If you want to establish a secure link between a web server and a browser, SSL / TLS is the way to go. It’s been the gold standard in web security technology for decades, and it remains the most widely used security protocol on the web. Don’t let that lure you into a false sense of security - SSL is important, true, but it’s far from bulletproof.
It has weak points. There are chinks in its armor. And if you aren’t taking measures to hammer those out, then you’re putting your organization - and potentially its customers - at risk.
That’s where we come in. Today, we’re going to go over five of the major weaknesses in SSL. More importantly, we’ll talk about what you can do to secure them.
Let’s dive right in:
- The Endpoints: SSL only secures data while it’s in transit. It provides nothing in the way of at-rest encryption. This means that, if sensitive data is being transferred between server and client, you cannot rely on SSL alone to protect that data once it arrives. You need to implement server-side (and possibly client-side, depending on your usage scenario) encryption in order to protect yourself.
- Server Security: As an addendum to the above, how’s the security on your web server? Do you store your passwords in plaintext? Do you run regular malware scans?
- Exploits: As noted by Amazon SDM Vinayak Raghuvamshi, SSL itself also contains a number of security weaknesses that make it vulnerable to attacks such as SSL Stripping. He advises pairing SSL with a Layer 5-based tunnelling solution to mitigate any MITM attacks and targeted exploits.
- Outdated Software: Regardless of which form of SSL you use, you need to do everything in your power to keep it up-to-date. If you willfully use an older version of SSL, you’re potentially exposing yourself to a wide range of dangerous vulnerabilities.
- Bad Certificates: Lastly, you need to exercise caution when choosing a certificate authority - due diligence is the key term here. Unscrupulous CAs may break their own authentication for a premium, allowing MITM attacks on their clients.
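The "Outdated Software" and "Bad Certificates" points above can both be enforced on the client side. The following is an added example (not code from the original post): it builds a Python `ssl` context that refuses anything below TLS 1.2 and requires a valid chain, then adds certificate pinning as a second check so that a certificate issued by a CA you don’t trust is rejected even if it chains to a root in the system store. Pinning is a technique added here, not one the post names; the hostname and pin value are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin table. Each value is the SHA-256 of the server's DER-encoded
# certificate, recorded out of band by the operator. The value here is a placeholder.
EXPECTED_PINS = {"example.internal": "<hex sha256 of the pinned certificate>"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses legacy protocol versions and demands a valid chain."""
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED, SSLv2/3 off
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0 / 1.1 negotiation at all
    ctx.check_hostname = True                     # certificate must match the name we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, the form operators usually record as a pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(hostname: str, der_cert: bytes, pins=EXPECTED_PINS) -> bool:
    """Second line of defence beyond CA validation: the leaf must be the one we pinned.

    Unknown hosts fail closed, and the comparison is constant-time.
    """
    expected = pins.get(hostname)
    if expected is None:
        return False
    return hmac.compare_digest(expected, cert_fingerprint(der_cert))


def connect_pinned(hostname: str, port: int = 443, pins=EXPECTED_PINS, timeout: float = 5.0):
    """Open a TLS connection; return (negotiated protocol, leaf fingerprint) or raise."""
    ctx = hardened_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(hostname, der, pins):
                raise ssl.SSLError(f"certificate presented by {hostname} does not match pin")
            return tls.version(), cert_fingerprint(der)
```

Pins must be rotated alongside the server certificate, so keep the pin table under the same change control as the certificate itself.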
So, there you have it - a brief primer on SSL security. Now that you’ve read it, can you honestly say you’re doing everything you can to keep your server safe? If not, seems you’ve got a bit of work to do.