6.7. SSL Security

Ironically, most experts believe that although SSL provides an excellent secure channel with strong encryption and authentication, it does a poor job at its original purpose of protecting Web transactions. This is not a weakness of the SSL protocol itself but rather a result of the way browsers implement it. The problem is that although SSL can verify the identity of a server, browsers do a poor job of informing their users of that identity in a way that allows them to make an informed decision about whether the connection is with the server they intended. Bruce Schneier's description of the problem [Schneier 2003] is typical: "Imagine you are sitting in a lightless room with a stranger. You know that your conversation cannot be eavesdropped on. What secrets are you going to tell the stranger? Nothing, because you have no idea who he is. SSL is kind of like that." Of course, we do tell that stranger our secrets. The current epidemic of so-called phishing attacks, where users are duped into connecting to a dummy site, is an example of this.

An excellent analysis of the security aspects of the SSL 3 protocol is presented in [Wagner and Schneier 1996]. Although the authors identify a few small problems, they conclude that, by and large, the protocol provides excellent security against passive attacks and, except for a couple of protocol issues that could lead to implementation errors, against active attacks as well.

Canvel, Hiltgen, Vaudenay, and Vuagnoux [Canvel, Hiltgen, Vaudenay, and Vuagnoux 2003] combined Vaudenay's attack on CBC padding [Vaudenay 2002] with a timing attack, and used it to recover passwords sent to an SSL-secured IMAP server. The timing attack takes advantage of the fact that a record with bad padding was rejected before the MAC was computed, so it was rejected measurably faster than a record with good padding but a bad MAC. Because most SSL servers at the time reported the error as soon as they detected it, the attacker was able to discern whether the padding was correct and thus apply Vaudenay's attack. This attack is made possible by an implementation error, of course, and SSL servers now take pains to make sure that the timing attack won't work, by always performing both tests before reporting an error, for example. Because most SSL servers defaulted to RC4 encryption, a stream cipher that uses no padding and so is not vulnerable to Vaudenay's attack, this exploit had little practical importance except to illustrate, once again, the dangers of leaking even seemingly innocuous information.
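The following is an added example, not code from the book or from any SSL implementation, that shows the padding oracle described above end to end: a CBC record in the TLS 1.0 layout (plaintext, then HMAC, then padding whose bytes and final length byte all equal the padding length), a server routine that reports bad padding before it has computed the MAC, a hardened routine that always does both checks, and the Vaudenay-style block recovery that turns the leak into a plaintext password. The distinct "bad_padding" / "bad_mac" results stand in for the timing difference that Canvel et al. actually measured. The 16-byte Feistel block cipher, the keys, the IV and the IMAP LOGIN line are all constructed for the example so that it runs with the standard library alone; the password recovered is the one embedded in that constructed line.

```python
"""Padding-oracle leak in a CBC-mode SSL/TLS record and the 'do both checks' fix.
Added example; the block cipher is a toy 8-round Feistel network (an assumption
so the example needs only the standard library), not a real SSL cipher."""
import hashlib
import hmac

BLOCK = 16
MAC_LEN = 20  # HMAC-SHA1, as in the SSL 3 / TLS 1.0 cipher suites


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Toy Feistel round function: SHA-256 keyed by round number, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def seal(key, mac_key, iv, data):
    """MAC-then-pad-then-encrypt, TLS 1.0 style; returns iv || ciphertext."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return iv + cbc_encrypt(key, iv, body + bytes([padlen]) * (padlen + 1))


def open_leaky(key, mac_key, record):
    """Pre-2003 behaviour: reject bad padding before the MAC is computed, which
    lets an attacker distinguish the two failures (in practice by timing)."""
    pt = cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    if padlen + 1 + MAC_LEN > len(pt) or any(b != padlen for b in pt[-padlen - 1:]):
        return "bad_padding"
    body = pt[:-padlen - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha1).digest(), tag):
        return "bad_mac"
    return data


def open_hardened(key, mac_key, record):
    """Always run both checks and report a single undifferentiated error."""
    pt = cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    pad_ok = padlen + 1 + MAC_LEN <= len(pt) and all(b == padlen for b in pt[-padlen - 1:])
    # With bad padding still MAC a plausible body, so the work done does not
    # depend on the outcome of the padding check.
    body = pt[:-(padlen + 1 if pad_ok else 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha1).digest(), tag)
    return data if (pad_ok and mac_ok) else "bad_record"


def padding_oracle_decrypt(oracle, record, i):
    """Recover plaintext block i (blocks[0] is the IV) using only oracle(record),
    which is True when the server's answer was anything but 'bad_padding'.
    The forged record is prefix || R || C_i: the prefix blocks only make it
    long enough to pass the length check, R is chosen so D(C_i) ^ R ends in
    valid padding of a length we pick, and P_i = D(C_i) ^ C_{i-1}."""
    blocks = [record[j:j + BLOCK] for j in range(0, len(record), BLOCK)]
    prefix, target = b"".join(blocks[:2]), blocks[i]
    inter = bytearray(BLOCK)  # D(C_i), learned from the last byte backwards
    for k in range(BLOCK - 1, -1, -1):
        p = BLOCK - 1 - k  # padding length we try to forge at this position
        r = bytearray(BLOCK)
        for j in range(k + 1, BLOCK):
            r[j] = inter[j] ^ p
        hits = []
        for g in range(256):
            r[k] = g
            if not oracle(prefix + bytes(r) + target):
                continue
            if k > 0:  # rule out the ambiguous longer-padding case at the last byte
                r2 = bytearray(r)
                r2[k - 1] ^= 0xFF
                if not oracle(prefix + bytes(r2) + target):
                    continue
            hits.append(g)
        if len(hits) != 1:
            raise ValueError("no usable padding oracle (%d candidates)" % len(hits))
        inter[k] = hits[0] ^ p
    return _xor(bytes(inter), blocks[i - 1])


# Constructed demo material (not real keys or a real capture).
KEY, MAC_KEY, IV = b"k" * 16, b"m" * 16, bytes(range(BLOCK))
LOGIN = b"a001 LOGIN alice hunter2\r\n"
RECORD = seal(KEY, MAC_KEY, IV, LOGIN)


def run_attack(opener):
    """Attack block 2, which holds the password, through the given server
    routine; returns the recovered block, or None if there is no usable oracle."""
    oracle = lambda rec: opener(KEY, MAC_KEY, rec) != "bad_padding"
    try:
        return padding_oracle_decrypt(oracle, RECORD, 2)
    except ValueError:
        return None


if __name__ == "__main__":
    print(run_attack(open_leaky))     # contains b'hunter2'
    print(run_attack(open_hardened))  # None
```

Against open_leaky the attack needs at most 256 queries per byte and gives back the password in clear; against open_hardened every guess looks the same and the attack has nothing to work with. Note that even the hardened routine is not fully constant-time, since the amount of data the MAC runs over still depends on the padding length; the later Lucky Thirteen attack exploited exactly that remaining difference, which is one reason modern TLS moved to AEAD cipher suites that have no padding to check.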