SSL is the protocol that underlies most of the Internet’s encrypted traffic, and lately many people have begun to realize that SSL is flawed in a pretty obvious and easily exploited way.

SSL relies on certificates to setup a secure connection between computers. Generating a certificate is easy, and it’s possible to create a valid certificate for any address on the Internet. Certificate authorities (or CAs) ensure trust and prevent mayhem by validating the certificate owner is who they claim to be and then adding a signature to a certificate labeling it as legitimate.

When you visit a secure website, your browser gets a certificate signed by an authority saying that this website is authentic. The browser compares that signature against its own built-in list of known certificate authorities (and their public keys). How many authorities does your browser know about? Try more than 600!

The SSL certificate authority model works well if you assume the authority treats its super-secret private key like the gold in Fort Knox: the key is only handled by a small group of Internet priests who open the vault in a solemn ritual, remove the key, calculate a signature using nothing but slide rules and chalkboards, and then hastily return their private key to the sacred vault. Obviously, most CAs skip this time consuming and expensive process and trust their computer systems to manage their private key securely in a way that’s resistant to theft by outsiders.

If you think 600 different people can secure their data perfectly, then have we got news for you. I could throw a party for 600 of the smartest people in the world, and chances are good that one of them would forget to wear deodorant. You simply can’t trust 600 different certificate authorities to properly manage their private keys.

And this is the problem. All it takes to compromise SSL is to get access to a single private key from one of the 600 certificate authorities. Once I have that, I can create a certificate claiming to be any site on the web, and your browser will accept it without question.

Read more…

When your app gets hacked because of a bug in your code, that’s pretty bad.  But when your app gets hacked because of a bug in an underlying protocol that’s a building block of the Internet, then you’re looking at a really serious problem.

Such is the case with Twitter, which last week was shown to be vulnerable to a bug in the SSL standard.  SSL is the protocol that encrypts data going back and forth on the web, keeping our credit card numbers, usernames, passwords, and everything else safe and secure.  The trouble is, it’s broken and has been since the mid-1990s.

Right now, the IETF (the standards setting body for the Internet and the closest thing to an Internet Illuminati) has started drafting an update for SSL, but such things take time.  In the mean time, sites like Twitter are suffering the consequences.

Read more…