Many of us have become familiar with the idea of Secure Sockets Layer (SSL), even if we’re not aware that it’s called SSL. This is the protocol that encrypts much of your communication on the Internet, denoted by an “https” at the beginning of the URL as opposed to the standard “http.” I’m not going to get into a lot of the technical details of the protocol because, well, they don’t really matter at this point.
The unfortunate reality is that many of us see that little lock icon or that “https” in our browser and we assume that our communications from that point on are secure. We’re comfortable performing bank transactions, logging into our favorite social networking site, or sending that personal email that we really don’t want anyone else seeing because we’re confident that no one else can see what we’re doing. As those of us in the infosec industry have known for a long time, however, you couldn’t be more wrong.
There are some very common, and in some cases very old, methods for subverting SSL and snooping on your communications. Today we learn from The Trustworthy Internet Movement that 90% of SSL “secured” sites are vulnerable to these attacks.
This further underscores that we should all be practicing the age-old (and now clichéd) principle of “Defense in Depth,” as well as assuming that everything you do on the Internet can be spied on. This shouldn’t preclude you from engaging in sensitive activity online (does the fact that the waitress can copy your credit card information stop you from handing it over when you’re paying for a meal?). Rather, it underscores the fact that we must all be aware of the risks associated with the activities we engage in, and understand that there is no silver-bullet security measure protecting us.