Over the last decade, there has been an ever-growing emphasis on security, and SSL has taken a seat front-row center in this period of enlightenment. Interestingly enough, it's not just about encrypting your traffic on the web; the purpose runs far deeper. This article will delve into why SSL's importance has grown and continues to grow day over day.
Secure Sockets Layer, or SSL as it's better known, has become a subject of discussion and **frustration** for many Internet sites. Google is flagging search results that don't have a valid SSL certificate, and it's not about sending traffic over an encrypted link. It's about the other part of security: authentication. Most people talk about security as being "encrypted", but we should place less importance on how scrambled and unreadable the payload is and more on where the traffic came from. That was the real reason behind the preference for HTTPS-enabled sites in the World Wide Web's search indices.
Case in point: who cares whether the recipe for double chocolate chip cookies is sent to you encrypted or not? The reality is, unless you're a major food brand, it's just not that important. What is important is that the information you're getting is coming from the trusted and reliable source you requested it from. SSL does that incredibly well, because the basic PKI infrastructure that SSL leverages performs strong authentication first, and only then negotiates the encrypted medium in which information is exchanged.
Encryption is Worthless
That's right. I just stated that encryption is worthless. Cue pitchforks. Before you send me hate mail and other non-niceties, hear me out. An encrypted interchange of information with a non-authenticated sender is dangerous. Perfect example: did you ever get a call from someone trying to scam you out of money under the guise of the IRS, your bank, a credit card company, etc.? That's the point. Caller ID can be forged, and so can Internet traffic. This is the purpose of authentication: a series of secure key exchanges that negotiate a secure medium which isn't being listened in on or compromised. So why is it important to use a digital certificate you need to pay for? The verifiable chain of trust. It's about a trusted certification authority that can and will vouch for the identity of the sender presenting the certificate. This is important because it allows the requestor (you or your customers) to rest assured they're not sending their personal or financial information to a hacker who will use it for nefarious purposes.
Authentication, or identity validation, is the single most important thing about security. If you start a flawed communication chain, you end up with a flawed communication. One of the most interesting things about exploits in general is that nearly all of them have to do with the authentication process. Diehard security people understand that the critical vector of vulnerability in any model is the authentication chain. Blackhat foreign actors know this as well.
If one takes a look at most security vulnerabilities today, the majority of them demonstrate a circumvention of the authentication workflow.
I have SSL! I’m not secure!?!!
Implementing SSL is a good start, but just because you bought a digital certificate and paid for the $10,000,000.00 protection doesn't mean you have an insurance policy worth $10 million. It means the master certificate keys for the certificate you purchased are secured properly, and the issuer guarantees this with a $10 million policy. Properly implementing the certificate authentication and encryption process is still your responsibility. Configuration of authentication mechanisms and ciphers is part of proper security protocol. Just popping the certificate into the server configuration is NOT good security practice. There are many reasons for this, but the single cardinal rule should simply be: trust nobody with your security other than yourself.
Security itself is not the implementation of any one mechanism, but an ever-evolving process of constantly monitoring and adjusting your infrastructure to counteract potential attack vectors. This is an active role, and your organization should be prepared to engage in it proactively.
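To make the "encrypted but not authenticated" mistake concrete, here is a small Python illustration added to this post (it is not code from the original article): an audit of a client-side TLS context that reports the settings which leave a connection scrambled yet unverified, next to a context that insists on the chain of trust first. The function names are invented for the example; the checks use only the standard library ssl module.

```python
import ssl

# Added example, not from the original post. Function names are hypothetical.


def audit_tls_client_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client ssl.SSLContext. An empty list means the
    context authenticates the peer and refuses legacy protocol versions."""
    findings = []
    # Without chain verification the post's question "who sent this?" is never
    # asked: any certificate (or none at all) is accepted.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: certificate chain is not validated")
    # A valid chain for the wrong name is still the wrong sender.
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the requested host")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) also lands below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLSv1_2: legacy protocol versions are negotiable")
    return findings


def encrypted_only_context() -> ssl.SSLContext:
    """The mistake: traffic is encrypted, but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context() -> ssl.SSLContext:
    """Chain of trust first: CA-validated peer, hostname bound, modern TLS only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("encrypted only", encrypted_only_context()),
                       ("authenticated", authenticated_context())):
        print(f"{label}: {audit_tls_client_context(ctx) or ['no findings']}")
```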
Am I Secure?
This is the question we all ask. The right question is not "Are you secure?" but "Have you done everything you can to ensure overall system and infrastructure security?" It all starts with an audit. It can't be performed by your internal staff; it needs to be performed by an independent third party, because when it comes to security, objectivity only comes from an independent third party. There are many companies that perform these security audits, but they can be costly. The same audits can be performed by a competent consultant with extensive experience in security and penetration testing.
If you’re interested in discussing your infrastructure, application, or overall system security, consider hiring me.
Other security firms will perform topical external testing; I will also review your security and infrastructure configurations and provide feedback on remediation and risk via a comprehensive scorecard and level of effort.