolete and Weakened Encryption,” and the attack affected a large number of HTTPS websites. The attack vector here was SSLv2, which was already a completely obsolete protocol when the attack emerged. However, many servers still support and utilize SSLv2. If your own HTTPS server supports both TLS and SSLv2, an attacker can decrypt intercepted connections from clients.
A second example is HEARTBLEED. This vulnerability came to light back in 2014, and exploited a flaw in the OpenSSL implementation, rather than the standards themselves. However, OpenSSL is so widely used that it created something of a crisis when the bug was discovered. Some estimates put the number of affected systems at 17% of all SSL servers, and the vulnerability persisted for years because patches and updates were only rolled out slowly.
During that period, HEARTBLEED was genuinely dangerous and caused severe damage. An attack on patient data at Community Health Systems was blamed on this bug, as was the hack on the Canadian Revenue Agency that resulted in the stealing of thousands of social ID numbers of Canadian citizens.
So is there a lesson to be drawn from all these stories? Well, yes. Put simply, you should download all the security patches that are made available for SSL/TLS, and ensure that you are using the most recent version of the SSL encryption protocol. If you use OpenSSL, for instance, you can find the latest code on the OpenSSL website.
For many site owners, that will be more difficult than it sounds, because they will not be directly responsible for the SSL/TLS security they have in place. Many sites now make use of the free SSL certificates that are available from web hosting providers, for instance, and have therefore sub-contracted their security to their web host.
In this circumstance, it’s vitally important that site owners contact their web host to seek assurance on two issues. They should ask which SSL/TLS protocol is in place on their site, and verify that it is not an obsolete system.
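For administrators who can read their own server configuration, the check described above can be scripted. The following is an added example, not code from the article or from any vendor: it scans nginx `ssl_protocols` and Apache `SSLProtocol` lines and reports any that leave SSLv2 or SSLv3 enabled. The sample configuration is constructed, and the handling of Apache's `all` keyword and of bare tokens is a conservative assumption noted in the comments.

```python
import re

# Reasons tie each obsolete protocol to the attack the article describes.
OBSOLETE = {"SSLv2": "DROWN attack vector", "SSLv3": "POODLE fallback target"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: Apache's "all" is read conservatively as everything except SSLv2.
ALL = set(KNOWN) - {"SSLv2"}
# nginx: "ssl_protocols A B;"   Apache: "SSLProtocol all -SSLv3"
DIRECTIVE = re.compile(r"^\s*(?:ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def enabled_protocols(args):
    """Resolve directive arguments left to right into the enabled set.
    Bare tokens are treated as additive (a conservative simplification)."""
    enabled = set()
    for tok in args.split():
        sign = "-" if tok.startswith("-") else "+"
        name = tok.lstrip("+-").lower()
        names = ALL if name == "all" else {k for k in KNOWN if k.lower() == name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(config_text):
    """Return (line_no, protocol, reason) for each obsolete protocol left on."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            for proto in sorted(enabled_protocols(m.group(1)) & OBSOLETE.keys()):
                findings.append((no, proto, OBSOLETE[proto]))
    return findings


# Constructed sample lines, not taken from any real server.
SAMPLE = """\
ssl_protocols SSLv2 SSLv3 TLSv1.2;
SSLProtocol all -SSLv3
SSLProtocol all
SSLProtocol -all +TLSv1.2 +TLSv1.3
# ssl_protocols SSLv3;
ssl_protocols TLSv1.2 TLSv1.3;
"""

if __name__ == "__main__":
    for no, proto, reason in audit(SAMPLE):
        print(f"line {no}: {proto} enabled ({reason})")
```

Commented-out directives are ignored, so only lines that are actually in effect are reported.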
According to web developer Nathaniel Finch of Best Web Hosting Australia, the three most common types of SSL certificates that many web hosts offer as part of their plans are:
- DV (Domain Validation) SSL certificates
- OV (Organization Validation) SSL certificates
- EV (Extended Validation) SSL certificates
Out of these, EV SSL certificates are the most advanced and secure. But just as important as choosing hosting providers that come with EV SSL, site owners should also verify that there is a rigorous system in place for obtaining and implementing patches and updates to SSL protocols – either on their web hosts’ servers if that is where SSL certificates are stored, or on on-prem servers if this is necessary.
Of course, keeping your SSL certificates up to date is not going to protect you against every single attack. More recently, we’ve seen worrying signs that encrypted malware can evade SSL detection, for instance, and we will need new tools to fight these emerging threats.
Making sure that your SSL/TLS system is current, though, is one of those basic tasks on which great security is built. Since cybersecurity is an ongoing process and not an event, and since we’re all beginning to realize the importance of cyber resilience, these basics need to be in place before you explore more exotic options.
The next time an SSL attack emerges, make sure that you don’t become a statistic: keep your SSL protocols up to date.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.