The wealth of personal information we share online has grown exponentially since 1994, the inception of the Secure Sockets Layer (SSL) Protocol.
The Internet is awash with passphrases, credit card details, and online banking data. We have SSL certificates to thank for our security and privacy. But you’ve probably heard of recent flaws that have dented your trust in the cryptographic protocol.
Fortunately, SSL is adapting, being upgraded and replaced to give you better peace of mind. Here’s how.
What is SSL Anyway?
Let’s start with exactly what SSL is.
SSL certificates are digital authorization documents that can be obtained by an organization or individual running a site that deals with sensitive information. It ensures that data can be transported securely between web server and browser, that this information hasn’t been intercepted and its sources are genuine.
Look what just showed up… pic.twitter.com/keElUW38Le
— Mark Nottingham (@mnot) September 29, 2015
Check out Amazon, for example. Look at the URL, and instead of a typical HyperText Transfer Protocol (HTTP) address, you should be redirected to a HTTPS one — that additional “S” means it’s a secure link, and you’re safe to pay for items via the site. Hotmail, WordPress, and even Tumblr use SSL certificates.
It’s great for the consumer (who knows their data is being treated responsibly), and for the seller (who not only benefits from buyers’ trust, but also gets ranked higher by Google).
However, nothing’s infallible, and a few SSL flaws exposed within just the last year attest to that. Thankfully, web browsing is becoming more secure again…
You might’v have seen SSL and Transport Layer Security (TLS) used interchangeably, and while the differences are perhaps subtle, they remain noteworthy.
Both use the same system of encrypting data, and conferring with the certificate authority (CA) before making that connection. TLS, though, is SSL’s successor, so it stands to reason TLS would be securer. Indeed, its three incarnations — TLS 1.0, 1.1, and 1.2 — iron out some of the vulnerabilities found in the SSL method.
TLS 1.3 has been around since 2008, but as the flaws in the previous versions were considered so miniscule they wouldn’t affect “real-world” situations, it’s taken until very recently for its mass implementation. In fact, back in 2013, it appeared that even the National Security Agency (NSA) wasn’t targeting domains running TLS protocols because so few actually used it. Now, though, a mandate from the PCI Security Council has forced any site that transmits or processes cardholder information into upgrading.
What’s more, all major browsers — Google Chrome, Microsoft Edge, Safari, Firefox, and Opera — support TLS 1.2 by default, so that level of encryption is assured by both parties. Note, however, that the mandate appears to apply solely for payment details, not login information.
Upgrading certificates is only useful if it’s widely adopted, and that’s not the case. All e-commerce sites need security practices, and the majority really should have SSL or TLS. Many rely on the protection of third-party payment processors, like PayPal (this seems to be a loophole in the PCI Security Council mandate), but if a site accepts private information, it should use a secure layer.
If your connection isn’t private, data including email address and password when logging in can be acquired by hackers. And because most people tend to use the same passwords on multiple sites (despite all the warnings), that could be vital information.
Nonetheless, many sites don’t adopt SSL protocols because it can be costly, and it can be complicated. That’s where Symantec’s Encryption Everywhere program comes in.
The American security firm is offering a freemium service, whereby the certificate is obtained completely free of charge, with upgrades (like malware scans) available at a cost. Partnerships with hosting companies take the complexities out of the hands of site admins, while automated updates streamline the process of addressing any further vulnerabilities.
This is in a bid to get 100% security layer use by 2018, so we expect it to be adopted by the majority of sites very soon.
But wait! Symantec isn’t the only one striving for web-wide SSL/TLS encryption.
Let’s Encrypt seems to be riding the wave of more recent flaws; launched to the public in December 2015, the project already has numerous major international sponsors including Google Chrome, Mozilla, Facebook, Shopify, YunPian, and Akamai. Run by the Internet Security Research Group (ISRG), Let’s Encrypt has, of this month, issued more than 5 million certificates and are projecting 50% HTTPS page loads by the end of this year.
Why’s Let’s Encrypt proving popular? Simply as it’s free and automated, meaning it’s incredibly easy for sites to get certificates and upgrades.
The initiative starts with a new private key pair, and proof of the domain owner to the CA; once this is verified using the Automated Certificate Management Environment (ACME) protocol, the site software can sign certificate management messages with the key in order to renew and revoke certificates, or create new ones for the same domain.
We just issued our 5 millionth certificate!
— Let's Encrypt (@letsencrypt) June 17, 2016
Let’s Encrypt is arguably the best known project to offer free certificates, and between these major programs, it certainly appears to be a trustworthy cause.
You might be disillusioned with SSL certificates, however.
Their reputation has been damaged in recent years: most have at least heard of Heartbleed, a vulnerability in the open-source cryptography library, OpenSSL, which allows hackers to read unencrypted information. Heartbleed affected a lot of services, but that was two years ago and a fix is available. But then last year, there was Superfish, malware that rendered HTTPS moot; this, too, has been patched.
And it’s not confined to your PC either: your smartphone apps are affected by SSL flaws too.
Convergence, then, is a browser add-on that many confuse with a system that replaces SSL certificates; more than anything, though, it’s the next stage for CAs. Essentially, instead of trusting one CA vouching for a site’s authenticity, Convergence turns to notary services to attest to the site’s security.
You visit a HTTPS address. There are three main outcomes: all notaries agree it’s safe, in which case, you use the site; not all concur, but you can go with the majority or reject the site because you don’t trust the notaries that do vouch for it; or in extreme cases, most or all of the notaries agree it’s not to be trusted. That way, there’s no single point of failure.
Think of it this way: it’s a convergence of opinions on whether a user can trust the HTTPS.
How Is the Internet Becoming Securer?
Why do we still refer to them as SSL Certificates? Surely they should be TLS Certificates? #ssl #tls #MostBrowsersDontDoSSLAnymore
— Chris Pont (@chrispont) June 7, 2016
In a nut shell: the SSL certificates that authenticate sites are being upgraded to TLS, most importantly on domains like PayPal that deal with payment information. These are being rolled out en masse, with the aim of 100% HTTPS usage in the next few years. The CAs, too, are being reassessed and the Convergence add-on appears a solid stage in verifying how trustworthy a site is by relying on notaries to agree.
Do these measures give you faith in SSL again? Do you feel safe inputting payment details online? What further security protocols would you like to see widely-implemented?
Image credits: HTTPS (WeTransfer) by Christiaan Colen; and https by Sean MacEntee.