Secured Socket Layer, more commonly called as SSL, is a protocol in which data is transferred in an encrypted format to ensure security. This data transfer between client and the server is established with the help of certificates. SSL certificate is an absolute necessity for e-commerce sites as end users need to submit critical information like credit card details and personal information. Once installed, then the sites are accessed using the IP address header https:// rather than http://. Even though SSL ensures security they have some inherent vulnerability. This article mentions about SSL principles and its vulnerability.
It is imperative that the server must have an SSL certificate and the private key associated with that certificate. The SSL certificate contains the public key for the RSA encryption algorithm. When connected, this public key is send to the client who will use it to encrypt a value and send it to the server. The server has the corresponding RSA private key so that it can decode the client’s message. Also don’t forget the fact that SSL certificates are always subjected to expiry.
Generally there are three different types of Secured Socket Layer (SSL).
Dedicated SSL – Dedicated SSL needs a dedicated IP available for the domain.
Shared SSL – Shared hosting has multiple domains pointing to the same IP address. In this case, the host has one single SSL to manage all the sites.
Wildcard SSL – Wildcard SSL is targeted for different sub domains of a website.
So far, we have discussed about the basic functions and major types of SSL. Below given is some vulnerability associated with SSL security.
Heartbleed bug is a major vulnerability in the OpenSSL cryptography. It puts in danger the encrypted information which is used to secure the internet. Neel Mehta of Google Security first reported this bug to the OpenSSL team. It comprised of all the secret keys, which were used to identify the hosting / service providers. The names and passwords of users were easily made available to those online. This bug did not affect versions of OpenSSL prior to 1.0.1. The versions which got affected were 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.
This bug can be fixed immediately in OpenSSL 1.0.1g. Affected users should better upgrade to 1.0.1g to rectify the issue. Those who could not upgrade immediately should perform a recompilation of OpenSSL with DOPENSSL_NO_HEARTBEATS.
POODLE – An SSL 3.0 Vulnerability
Poodle (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability is the most recent vulnerability issue identified with SSL. Here the issue is with the 18-year old SSL 3.0, which is considered almost secure until now. This issue can be fixed by upgrading to the newer versions, maximum up to even TLS 1.2, if possible. Many websites are now available to check if the domain is poodle vulnerable.
Although SSL has some inherent vulnerability, it is highly recommended to install the same on the sites for secure transaction of critical information. Ultimately you need to build trust in the minds of end customers. Remember, only happy and repeat customers contribute to the success of your business.