The cold truth: You are rarely secure when you connect to an SSL-encrypted web site. The browser shows a happy little lock icon, and you think nothing further on the subject. But recent revelations and exploits, such as the NSA, nation states and others scooping up vast quantities of Internet data, courts ordering websites to give up their SSL keys, and Heartbleed leaking session data, have proven that we need to revisit the level of security web sites use.
Install a browser extension such as Calomel's SSL Validation for Firefox or the Netcraft Toolbar for Firefox, Chrome, and Opera, then take a spin around the Internet. The results are not pretty. Your bank's website bragging about their convenient mobile banking? With those SSL parameters? No thank you.
There are many vectors for attacking SSL (and TLS). Generally speaking, brute-force decryption isn't a viable path. Administrators have dutifully upgraded to RSA 2k certificates, if only because that’s all their certificate authority will now sell. So today the greatest weakness is the SSL private key itself, which is used to encrypt every session. Acquiring that key, even after the fact, allows an attacker to decrypt any past transactions that were encrypted by the key. Unfortunately this is not a theoretical scenario.
However, there is a simple solution. SSL and TLS support a feature called Perfect Forward Secrecy. Rather than directly using the SSL certificate (and key) to encrypt a client’s connection, PFS uses the SSL certificate/key to generate a one-time “ephemeral” key, which is used to encrypt a single session and is then discarded. Problem solved.
If it's that easy, what's holding back adoption? Glad you asked, as I shall now run through the top five excuses for weak SSL security and not implementing PFS.
Excuse 1: Lack of Infrastructure Support. PFS requires specific combinations of SSL settings to be negotiated, particularly the cipher suite, which uses ephemeral Diffie-Hellman for the key exchange. Almost all current web servers, OpenSSL, and even OpenSSH support PFS and the requisite ciphers. Some servers are too old or fragile to upgrade. Other infrastructure, such as hardware-based load balancers, uses hardware accelerator cards that may not support Elliptic Curve, DHE, or PFS. Fair excuse, but newer load balancers are available that can immediately resolve this issue with a few clicks.
Excuse 2: Lack of Browser Support. Adoption is certainly not as fast as it could be, but it is always increasing, with the exception of stubborn older IE holdouts, which will soon be resolved. Mobile browsers tend to be on the cutting edge, supporting modern security features such as PFS. Older browsers that can’t negotiate PFS will simply negotiate a standard SSL or TLS connection.
Excuse 3: Performance Impact of PFS. For traditional RSA keys, PFS is an expensive proposition, approximately 3 to 4 times more computationally expensive. For the newer Elliptic Curve Cryptography certificates, however, PFS adds little to no overhead. And even if you are still using RSA 2k certificates, so long as your SSL decryption infrastructure has available capacity, or can scale its capacity on demand, performance should not be an issue for either RSA or ECC.
Excuse 4: Implementation Complexity. The ideal implementation is to use an ECC certificate to negotiate fast SSL/TLS encryption with PFS, and simultaneously leverage an RSA certificate as a backup for compatibility with older browsers. Correctly prioritizing your SSL/TLS keys, versions, and ciphers is a challenge not to be underestimated. An afternoon spent reading white papers on ephemeral Diffie-Hellman will drive that point home nicely. But packaged solutions and modern load balancers provide a single click to SSL happiness, and knowledge and awareness are making this easier than ever.
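To make the prioritization concrete, here is an added example (not code from the post or from the webinar it links): a small Python check that classifies OpenSSL-style cipher-suite names by key exchange, reports how much of a server's advertised list lacks PFS, and re-orders it ECDHE first, DHE second, RSA key exchange last as a compatibility fallback. The `negotiated_cipher` helper and the sample cipher list are constructed for illustration; the helper needs network access, everything else runs offline.

```python
import socket
import ssl

def key_exchange(cipher: str) -> str:
    """Return the key-exchange class of an OpenSSL cipher-suite name."""
    name = cipher.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "ECDHE"      # TLS 1.3 suites always use ephemeral (EC)DH
    if name.startswith(("PSK-", "SRP-", "KRB5-", "EXP")):
        return "OTHER"      # pre-shared/SRP/Kerberos/export: handled separately
    if name.startswith(("AECDH-", "ADH-")):
        return "ANON"       # ephemeral but unauthenticated: no protection against MITM
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    if name.startswith(("ECDH-", "DH-")):
        return "STATIC"     # static (EC)DH: long-term key compromise exposes sessions
    return "RSA"            # RSA key exchange: premaster secret encrypted to the cert key

def has_forward_secrecy(cipher: str) -> bool:
    """Only authenticated ephemeral (EC)DH gives the property the post describes."""
    return key_exchange(cipher) in ("ECDHE", "DHE")

# Preference order from Excuse 4: ECDHE (fast PFS with an ECC cert), then DHE
# (PFS at RSA cost), then RSA key exchange for old browsers; the rest is dropped.
_RANK = {"ECDHE": 0, "DHE": 1, "RSA": 2}

def prioritize(ciphers):
    """Stable sort of a server cipher list into a PFS-first preference order."""
    keep = [c for c in ciphers if key_exchange(c) in _RANK]
    return sorted(keep, key=lambda c: _RANK[key_exchange(c)])

def audit_ciphers(ciphers):
    """Summarise an advertised list: how many suites offer PFS, and is the first one PFS?"""
    pfs = sum(1 for c in ciphers if has_forward_secrecy(c))
    return {"pfs": pfs, "non_pfs": len(ciphers) - pfs,
            "first_offered_has_pfs": has_forward_secrecy(ciphers[0]) if ciphers else False}

def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): the suite a default Python client negotiates with host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]   # e.g. 'ECDHE-RSA-AES128-GCM-SHA256'

if __name__ == "__main__":
    # Constructed sample of a server's advertised list, weakest suite offered first.
    sample = ["AES128-SHA", "DHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256",
              "ECDH-RSA-AES128-SHA", "ADH-AES256-SHA"]
    print(audit_ciphers(sample))
    print(prioritize(sample))
```

Feed it the cipher list your server or load balancer actually advertises and the audit tells you whether a non-PFS suite would win when a client leaves ordering to the server.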
Excuse 5: Lack of a Compelling Event. If the headlines of NSA activities, Heartbleed revelations and others aren't compelling enough, then consider the tin foil hat customers like me, who are none too excited to frequent sites with the ugly red Calomel warning icon in front of their name.
If your top excuse for weak SSL security didn’t make my top five list, leave a comment and let your excuse be heard! Then take a look at Avi’s webinar on the advances in the SSL landscape and how to quickly improve your security posture with SSL Everywhere.