SSL is terrible, pt. 495.

/SSL is terrible, pt. 495.

Tl;dr, like everything else with SSL, EV is fucking broken.

Because I will forever be, at heart, a huge brat, one of my favorite questions to ask people who pretend to know about INFOSEC is, “So what, exactly, is the point of SSL?” (Or TLS, or HTTPS, or however you want to word it.)1

Pretty much no one, in the field or out of it, gets the answer to this question correct. I’ve written about it before2 but, tl;dr version, the original intent of SSL was to link an online presence with a real-world entity. The problem is that the validation requirements were, well. Expensive. Like, thousands of dollars worth of expensive, which is how much a “real” SSL certificate is supposed to cost. Because the CA that issues it is “supposed” to investigate you—to actually meet you, face-to-face, in fact—and make sure you’re really who you say you are, before issuing the cert in the first place.

“But Alis!” you say. “I can get an SSL cert free from, like, Let’s Encrypt! Hell, you get free certs from Let’s Encrypt!”

Yeah, I do. And the thing about Let’s Encrypt? It’s a perversion of the entire point of the system. And it provides exactly squat in the way of security, because in a world where anyone can get a cert issued to basically anything, for any purpose, under any name, how do you know that the entity you’re communicating with is, in fact, the entity you want to be communicating with?

Spoiler alert: you can’t, see original linked article.

“Wait,” you say, confused. “If SSL is so broken, why do tech companies like, say, Google push it so hard?”

Well, Dorothy, because, firstly, the one thing SSL does do is give carriers a level of plausible deniability when it comes to government requests to wiretap internet traffic. “Well. Here are the traffic logs from the server! Oh, well. No, you can’t read them because it’s all HTTPS. Sorry, not our fault! We did what you wanted!”3

But, mostly? Google in particular pushes SSL so damn hard because one of the thing SSL does in change the way HTTP referrers are sent. Why does Google care about this? Well, because it means webmasters suddenly don’t or can’t know where some or most of their website traffic is coming from, including search requests. So isn’t it great that Google can sell them this information as part of its ad platform! Phew, thanks Google! What a win for “privacy”!

… yeah.

Tl;dr, SSL is still terrible. And the “good” news? There’s still really no better option.

  1. The difference? Very briefly, SSL and TLS are two implementations of a secure communications protocol, with SSL being the older-and-now-deprecated version. HTTPS is basically “the web but with SSL/TLS.” In most cases the three terms are used as synecdoches, though HTTP isn’t the only thing that can be used with SSL/TLS. ^
  2. At length. It’s a bugbear, what can I say? ^
  3. It’s worth noting that this is mostly security theater; nation-state level actors, specifically intel organisations, can and do actively tap backbone networks. The thing they mostly don’t do is share the information gathered from these sources with law enforcement agencies, who desperately want it. In other words, yes. Most Current Issues In Government Surveillance are a dick measuring contest between spys and the cops. ^
2018-05-22T09:01:53+00:008th June, 2018|Tags: infosec, privacy, ssl, xp|1 Comment
1 ♥  gileonnen

Comments are closed.