Secured Socket Layer (SSL) and related Vulnerabilities

ssl_certificate_003_400_x_400

Secured Socket Layer, more commonly called as SSL, is a protocol in which data is transferred in an encrypted format to ensure security. This data transfer between client and the server is established with the help of certificates. SSL certificate is an absolute necessity for e-commerce sites as end users need to submit critical information like credit card details and personal information. Once installed, then the sites are accessed using the IP address header https:// rather than http://. Even though SSL ensures security they have some inherent vulnerability. This article mentions about SSL principles and its vulnerability.

It is imperative that the server must have an SSL certificate and the private key associated with that certificate. The SSL certificate contains the public key for the RSA encryption algorithm. When connected, this public key is send to the client who will use it to encrypt a value and send it to the server. The server has the corresponding RSA private key so that it can decode the client’s message. Also don’t forget the fact that SSL certificates are always subjected to expiry.

Types

Generally there are three different types of Secured Socket Layer (SSL).

Dedicated SSL – Dedicated SSL needs a dedicated IP available for the domain.

Shared SSL – Shared hosting has multiple domains pointing to the same IP address. In this case, the host has one single SSL to manage all the sites.

Wildcard SSL – Wildcard SSL is targeted for different sub domains of a website.

So far, we have discussed about the basic functions and major types of SSL. Below given is some vulnerability associated with SSL security.

Heartbleed Bug

Heartbleed bug is a major vulnerability in the OpenSSL cryptography. It puts in danger the encrypted information which is used to secure the internet. Neel Mehta of Google Security first reported this bug to the OpenSSL team. It comprised of all the secret keys, which were used to identify the hosting / service providers. The names and passwords of users were easily made available to those online. This bug did not affect versions of OpenSSL prior to 1.0.1. The versions which got affected were 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.

This bug can be fixed immediately in OpenSSL 1.0.1g. Affected users should better upgrade to 1.0.1g to rectify the issue. Those who could not upgrade immediately should perform a recompilation of OpenSSL with DOPENSSL_NO_HEARTBEATS.

POODLE – An SSL 3.0 Vulnerability

Poodle (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability is the most recent vulnerability issue identified with SSL. Here the issue is with the 18-year old SSL 3.0, which is considered almost secure until now. This issue can be fixed by upgrading to the newer versions, maximum up to even TLS 1.2, if possible. Many websites are now available to check if the domain is poodle vulnerable.

Conclusion

Although SSL has some inherent vulnerability, it is highly recommended to install the same on the sites for secure transaction of critical information. Ultimately you need to build trust in the minds of end customers. Remember, only happy and repeat customers contribute to the success of your business.

Written by admin

6 Comments

gravatar
AlyseCSheild

I was excited to uncover this site. I wanted to thank you for ones time for this particularly wonderful
read!! I definitely liked every bit of it and I have you bookmarked to look at
new stuff on your web site.

Reply
gravatar
PearleneWScanneu

That is a very good tip especially to those fresh to the blogosphere.
Brief but very precise info… Thanks for sharing this one.
A must read article!

Reply

Leave a Reply to sam Cancel reply

Your email address will not be published. Required fields are marked *