Thursday, 1 September 2011

Breaches Raise Questions about SSL Security

The recent breach at Dutch digital certificate authority DigiNotar is just the latest in a series of troubling SSL hacks. Earlier this year, Comodo alerted its customers to a serious SSL breach that impacted nine Web domains, including Google and Yahoo. Now, with details emerging about the attack on DigiNotar’s SSL and EV-SSL CA system, we think it’s time to take a closer look at SSL security.

In fact, in July NCP engineering* released a whitepaper, “Debunking the Myths of SSL VPN Security,” that takes on this very topic. Using this whitepaper as a guide, VPN Haus is launching a multi-part series that asks the questions: why do so many high-profile breaches occur using SSL VPN? Do users simply not implement the technology correctly? Or does SSL fall short of the marketing hype? We’ll dig for these answers by exploring the following SSL VPN myths:

Myth 1: Using trusted certificates from a certificate authority (CA) is airtight.
Myth 2: SSL VPN is clientless.
Myth 3: Online banking via SSL session is secure.
Myth 4: HTTPS is a secure pipe.
Myth 5: One-way certificate authentication of a SOA web service is secure because it uses HTTPS.
Myth 6: Two-way certificate exchange between a SOA web service and a client can always be trusted.
Myth 7: Java Authentication and Authorization Services (JAAS) framework handles all protocols and mechanisms in a secure manner.
Myth 8: RSA SecurID provides a secure connection.
Myth 9: Thick-client SSL VPNs are more secure than thin-client SSL VPNs.
Myth 10: Security is the responsibility of a specialist department.

Moreover, Myth 1 deals head-on with the issue Comodo, and now DigiNotar, faced with fraudulent certificates. We’ll go into that in more detail next week. But for now, we invite you to weigh in with your thoughts as we take a deep dive into the murky waters of SSL, in hopes of eliminating confusion, providing greater clarity and, ultimately, peace of mind on SSL and security.
