Gartner Blog Network


SSL Is About As Useful As Dumbo’s Magic Feather, But Security Blankets Are Hard to Outgrow

by John Pescatore  |  September 22, 2011  |  2 Comments

Jim Crow: You wanna make the elephant fly, don’t ya? Well, you gotta use a lot of ‘chology. You know, *psy*-chology. Now here’s what you do. First, you’ll uh…
Jim Crow: [all the crows whisper]
Jim Crow: And then right after that, you’ll uh…
[whispers continue]
Jim Crow: [plucks a feather from the youngest crow’s tail; he yelps] Use the magic feather. Catch on?
Timothy Q. Mouse: [accepting the feather] The magic feather?
[smiles, now getting the secret, then winks as he gives Jim an elbow in the wing]
Timothy Q. Mouse: Yeah! I gotcha.
[rushes joyfully to Dumbo, then places the feather at the end of his trunk]
Timothy Q. Mouse: Dumbo! Look! Have I got it! The magic feather! Now you can fly!
From the movie “Dumbo” (Disney, 1941)

Secure Sockets Layer (SSL) was invented by Taher ElGamal at Netscape in the mid-1990s, back in the days when most network authentication protocols were totally open, since they had all been written assuming they would be carried over internal networks only. When the Internet joined the mix in the 1990s, attackers found it easy to install network sniffers and capture network logons and credentials, causing a lot of resistance to the idea of ever logging in or transacting over the Web. This begat the need for something like SSL and the little key turning blue to make people feel safe.

However, while SSL in actual use made people feel safer, it has always had major security holes. It has never been a strong security solution or a “natively secure protocol” by any means. Recently there has been a continuing stream of attacks against the use of Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The lax security practices of certificate authorities have been exploited to issue fraudulent server certificates. The reality for years has been that SSL server certificates provided little to no authentication assurance to users; they mainly served to support transport security, making sure password entry and cookie passing traveled over a secure pipe.

However, more recently researchers developed a tool (BEAST) that exploits a known vulnerability in TLS 1.0 to actually decrypt data carried in SSL sessions. Uh oh – now SSL isn’t even good for transport security??

This TLS vulnerability has been known about since the early days of SSL. It is not present in the latest version of TLS, but TLS 1.0 is what is widely used. In order to exploit it, attackers must (1) inject code into the user’s browser and (2) hold a man-in-the-middle position as well. Doing both of these things makes it a non-trivial attack to launch, but the BEAST tool greatly simplifies it.

All of the major browser manufacturers do have patches to shield against this problem, but they have been slow to release them because use of TLS versions later than 1.0 breaks many older applications. The availability of this new attack tool and the publicity around it should drive the browser vendors to accelerate efforts to release updated browsers, and Gartner’s standard advice is to prioritize all patches for critical vulnerabilities such as this one.
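As an added example (not from the post, and not the BEAST authors' code), here is a toy model of what the “known vulnerability in TLS 1.0” above actually is and why later TLS versions are not affected: TLS 1.0 reuses the last ciphertext block of the previous record as the CBC IV of the next record, so an observer who can also get one chosen block encrypted can confirm a guess at a secret block, whereas TLS 1.1 and later use a fresh random IV per record, which removes that property. The block cipher is a constructed SHA-256 stand-in for AES (encrypt-only), and the class and function names are hypothetical.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # Constructed stand-in for AES: a keyed PRF truncated to one block (encrypt-only).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_encrypt(key, iv, plaintext):
    # Plain CBC over whole blocks: C[i] = E(P[i] ^ C[i-1]), with C[-1] = iv.
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks

class Tls10Sender:
    """TLS 1.0 style: the next record's IV is the last ciphertext block of the
    previous record, so anyone watching the wire knows it in advance."""
    def __init__(self, key):
        self.key = key
        self.last_block = os.urandom(BLOCK)   # the very first IV comes from key material
    def send(self, record):
        blocks = cbc_encrypt(self.key, self.last_block, record)
        self.last_block = blocks[-1]
        return blocks

class Tls11Sender(Tls10Sender):
    """TLS 1.1+ style: every record gets a fresh random explicit IV (sent with
    the record); the previous last block is still visible but no longer used."""
    def send(self, record):
        blocks = cbc_encrypt(self.key, os.urandom(BLOCK), record)
        self.last_block = blocks[-1]
        return blocks

def observer_confirms_guess(sender, secret, guess):
    """Observer's test in the BEAST setting: watch the record carrying `secret`,
    have one chosen block encrypted in the next record, compare first blocks."""
    sender.send(b"\x00" * BLOCK)       # earlier traffic: the observer has seen a last block
    iv_seen = sender.last_block        # TLS 1.0 will use this as the secret record's IV
    c_secret = sender.send(secret)
    chosen = xor(xor(guess, iv_seen), sender.last_block)  # cancels the chained IV
    c_chosen = sender.send(chosen)
    # Equal iff E(guess ^ iv_seen) == E(secret ^ iv_seen), i.e. the guess was right;
    # with a random per-record IV the two first blocks are unrelated.
    return c_chosen[0] == c_secret[0]
```

With the chained IV a correct guess is confirmed every time and a wrong one never is; with the explicit per-record IV the same test tells the observer nothing, which is why the fix lives in the protocol version rather than in the cipher.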

It took a loooong time for DNS security to get upgraded, even longer for BGP security to improve, and SSL improvement or replacement will take just about as long.


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Thoughts on SSL Is About As Useful As Dumbo’s Magic Feather, But Security Blankets Are Hard to Outgrow


  1. Good post. I will be going through a few of these issues as well.

  2. Agreed Jake, Simon and equally applicable to Internal Employee Communications and the Digital Workplace.


