Secure Sockets Layer – Securing Websites

Secure Sockets Layer Enabled

Recent visitors to my website will have spotted that a small locked padlock now appears in their browser window. Firefox shows it as a green closed padlock just before the https:// in the URL.

Green padlock symbol indicates all is well

This is a good thing because it means my newly acquired digital certificate has installed correctly and Secure Sockets Layer (SSL) is working.

SSL is a cryptographic technique used to encrypt traffic between users and a website. It gives a high assurance that the traffic between a client and server is private.  SSL provides protection against man-in-the-middle attacks.

Visitors to such a website need understand nothing about the cryptographic process behind SSL other than to know that a closed padlock (or similar image) means their traffic with the website is protected.

If the padlock is open, missing, or their browser adds a warning symbol (often a coloured triangle and exclamation mark) then the user should be wary about the security of that site.

It’s a simple matter for the user to check what is happening behind the padlock by clicking on it, whereupon all the relevant information will be revealed.

For example, here is a screen shot of my certificate details which any visitor to my website can see by clicking on the padlock.

SSL Certificate

If you receive a warning about the certificate for a site you are visiting, an open padlock for example, then clicking on that will show you what the problem is.

When I first enabled SSL on my website both Firefox and Chrome threw up warning signs against my website URL. This concerned me somewhat as I had followed all the steps detailed by my hosting company and my website security plugins.

The warnings regarded some unencrypted content mixed in with the encrypted content. Such mixed content on a web page can be indicative of a vulnerability on the page that could be exploited.

This is where the information provided by my browser when I clicked on the warning icon proved very helpful.

Take a look at the screen shot of the Firefox certificate viewer and note particularly the tabs at the top of the window.

SSL Certificate Viewer in Firefox

Clicking the media tab displays all media embedded in that page including their individual URLs. On inspecting the list of media it quickly became clear where the problem lay.

My logo image had somehow evaded encryption and sat there in clear amongst all the other encrypted files. Hence the mixed content warning.

The fix was simply to reload the logo and once the website had updated and synced at the server, a matter of seconds, my little padlock locked and turned green. Success!
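The check I did by hand in the Media tab can also be scripted. The following is an added example, not code from the original post: it scans a page's HTML for subresources that an HTTPS page still loads over plain http://. The sample page and the example.com URLs are constructed, and the regex-based scan is a simplification rather than a full HTML parser.

```javascript
// Added example: list subresources that an HTTPS page loads over plain HTTP.
// Simplification (assumption): a regex attribute scan, not a full HTML parser.
const SUBRESOURCE_ATTRS = new Map(Object.entries({
  img: ['src', 'srcset'], source: ['src', 'srcset'], script: ['src'], iframe: ['src'],
  audio: ['src'], video: ['src', 'poster'], embed: ['src'], object: ['data'], link: ['href'],
}));

function parseAttrs(attrText) {
  const attrs = {};
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const [, name, dq, sq, bare] of attrText.matchAll(attrRe)) attrs[name.toLowerCase()] = dq ?? sq ?? bare;
  return attrs;
}

function findMixedContent(pageUrl, html) {
  const base = new URL(pageUrl);
  if (base.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const findings = [];
  for (const [, rawTag, attrText] of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attrs = parseAttrs(attrText);
    // <link> is only fetched for some rel values; rel="canonical" is just metadata.
    if (tag === 'link' && !/\b(stylesheet|icon|preload)\b/i.test(attrs.rel || '')) continue;
    for (const attr of SUBRESOURCE_ATTRS.get(tag) || []) { // <a href> is navigation, so not listed
      if (attrs[attr] === undefined) continue;
      const urls = attr !== 'srcset' ? [attrs[attr].trim()]
        : attrs[attr].split(',').map((c) => c.trim().split(/\s+/)[0]); // "url 1x, url 2x"
      for (const candidate of urls) {
        let resolved;
        try { resolved = new URL(candidate, base); } catch { continue; }
        if (resolved.protocol === 'http:') findings.push({ tag, attr, url: resolved.href });
      }
    }
  }
  return findings;
}

// Constructed sample: an HTTPS page whose logo is still referenced over http://
const SAMPLE_PAGE = `
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="https://www.example.com/style.css">
<img src="http://www.example.com/images/logo.png" alt="logo">
<img src="/images/banner.jpg" srcset="/images/banner-2x.jpg 2x">
<script src="//cdn.example.com/app.js"></script>
<a href="http://other.example.org/">a plain link is not mixed content</a>`;
const SAMPLE_FINDINGS = findMixedContent('https://www.example.com/', SAMPLE_PAGE);
console.log(SAMPLE_FINDINGS);
```

Relative and protocol-relative URLs inherit the page's scheme, which is why only the hard-coded http:// logo is reported.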

So what is going on behind that little padlock?

How Does SSL Work?

Here is my non-technical bite size overview of SSL.

First we need to take a brief look at encryption and how it is used.

Classic Symmetric Encryption

Classic encryption uses symmetric cipher keys. That is, the same cipher key is used to encrypt and decrypt the transaction.

This cipher key is a private key and both parties involved in the transaction must possess identical keys.  Alice and Bob wish to exchange private messages:

Alice and Bob both possess a copy of the symmetric cipher key and associated encryption algorithm.

For Alice to send a secure encrypted message to Bob she must encrypt it with her copy of the symmetric private key. Her message is entered into an encryption algorithm, the private key is applied and the resulting cipher text (encrypted message) is transmitted to Bob.

When Bob receives the cipher text he enters it into the same algorithm, generally run in reverse of the way Alice used it, applies his copy of the private key and Alice’s original plain text message emerges.

If Bob wishes to send Alice an encrypted response he uses the same algorithm and cipher key.

The resistance of the encrypted message to brute force attack, and therefore its security, is dependent upon the strength of the cipher key. Generally, the longer the key the stronger it is.

The encryption algorithms are complex but widely known. Their security rests on the concept that ‘many eyes’ ensure correctness. That is, vulnerabilities should be discovered due to the open nature of the algorithm.

Such public knowledge enabled the creation of encryption standards such as Advanced Encryption Standard (AES) which is widely used to protect government information as well as sensitive commercial information.

The strength of the actual encryption relies on the strength and protection of the cipher key.

Consequently, symmetric key encryption raises several issues not least of which is key management – how the keys are generated, distributed and protected.

Any exploitable vulnerability in the key management system exposes the symmetric key to compromise. Therefore, the protection of key distribution is critical to the security of this encryption method.

Symmetric encryption is computationally very fast so can be used for encrypting large blocks of data.

Asymmetric Encryption

In 1976 encryption was changed forever by Diffie and Hellman (D-H) and their publication of a cryptographic key exchange system that could be used over public channels. This was the first publicly available incarnation of an asymmetric cipher key.

(Ellis, Cocks and Williamson, GCHQ, were credited with the first demonstration of public key cryptography in 1975. Their work was classified until 1997. The Secret Story – Bruce Schneier)

The D-H system allows parties to establish a shared secret key over an insecure channel. The secret key could then be used to encrypt communications via a symmetric cipher key.  Here are Alice and Bob again:

Using a public key encryption system Alice encrypts her message to Bob with a public key provided by him.

When Bob receives Alice’s cipher text message, using the same algorithm as Alice, he applies his private key, which only he holds, to produce the original plain text.

For his reply, Bob encrypts his message with Alice’s public key.

Alice decrypts Bob’s message with her private key, which only she holds.

This method is generally known as Public Key encryption and is used in many Internet services.

Asymmetric encryption is computationally complex and therefore slow relative to symmetric key encryption. Consequently, asymmetric encryption is usually used for encrypting small blocks of data.

Bringing them together

Asymmetric encryption can be used to transmit a symmetric cipher key over an insecure channel. This is where asymmetric encryption comes into play in SSL.

SSL is used to secure Web communications. That is, for things such as Webmail or accessing a Website that processes or stores sensitive information – passwords, financial information, etc.

The Secure Hypertext Transfer Protocol (HTTPS) uses SSL to create secure connections to web services.

Alice wants to access her web mail account:

Her browser, as the client, informs the Web server it wishes to connect.

The server presents a signed certificate – think of it as an electronic identity document – that proves it is what it says it is. The certificate also holds details of the server’s public key.

The server now sends its public key to the browser.

The browser generates a unique symmetric session key which it encrypts with the server public key then sends it to the server.

The server decrypts the symmetric session key with its private key and uses it to set up encrypted communications between it and Alice’s browser. It is at this point Alice sees the locked padlock symbol.

So, in summary HTTPS/SSL uses relatively slow public key encryption to exchange symmetric keys to enable fast encrypted communications between servers and clients.
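The exchange described above, together with the symmetric encryption from earlier in the article, as an added example that is not part of the original post. It models the steps with Node's built-in crypto module (RSA-OAEP to carry the session key, AES-256-GCM for the traffic); it is not the real SSL/TLS wire protocol, and the function names and sample request are constructed.

```javascript
// Added example: the key-exchange steps described above, modelled with Node's crypto module.
// Not the SSL/TLS wire protocol; function names and the sample message are constructed.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: long-term key pair. The public half is what the certificate carries.
function makeServer() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicKey,
    // Slow asymmetric step, done once: recover the session key the browser sent.
    acceptSessionKey: (wrappedKey) => crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey),
  };
}

// Browser: fresh random symmetric key, encrypted so that only the server can read it.
function makeWrappedSessionKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32); // 256-bit AES key
  const wrappedKey = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey };
}

// Fast symmetric step, used for every message once both sides hold the session key.
function seal(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // must never repeat under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

function unseal(sessionKey, { iv, ciphertext, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag); // final() throws if the message was altered in transit
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// One pass through the exchange: browser wraps a key, server unwraps it, traffic flows.
function demoExchange(message) {
  const server = makeServer();
  const browser = makeWrappedSessionKey(server.publicKey);
  const serverSideKey = server.acceptSessionKey(browser.wrappedKey);
  return unseal(serverSideKey, seal(browser.sessionKey, message));
}

console.log(demoExchange('GET /inbox (constructed request)'));
```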

Of course, there is a lot more happening when an SSL session is set up between a server and a client but the basic description above gives a flavour of the process.

Vulnerabilities

Despite appearances, SSL can be hacked in certain circumstances. For example, the Heartbleed bug affected OpenSSL, allowing an attacker to gain access to the secret keys.

As long as servers using OpenSSL have updated to the fixed version they should be secure against Heartbleed.

Another possible attack is Decrypting RSA with Obsolete and Weakened eNcryption (DROWN). Servers that retain support for SSLv2 are vulnerable to DROWN attacks. Again, ensuring server configuration is updated to current standards is key to defending against DROWN.

Sadly, there are still believed to be possible exploits of SSL vulnerabilities, mainly due to server configuration and a lack of full understanding of how SSL works. If you plan to deploy SSL across your organisation or just on your website then you need qualified technical assistance to ensure it is deployed correctly.

I shall look at malware and common security vulnerabilities in a future blog article.

Footnote

Throughout this brief article I have referred to Secure Sockets Layer. In fact, SSL has been superseded by Transport Layer Security (TLS) but SSL remains in use as the common (non-rigorous?) term for securing Web browser communications.

TLS has more security functionality compared to SSL but in general my description holds true at a non-technical level.
