You are on the internet and you are looking to purchase the latest smartphone online. So you start off by doing a search in Google, and you get a list of maybe three potential websites selling the brand you are looking for. Now you have to decide which one to use. You check prices and so on. You have an IT security background, so you know the checks you have to make before you submit any personal details. You check that the website has an organisation-validated or domain-validated SSL certificate, you check the key size, and you check that it has been signed by a well-known Certificate Authority. After you have checked all of these you become confident that everything is as it should be and that your information is secure.
Should you be that confident?
In my opinion, the perception that once a website is secured with a valid SSL certificate customers can safely enter their details is seriously flawed. It is based on a trust model: I trust the external Certificate Authority, so I trust any certificate that is issued by it. Does the external Certificate Authority do proper checks to verify that the company in question has deployed its certificates properly? Does the company protect the certificate's private keys? A Certificate Authority does not perform these checks. The external CA will verify the identity of the company and that it owns the domain in question. It will dictate the minimum key size and so on. But it has no input into how its certificate is deployed on the company's servers.
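The checks described above, as an added example that is not part of the original post: a small Python script that applies them to the certificate dictionary Python's `ssl.SSLSocket.getpeercert()` returns after a handshake. The two sample certificates, the trusted-issuer list and the fixed clock value are constructed for the example, and no network is used. It covers organisation validation, issuer, validity period and hostname, but not key size, which `getpeercert()` does not expose. Every check passes on the organisation-validated sample, and none of them says anything about where the TLS session terminates or what happens to the data afterwards.

```python
from datetime import datetime, timezone

# Constructed sample certificates in the dict shape that ssl.SSLSocket.getpeercert()
# returns after a handshake. They are not real certificates.
OV_CERT = {
    "subject": (
        (("countryName", "IE"),),
        (("organizationName", "Example Retail Ltd"),),
        (("commonName", "shop.example.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example OV CA"),),
    ),
    "version": 3,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
}

# Same retailer with a domain-validated certificate: no organizationName in the subject.
DV_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example DV CA"),),
    ),
    "version": 3,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# Constructed: the CA organisations this client chooses to trust, and a fixed "now".
TRUSTED_ISSUERS = {"Example Trust Services"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def parse_cert_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() uses, independent of locale."""
    mon, day, hms, year, zone = text.split()
    if zone != "GMT":
        raise ValueError("unexpected time zone in certificate time: %r" % text)
    hour, minute, second = (int(part) for part in hms.split(":"))
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    hour, minute, second, tzinfo=timezone.utc)


def rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into {attribute: value}."""
    flat = {}
    for rdn in rdns:
        for name, value in rdn:
            flat[name] = value
    return flat


def hostname_matches(cert, hostname):
    """Match hostname against the DNS subjectAltName entries; a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                                  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:                        # "shop" yes, "a.b" no, "" no
                return True
    return False


def review(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=NOW):
    """Return the checks a client can actually perform on the certificate it is served."""
    subject = rdn_to_dict(cert["subject"])
    issuer = rdn_to_dict(cert["issuer"])
    return {
        # An OV certificate carries the verified organisation name; a DV certificate only
        # proves control of the domain. (EV is signalled by policy OIDs, not exposed here.)
        "validation": "OV" if "organizationName" in subject else "DV",
        "issuer_trusted": issuer.get("organizationName") in trusted_issuers,
        "in_validity_period": parse_cert_time(cert["notBefore"]) <= now <= parse_cert_time(cert["notAfter"]),
        "hostname_matches": hostname_matches(cert, hostname),
    }


if __name__ == "__main__":
    for label, cert in (("OV", OV_CERT), ("DV", DV_CERT)):
        print(label, review(cert, "shop.example.com"))
    # Nothing above tells you where the TLS endpoint is or how the data is handled after it.
```

The review of the OV sample returns every check as passing; the DV sample passes the same hostname check through its wildcard entry but reports only `DV`, which is all that a client can distinguish from the served certificate.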
Most online retailers will advertise that their websites are secure because they use 128- or 256-bit encryption, and they might even display a seal from an external Certificate Authority confirming that their site is secure. The main issue I have with this is that, while you can see that the information between the browser and the company is encrypted, you have no idea what happens after your data enters the company's network. You do not know where the SSL endpoint is. The Certificate Authority that provides the "secured by SSL" seal also does not know what happens to your data after it enters the company's network. The SSL endpoint could be just inside the DMZ. The data could then be stored as clear text anywhere on the company's network. Customers might not even know there is an issue until the company gets hacked a few years later.
Also, a small online retailer might use a hosting company for its website. The hosting company might arrange an SSL certificate on behalf of the retailer. In this scenario the SSL endpoint is with the hosting company. The customer has no assurance that the data is securely transmitted from there to the intended company, and no assurance that the hosting company is not retaining their details.
I think that if companies want to provide proper assurance to their customers that the online service they provide is secure, they have to get the whole transaction, from where the customer inputs their data to where the information ends up on the company's network, validated by a third party. The company could then publish that report on its site.
Conor Roantree CISSP, CISA