Reliability of SSL

Many enthusiasts and experts have tried, and are still trying, to break SSL.
Some of them succeeded. Is that a reason to panic? Not really! SSL certificates can still provide very strong security if you keep
several things in mind.

First of all:
Do not trust broken SSL Certificate Authorities.

An SSL Certificate Authority (CA) issues the SSL certificates that your
web browser, host OS or some application trusts. Examples of weak SSL CAs you should never trust are Comodo and StartSSL. Either the internal control mechanisms of the CA simply failed, or
they got cracked badly... or both.
Of course we put ourselves in the spotlight now, as a partner of
GlobalSign, which sells SSL certificates as well. But it is not
a marketing campaign that drives us to write this article.

Cracked Certificate Authorities could start to issue "false"
certificates, which are a risk to anybody. Comodo issued wrong certificates. StartSSL was totally hacked by
crackers because they did not invest in sane penetration testing
at all. We could now raise the "told you so" flag on a hill near us, but
this won't prevent any risk to you, will it?

None of those SSL CAs was audited by any trustworthy company we are aware of. And as CEO I claim to know them in Europe, even if they are
competing with my own company. I have in mind companies like "Recurity
Labs", "Code Blue" and others which have skilled and otherwise good employees. And yes, we charge more. We perform serious penetration tests and we
guarantee quality of service to our employees and their personnel. But trust in our knowledge alone won't secure you.

So people should become more aware of SSL CAs and their responsibility. Companies like Comodo and StartSSL are just two to name that fell
because of weak security, and they cannot really be considered
trustworthy anymore. GlobalSign, which we are a partner of, suffered an attack as well, but
they had paid security people who presumably warned them, so only the
web server was compromised. Unlike Comodo and StartSSL, a full forensic investigation
was started and the business was shut down for two weeks to ensure that no further
security breach happened and that the attacker could not have compromised
the root certificate (that is the "game over" scenario).

So please, be careful. Do not simply believe a browser icon! Keep yourself informed. Read about the SSL CAs your browser trusts.
Disable SSL v2 and SSL v3 and enable, if possible, TLS 1.1 and/or
TLS 1.2 in your browser. I know this sounds pretty technical, but please do so. You can also ask
companies like Mozilla or Microsoft when they plan to support
strong security in their browsers.

We selected GlobalSign for a reason. I think the more you
investigate, the more you will agree that this SSL CA is as trustworthy
as a third-party company can be (and it was audited).

Personally, I spent months investigating and analysing individual SSL CAs.
And I would thank anybody who does not just acquire an SSL certificate, but
takes an interest in their own security and does not trust everything their
browser shipped with.

Who trusts TurkTelecom or China with their SSL business? Why should
you? Why are they not trusted by Mozilla and others? Please
perform your own little investigation if you are interested. This topic is very
complicated and has no "right" or "wrong" answers.
It is about you, your trust and your beliefs.

As a user, you are your own last line of defence.
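The browser advice above (refuse SSL v2 and v3, require TLS) and the four checks listed next, written out as a small client-side audit. This is an added example for this page, not code from the original article or from any CA, and it uses only the Python standard library. The certificate dictionary is constructed to mimic what ssl.SSLSocket.getpeercert() returns; its issuer names, URLs and dates are made up and refer to no real CA, the DISTRUSTED_ISSUERS list is a placeholder for your own verdict, and connect_and_audit() needs network access, so it is only wired up under __main__.

```python
"""Client-side SSL/TLS hygiene: protocol floor plus the four certificate checks.

Added example for this page (not the article's code). Standard library only.
SAMPLE_CERT is CONSTRUCTED in the shape ssl.SSLSocket.getpeercert() returns;
every name, URL and date in it is made up and refers to no real CA.
"""
import socket
import ssl
import time

# Your own verdict on CAs (step 1). Placeholder names, an assumption for the demo.
DISTRUSTED_ISSUERS = ("Example Breached CA", "Example Unaudited CA")

SAMPLE_CERT = {  # constructed, getpeercert() layout
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA OV Issuer"),)),
    "notBefore": "Jul  9 00:00:00 2012 GMT",
    "notAfter": "Jul  9 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "OCSP": ("http://ocsp.example-ca.test/",),
    "crlDistributionPoints": ("http://crl.example-ca.test/issuer.crl",),
}
NOW = ssl.cert_time_to_seconds("Dec  1 12:00:00 2012 GMT")  # inside validity


def hardened_client_context():
    """The browser advice, for a client you write: refuse SSLv2/SSLv3 and
    old TLS, verify the chain and the hostname. PROTOCOL_TLS_CLIENT already
    turns on CERT_REQUIRED and check_hostname; we add the version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()  # the host's trust store; prune it as you see fit
    return ctx


def rdn_to_dict(rdns):
    """Flatten getpeercert()'s ((('k', 'v'),), ...) into {'k': 'v'}."""
    return {k: v for rdn in rdns for k, v in rdn}


def dns_name_matches(pattern, host):
    """RFC 6125 style name match: exact, or '*' as the whole leftmost label
    matching exactly one label ('*.example.com' covers 'a.example.com',
    not 'a.b.example.com' and not 'example.com')."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def audit_peer_cert(cert, hostname, now=None, distrusted=DISTRUSTED_ISSUERS):
    """Steps 1-3 on a getpeercert() dict. Returns findings; [] means clean."""
    now = time.time() if now is None else now
    findings = []
    issuer = rdn_to_dict(cert["issuer"])
    # 1. Who issued it, and is that CA on your personal blacklist?
    if any(d in (issuer.get("organizationName"), issuer.get("commonName"))
           for d in distrusted):
        findings.append(f"issuer {issuer.get('commonName')!r} is distrusted")
    # 2. Dates, then the name the certificate was issued for.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback only when there is no SAN at all
        names = [rdn_to_dict(cert["subject"]).get("commonName", "")]
    if not any(dns_name_matches(n, hostname) for n in names):
        findings.append(f"{hostname!r} not covered by {names}")
    # 3. Revocation: without an OCSP responder or a CRL there is nothing to check.
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        findings.append("no OCSP responder and no CRL: revocation unverifiable")
    return findings


def connect_and_audit(host, port=443):
    """Live check (needs network): hardened context plus the checks above."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # OpenSSL already rejected bad chains and names; this adds policy on top.
            return tls.version(), audit_peer_cert(tls.getpeercert(), host)


if __name__ == "__main__":
    print(audit_peer_cert(SAMPLE_CERT, "www.example.com", NOW))  # []
    print(audit_peer_cert(SAMPLE_CERT, "a.b.example.com", NOW))  # one finding, the name
```

Step 4, investigating the CA's history and whether it was audited after a breach, is homework the code cannot do for you; the issuer name it reports is the starting point. Note that OpenSSL rejects an expired or mismatched certificate before audit_peer_cert() ever sees it, so on a live connection the function mainly adds your own CA blacklist and the "can revocation be checked at all" question.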
Still, keep the following in mind and use the "advanced information" button!

1. Check which SSL Certificate Authority issued the certificate.
   Do you trust them? Are there any known issues from the past?
2. Is the SSL certificate valid?
   Check the dates, the URL (i.e. the domain name) and the issuer.
3. Check the CRL and other revocation methods.
   Make sure your browser automatically checks whether an SSL certificate has been revoked.
   Enable OCSP support, or force your browser to always check OCSP.
   Browsers like Mozilla's do not ship with sane security defaults.
   That could be because they are sponsored by other companies.
   To enable the check in Firefox, set the option
   "When an OCSP server connection fails, treat the certificate as invalid".
4. Investigate the SSL CA that issued the certificate!
   Was anything known about it? Was it audited after a security breach?
   How bad was the security breach? Was the root CA or the HSM compromised?

I know those four easy steps won't prevent everything, but if you combine them with the knowledge from this article, you can improve your personal security.

Kind regards,
Sebastian Rother

9 July, 2012