One question that I ask in any training class that I conduct is “What do you do to protect your applications?” A very common answer is “SSL”. One more thing that I have noticed is that most people think that sending data over SSL will protect web applications against all attacks.
What is SSL?
The first thing to do is to understand what SSL is. SSL stands for Secure Sockets Layer, a transport security protocol that is used to prevent unauthorized viewing or modification of communications over the internet.
How does SSL work?
When you browse to an SSL-enabled site, for example https://www.website.com, a secure connection is established first. This process is called the “handshake”. During the handshake, the server sends its SSL certificate, which contains its public key, one half of a key pair. The other half is known as the private key. Any data encrypted with the server’s public key can only be decrypted with its private key. The public key, as the name indicates, is known to all, but only the server holds the private key. Once the browser has verified the certificate, it generates a session key and encrypts it with the server’s public key. This is sent to the server, which uses its private key to decrypt it and obtain the session key. Both sides now share a session key known only to the two of them, and all further communication between the browser and the server is encrypted and decrypted with that session key.
What does SSL do?
SSL provides the following protections:
1. It ensures that if a third party intercepts the encrypted communications, they cannot see or modify the actual data. In other words, it protects data in transit from the time it leaves the browser to the time it reaches the server.
2. It also assures the browser (or user) that the server is actually who it claims to be. In other words, it protects against a third party claiming to be the legitimate destination of the data, since the browser can verify that the certificate has been issued by a trusted Certifying Authority.
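The assurance in point 2 only holds if the client actually checks the certificate chain and the host name. The following is an added example, not code from the original post: it uses Python's standard-library `ssl` module (the post names no language, so that choice is an assumption) to build a client context that performs the verification described above, a weakened context that switches it off, and a small audit function that reports which of those protections a given context has given up.

```python
import ssl


def client_context_verifying() -> ssl.SSLContext:
    """Context that delivers the assurance in point 2: the certificate chain must
    lead to a trusted CA and the certificate must match the host we asked for."""
    ctx = ssl.create_default_context()            # loads the system trust store
    ctx.check_hostname = True                     # the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def client_context_weakened() -> ssl.SSLContext:
    """What 'just make the certificate warning go away' looks like in code: traffic
    is still encrypted, but any party holding any key pair can pose as the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete protocol versions are still accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("verifying", client_context_verifying()),
                      ("weakened", client_context_weakened())):
        print(name, "->", audit_context(ctx) or ["no findings"])
```

The weakened context is what many "disable SSL verification" snippets amount to: the wire is still encrypted, so the first protection survives, but the second one, knowing that the other end is really the intended server, is gone.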
What does SSL not do?
There is a whole range of attacks and exposures that SSL does not protect against:
1. Parameter tampering attacks, where the values of URL or other request parameters are modified at the browser before the request is sent.
2. Scripting or SQL injection attacks; the malicious input is encrypted in transit and delivered to the server intact.
3. Data stored on the client computer.
4. Data after it reaches the server and has been decrypted.
5. Data at rest, such as that in a database.
6. Social engineering attacks that involve data access or manipulation at either the client or the server.
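To make points 1 and 2 concrete, here is an added example that is not part of the original post: a constructed Python/SQLite sketch of two request handlers as they might run on the server after the SSL layer has decrypted the request. The catalogue, the user table and the two requests are constructed sample data. One handler trusts the client-sent price and builds SQL by string formatting; the other recomputes the price from server-side data and uses a parameterised query. SSL delivered both requests unchanged, so the difference lies entirely in what the server does with them.

```python
import sqlite3

# Constructed server-side data standing in for a real catalogue and user table.
CATALOGUE = {"widget": 25.00, "gadget": 80.00}


def make_db():
    """Build an in-memory user table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


# Requests as the server sees them once the SSL layer has decrypted them.
# SSL guarantees nobody changed these bytes on the wire; it says nothing about
# whether the browser that produced them was honest (constructed sample input).
TAMPERED_ORDER = {"item": "gadget", "qty": "3", "price": "0.01"}  # price edited at the client
INJECTED_LOGIN = {"username": "' OR '1'='1", "password": "' OR '1'='1"}


def charge_vulnerable(req):
    """Trusts the client-supplied price, so an edited form field sets the bill."""
    return int(req["qty"]) * float(req["price"])


def charge_hardened(req):
    """Recomputes the price from server-side data and validates the quantity."""
    item = req.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = req.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        raise ValueError("invalid quantity")
    return int(qty) * CATALOGUE[item]


def login_vulnerable(conn, req):
    """Builds SQL by string formatting; the injected quotes become part of the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (req["username"], req["password"]))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, req):
    """Parameterised query: the input is bound as data and can never alter the SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (req["username"], req["password"]))]


if __name__ == "__main__":
    db = make_db()
    print("tampered order, trusting client  :", charge_vulnerable(TAMPERED_ORDER))
    print("tampered order, server-side price:", charge_hardened(TAMPERED_ORDER))
    print("injected login, string-built SQL :", login_vulnerable(db, INJECTED_LOGIN))
    print("injected login, parameterised    :", login_hardened(db, INJECTED_LOGIN))
```

Run it and the trusting handler bills 0.03 for three gadgets and logs in every user, while the hardened handler bills 240.00 and returns no match. Passwords are stored in plaintext only to keep the demonstration to a few lines; a real user table would hold salted password hashes.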
Points to remember
It is important to understand that SSL is just one piece of the security infrastructure. Relying on SSL alone to provide security for web applications is not a good idea. It plays a significant role in protecting data in transit and should be used whenever personally identifiable or other sensitive information is transmitted.