You are on the internet looking to purchase the latest smartphone online, so you start with a Google search and get a list of maybe three potential websites selling the brand you are looking for. Now you have to decide which one to use. You check prices and so on. You have an IT security background, so you know the checks you have to make before you submit any personal details: you check that the website has an organisation and domain validated SSL certificate, you check the key size, and you check that it has been signed by a well known Certificate Authority. After all of these checks you become confident that everything is as it should be and that your information is secure.
Should you be that confident?
In my opinion the perception that, once a website is secured with a valid SSL certificate, customers can safely enter their details is seriously flawed. It is based on a trust model: I trust the external Certificate Authority, so I trust any certificate that is issued by it. Does the external Certificate Authority do proper checks to verify that the company in question has deployed its certificates properly? Does the company protect the certificate's private keys? A Certificate Authority does not perform these checks. The external CA will verify the identity of the company and that it owns the domain in question. It will dictate how big the key size is, and so on. But it has no input into how its certificate is deployed on the company's servers.
Most online retailers will advertise that their websites are secure because they use 128 or 256 bit encryption, and they might even display a seal from an external Certificate Authority confirming that their site is secure. The main issue I have with this is that, while you can see that the information between the browser and the company is encrypted, you have no idea what happens to your data after it enters the company's network. You do not know where the SSL end point is. The Certificate Authority that provides the "secure by SSL" seal also does not know what happens to your data after it enters the company's network. The SSL end point could be just inside the DMZ, and the data could then be stored as clear text anywhere on the company's network. Customers might not even know there is an issue until the company gets hacked a few years later.
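The browser-side checks listed above (validation level, key size, issuer, validity period) and the limit of what they can tell you can be put in code. The following Go program is an added example and is not part of the original post: it builds two constructed self-signed certificates so it runs offline (an EV-style one with a 2048-bit key, and a DV-style one with a 1024-bit key that has already expired), classifies each using the published CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), and lists the findings. The names Inspect, ClassifyValidation, selfSigned, Report and the host name shop.example are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum certificate-policy OIDs that CAs place in the
// certificatePolicies extension to state the validation level performed.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// Report holds everything a browser-side certificate inspection can tell you.
type Report struct {
	Validation string   // "EV", "OV" or "DV"
	RSABits    int      // 0 when the key is not RSA
	Issuer     string   // issuer common name as presented in the certificate
	Valid      bool     // inside the notBefore/notAfter window at the checked time
	Findings   []string // points a practitioner would flag
}

// ClassifyValidation reads the validation level from the policy OIDs and falls
// back to the subject: OV and EV certificates name an organisation, DV ones do not.
func ClassifyValidation(cert *x509.Certificate) string {
	for _, oid := range cert.PolicyIdentifiers {
		switch {
		case oid.Equal(oidEV):
			return "EV"
		case oid.Equal(oidOV):
			return "OV"
		case oid.Equal(oidDV):
			return "DV"
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// Inspect performs the checks from the post (validation level, key size,
// issuer, validity) and records what they do not cover.
func Inspect(cert *x509.Certificate, now time.Time, minRSABits int) Report {
	r := Report{
		Validation: ClassifyValidation(cert),
		Issuer:     cert.Issuer.CommonName,
		Valid:      !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		r.RSABits = pub.N.BitLen()
		if r.RSABits < minRSABits {
			r.Findings = append(r.Findings, fmt.Sprintf("RSA key is %d bits, below %d", r.RSABits, minRSABits))
		}
	}
	if !r.Valid {
		r.Findings = append(r.Findings, "certificate is outside its validity period")
	}
	if r.Validation == "DV" {
		r.Findings = append(r.Findings, "domain validated only: the CA has not verified who operates the site")
	}
	// The post's point: none of the above says where TLS terminates or how
	// submitted data is handled once it is past that endpoint.
	r.Findings = append(r.Findings, "transport only: no evidence about the TLS endpoint or storage behind it")
	return r
}

// selfSigned builds a constructed test certificate so the example runs offline.
// org may be empty for a DV-style subject; policy may be nil for no policy OID.
func selfSigned(cn, org string, policy asn1.ObjectIdentifier, bits int, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		DNSNames:     []string{cn},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if policy != nil {
		// Encode certificatePolicies by hand so the result is independent of
		// which template field a given Go release uses for policies.
		type policyInformation struct {
			Policy asn1.ObjectIdentifier
		}
		val, err := asn1.Marshal([]policyInformation{{policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	ev, err := selfSigned("shop.example", "Example Retail Ltd", oidEV, 2048, now.Add(30*24*time.Hour))
	if err != nil {
		panic(err)
	}
	dv, err := selfSigned("shop.example", "", nil, 1024, now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{ev, dv} {
		fmt.Printf("%+v\n", Inspect(c, now, 2048))
	}
}
```

The subject-based fallback in ClassifyValidation is a heuristic: older EV certificates carry CA-specific policy OIDs rather than the CA/Browser Forum one, and those are reported as OV here. Whatever the result, the last finding is always present, because the certificate alone cannot show where the SSL end point is or what happens to the data behind it.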
A small online retailer might also use a hosting company for its website. The hosting company might organise an SSL certificate on behalf of the retailer. In this scenario the SSL end point is with the hosting company. The customer has no assurance that their data is securely transmitted on to the intended company, and no assurance that the hosting company is not keeping their details.
I think that if companies want to provide proper assurance to their customers that the online service they provide is secure, they have to get the whole transaction, from where the customer inputs their data to where the information ends up on the company's network, validated by a third party. The company could then publish this report on its site.
Conor Roantree CISSP, CISA
Fully agree. SSL is designed to protect the transmission of information, not the storage. And realistically, when giving out PII and financial data like credit card numbers, transmission is the smaller part of the risk.
Posted by: Hubert Kay | 28 February 2012 at 09:04 AM
Good point and I concur. Companies should provide more information regarding what happens to customer information when it's inside their infrastructure.
Posted by: Mazin Finjan | 28 February 2012 at 02:48 PM
I still occasionally run into website owners that have SSL enabled checkout systems, and then receive the entire payment and transaction information via email...
I agree that one of SSL's biggest problems is it can be a facade. But I don't think it's realistic to expect a business to get a 3rd party audit to confirm the information is being treated securely. The costs of such would be prohibitive for most small and medium size businesses. Trust seals offer hardly any benefit to an ecommerce site's bottom line, and there would be an even more inconsequential number of customers that would actually look for a full audit report.
Unless there was some mandate to audit all payment processing applications, there's just no way that consumer interest is high enough to suggest this would be realistic. Consumers don't really understand SSL and they sure as heck wouldn't understand an audit. Unless consumers get smart about security, there isn't much that can be done IMO.
Posted by: Jestep | 28 February 2012 at 06:01 PM
Some very good points made here.
I think you are right that most customers do not understand SSL. But they have been sold the idea of a site being secure once they see the lock icon. Also, Certificate Authorities are using every PR tactic they can think of to say sites that are secured with their certificates are secure, from using Extended Validation SSL certificates (which make the address bar go green) to security seals.
You may be right about a complete audit not being practical. How companies address this issue should be open for debate.
Posted by: Conor Roantree | 29 February 2012 at 07:05 AM