Monday, 17 March 2003

Bruce Schneier's latest Crypto-Gram dropped through my virtual mailbox over the weekend. Firstly, he has a new book out, Practical Cryptography (obviously, anybody stuck for a birthday present for me could do worse than the hardcover edition).

In it, he discusses his views on how the SSL flaws aren't really such a big deal as SSL is kinda fixing a non-problem to begin with...

Even if SSL were irrevocably broken, it wouldn't affect Internet security very much. There are two reasons. One, SSL is almost never used in a secure manner. And two, SSL doesn't solve an important security problem
he goes on to talk about use of SSL to protect personal transactions with websites (credit card purchases etc.)

SSL establishes a secure channel between a client and a server. In order for you, the SSL client, to ensure that the channel is secure, you need to authenticate the server. You can do this by looking at the SSL certificate (your browser allows you to do this) and making sure that the server you have established a secure channel with is the one you want to talk to. My guess is that approximately no one ever does this. I certainly never do it. This means that you are using SSL to establish a secure channel with a random person. Imagine you are sitting in a lightless room with a stranger. You know that your conversation cannot be eavesdropped on. What secrets are you going to tell the stranger? Nothing, because you have no idea who he is. SSL is kind of like that.
Which, of course, is all very true for browser to web conversations. To my mind though, the big win of technologies like SSL is in server to server communications. We have an AA application here were I work (I support it in fact) that has a number of components spread across multiple servers (web servers, and back end application specific servers). Now, we don't know for sure where the web servers are deployed, or indeed who can snoop the traffic between them and our servers, so luckily, the web server compenents speak to the back end servers over SSL links. This use seems much more akin to sitting in a lit room with a trusted friend...

No comments: