Should SSL be enabled on every website?

Wednesday, October 14, 2009

Christopher Hudel


Why SSL?

Using SSL to secure all websites may seem like an odd choice: most websites contain no "nuggets" worth taking, SSL apparently slows the page load time (especially on over-provisioned hosting platforms), and it's not clear whether doing so will kibosh any search engine optimizations.

Back when I worked at the Bank, I tried to advance the idea that every page should be SSL protected but some of these same arguments were thrown back to me – “why does it matter if we don’t encrypt the communications when someone looks for ATM locations?” or “this will totally throw off our Gomez rating”.  I swear that Gomez is law-of-unintended-consequences responsible for why the majority of banks proffer the less-secure practice of placing the unencrypted login page on their main home page — they can do so without compromising the load-time of their website when measuring the speediness of their own website against those of their peers.  It’s nice to see that some companies (thanks, Fidelity!) are coming around and enforcing the use of SSL for their entire website.

Oops – I got distracted.  The reason why I like that this blog uses SSL is simple and is one of my core philosophies — what you do on the internet should be your own business, and web sites should help you maintain this level of confidentiality.  Even if every website used (and protected) its own self-signed certificate, users could still benefit from the knowledge that whatever they were doing on the website was not visible to others.  Of course, everyone would have to click "OK" on the certificate error pages, but that behavior already seems well established.

As much as I am for doing this on my own blog, I also administer content-filtering for a medium-sized financial services company. Protecting every website with SSL would reduce the bulk of most content-filtering applications to simple IP-based rules, or cause management to implement transparent proxy technologies, which would result in really important SSL-protected traffic being visible to a handful of employees (a liability to which I would not subject myself or my staff).  Additionally, content-filtering systems would likely fail to address large hosted environments with shared IP addresses.

So - toolsets would have to evolve to address a new "always confidential" internet.  This includes Google AdWords, which has yet to support SSL websites.  Google Analytics still works - but that's a privacy issue, and not a confidentiality one. :)

Mourad Ben Lakhoua

Thanks for the post, really interesting add. We use SSL for email, blogging, social networking websites and other sensitive information, but I wanted to ask here if SSL is enough to secure our information resources? Don't you think that it's time to implement more security features?

Brad Tumy

When you condition people to click through the certificate errors, then how do you then teach them to identify a real security breach that is affecting something more important like their online banking transaction?

My concern with the "Of course, everyone would have to click "OK" on the certificate error pages, but that behavior already seems well established." argument is that you would be perpetuating the behavior that we should not encourage. I think the model going forward is that consumers need to understand what they are clicking, and if they choose to ignore it, it is because they have identified the risks and are OK with them, as opposed to clicking because it is an annoying pop-up and I click OK on every other annoying pop-up. We should be implementing systems that foster the behavior of recognizing anomalies and reacting to them and not ignoring them.

Do we really need an "always-on" security mechanism for every web site? I don't think we do. I think the costs and the repercussions of encouraging people to click through the certificate error pages far outweigh the benefit.

Christopher Hudel

My point is that you cannot rely on teaching consumers to "do the right thing". Already we have the case where malware is injecting HTML code right into already-secured sessions to extract sensitive PII data from unsuspecting consumers.

Heck - even suspecting consumers can have a challenge figuring out if the requested information is being asked from a trusted source; the lock-icon is not the panacea it was originally made out to be.

We've got to do better and come up with more salient ways in which systems and technology can make the right security decisions without having to rely on consumer judgement.

Steven Stern

SSL security is necessary for secure login and secure transmission of confidential data. The problem with SSL is its cost. I'd love to add SSL certificates to any number of sites I run to authenticate that they are the site they claim to be, but at about $500 per certificate, it gets expensive, fast.

If there were a change in the certificate ecosystem, I think it would be a lot easier to push for SSL from the grass roots.

Jim Anderson

Liked the post. Yes, encryption is getting cheaper but it is still not zero. I was unaware until I read your post that AdWords is not SSL protected. Fascinating. I would hope that along with the agenda of making SSL broadly available by default we also make the technical understanding of how SSL is properly used on a website also a requirement. We see poorly implemented technical security more and more these days. The only thing worse than no security is the illusion of security.

Fred Williams

Good post! I have read that the IETF is trying to promote the TLS protocol as a replacement over SSL for HTTP traffic. Reading up a bit on TLS vs SSL, it seems that you can't go wrong with either but TLS has benefits of being an open standard and being backwards compatible to allow you to drop back down to SSL. What are your thoughts on choosing TLS over SSL?

Tim Covel

The only problem I can see with increasing the use of SSL (which I am all for) is the sense of false security. As you said, the behavior of just ignoring certificate warnings is already prevalent, which makes hijacking "secure" connections trivial in local networks. Also keep in mind the current SSL renegotiation vuln which has been demonstrated to be effective. Great post, and I'm always in favor of more encryption, but we have to be careful that an "always confidential" Internet would only really be "mostly confidential".

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
