Why SSL isn’t fooolproof security

Over at Rabbit-Hole, a commenter posted that my low-tier VPN is unnecessary if you’re using SSL. He’s wrong.

Perhaps I should have titled this “When SSL isn’t foolproof security,” but it’s too late now. Oh well.

When you’re sitting on a strange network (not your home or work network), SSL is vulnerable to a classic man-in-the-middle attack. If you’re paying attention, you should know if your session is being hijacked. But who’s paying attention?

Here is an example of an SSL MITM proxy that you can download and play with. The way it works is that a server can grab your SSL request, re-sign it with another certificate, then send it to its destination and relay the request back to your computer. It comes back to you encrypted, but since both your computer and the proxy in the middle have the keys, the other computer can unlock it and read the traffic.

And yes, while you usually have to manually configure your browser to use a proxy server, it is possible for you to end up using a proxy server without your knowledge when you’re signed onto a strange network. The network could have proxy auto-config enabled. It’s even possible to route all web traffic through a transparent proxy on the firewall, so neither you nor your browser know you’re using a proxy.

This is why some browsers display the certificate information in the address bar when you’re using SSL. If you’re reading Gmail and you see the certificate is signed by l337 h4xx0r5 LTD or anyone else other than Google, then you (hopefully) know something’s wrong. If it’s signed by something that looks almost like Google, though, will you give it a pass? Most people will.

It’s also why you should never, ever just click through a warning that says a certificate doesn’t match the domain name owner, or that a certificate is self-signed. Unfortunately, most people do click right through those warnings. Those warnings don’t necessarily mean there’s funny business going on, but frequently they do, and they certainly mean you should ask questions, and not just click through. Especially if you’re doing something that involves money.

If you have any interest at all in security, you should experiment by clicking on the notice that appears in your browser’s address bar when you visit a site protected with SSL. Learn how to recognize when a certificate is verified by a third party like Digicert or Thawte or Verisign.

So what should you do when you see a forged certificate? Close your browser, turn off your laptop, and leave. Simple, really.

But there’s another problem. Net Nanny relies on this property–whether it’s an unintended feature or a vulnerability depends entirely on your perspective–of SSL in order to work. So if you have Net Nanny installed, all SSL connections show certificates signed by Net Nanny. Which is fine, I suppose–you consented to it when you installed it–but if something upstream of Net Nanny turns around and hijacks the SSL connection, you’ll have no way of knowing.

Don’t get me wrong. SSL good for what it’s intended to do–keeping snoops upstream of you from reading your connection in transit. But don’t let yourself think it’s Fort Knox protection. It isn’t. Whether it’s like a $30 deadbolt or like the lock on your bathroom door is a matter of debate, but it’s definitely not like Fort Knox. It’s more than enough to protect financial transactions when you’re on a network that you trust. But if you spend a lot of time on networks away from home or work, you need something more. A VPN gives you the Fort Knox-like strength for that.

Because you never can have too much encryption.

If you found this post informative or helpful, please share it!