WHY SSL IS NOT ENOUGH - A VIEW ON FREE SSL

This post is about website security and is a response to this article on Econsultancy, which describes how amazing free SSL for all websites will be. In short, free SSL is not amazing. To understand why singing and dancing about free SSL isn't the way to go, we first need to understand what SSL actually is:

SSL (the Secure Sockets Layer) and its precursor TLS (Transport Layer Security) are security protocols used across networks around the world, including the world wide web. They are both cryptographic protocols used to encrypt communication over a public (or indeed private) network.

An SSL certificate is only as strong as the cryptographic ciphers it is using. As time moves on, more and more sophisticated ciphers are being used, mainly because older ciphers are falling and failing due to massively increasing computing power. A cipher in its plainest form is a mathematical formula designed to encrypt and then decrypt.

As I say, SSL is designed to encrypt communications over a network. That is to say, the data sent between two machines is encrypted, with only the two end machines being able to "unlock" the cipher to view the 'message'. In this case that means between your browser (say Google Chrome) and a web server (the website). It starts with a handshake in which the two sides agree the cipher: the older your computer or the web server, or the more badly set up the web server, the less secure a cipher you are likely to use.

Here is where Free SSL falls down, and where Patricio is wrong.

SSL for SSL's sake is nonsense; it will simply lull every user into a false sense of security.

Yes, your data is encrypted in transit between your machine and the website, but that does not mean that your data is secure (and this is regardless of the cipher being used). Your data is not encrypted at rest unless the website and server are set up to do so.

Think of it like the photo at the top of the page: SSL is the wire fence between two gardens. To get something through, you cut it into chunks and pass it through, then rebuild it like for like. Great, you've moved some data / an item, but it's not encrypted once rebuilt.

SSL can disguise the fact that a website is set up badly, that it's coded in a way that would allow hackers to leave malicious code, or that they don't have any security protocols to encrypt your data on their server. This means that SSL will have encrypted your data on its way to the server, but once it is there anyone could read it - so what use is that?

For example, if an online shop asks to store your bank card details but is badly set up, then those details may just be a block of text in the database, ready to be pulled out and used again on the site without decryption - or, more worryingly, if the site is hacked, that non-encrypted data could be used by hackers to clear your bank account.
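To make the difference concrete, here is an added example (not part of the original post) in Node.js: the same card number stored as plain text and stored with field-level AES-256-GCM encryption, then compared in a dump of the table. The table layout, the names sealField/openField and the in-process key are assumptions for illustration; a real key would live outside the database.

```javascript
const crypto = require('node:crypto');

// Assumption: the key comes from a secrets manager or KMS, never from the
// database it protects. Generated here only so the example runs offline.
const FIELD_KEY = crypto.randomBytes(32);

// Encrypt one field with AES-256-GCM. `context` (e.g. the row id) is bound in
// as associated data so a ciphertext cannot be moved to another row.
function sealField(plaintext, context, key = FIELD_KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Reverse of sealField; throws if the key, context or ciphertext is wrong.
function openField(sealed, context, key = FIELD_KEY) {
  const raw = Buffer.from(sealed, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(raw.subarray(12, 28)); // 16-byte GCM tag
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed sample data: a well-known test card number, not a real account.
const CARD = '4111111111111111';
const plainTable = [{ id: 'cust-1', card: CARD }];
const sealedTable = [{ id: 'cust-1', card: sealField(CARD, 'cust-1') }];

// What anyone holding a copy of the table sees (after a breach, or in a backup).
function dumpLeaksCard(table) {
  return JSON.stringify(table).includes(CARD);
}

// True only if the field decrypts and authenticates with this key and context.
function canOpen(sealed, context, key) {
  try { openField(sealed, context, key); return true; } catch { return false; }
}

console.log('plaintext table leaks card:', dumpLeaksCard(plainTable));
console.log('sealed table leaks card:   ', dumpLeaksCard(sealedTable));
console.log('app with key reads card:   ', openField(sealedTable[0].card, 'cust-1'));
console.log('wrong key opens field:     ', canOpen(sealedTable[0].card, 'cust-1', crypto.randomBytes(32)));
```

SSL plays no part in any of this: both tables would have received the card number over the same encrypted connection, and only the second one keeps it unreadable once it has arrived.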

Think about everything in the news recently about how even bigger sites get hacked: these all have SSL installed, but it doesn't stop your data being lost and used. If the data is sensitive it should be encrypted at rest, not just in transit (which only protects against eavesdropping).

Patricio's article at its heart is about telling every website owner that they should use a free SSL certificate (in this case from the forthcoming Let's Encrypt), and says that this is a good "first step" in promoting data security. This too is incorrect.

Regardless of whether the SSL is free or not (I don't really care about the price), SSL for all sites is NOT a good first step.

A good first step would be for developers to have an understanding of network security from the ground up - understanding how handshakes work, how to secure data at rest (and not just in transit), how to build security into a website (even if it's just to stop form code injection hacks) and much more.

A good first step would be for universities or colleges teaching students how to code ANYTHING (from software to a website) to teach them to code for security, implementing multiple types of security measure and not relying on a single one (i.e. removing the idea of "it's behind a login so it must be ok").

Another good first step would be to truly educate the users of the web that SSL alone should never make you trust a website. If a website looks badly put together, it probably is, and your data will be at risk. (And this is a message directly to Barclays Bank, whose TV advert says "just look for the green lock and the site is secure". No it isn't!)

There is much more to security online than just having an SSL certificate installed. Anyone can do it - but on its own SSL doesn't protect you or your users one little bit from your site being hacked and that data being lost and usable.

My Views About Free SSL

Let's Encrypt / free SSL in this manner feels good, but let's be honest: we've seen it before and we will again, SSL can be spoofed. SSL can be manipulated, you can become a CA of sorts, and false CAs have even been found in Microsoft's chain. We've seen SSL CAs dumped from the trusted list because this became common and the SSL certificates they gave out were useless.

Now whilst I doubt this will happen with Let's Encrypt, I do feel that free SSL certificates will simply devalue them and the security they are in theory meant to bring - or rather that users are taught they will bring.

The reality is that unless Let's Encrypt is also about educating users and developers that SSL isn't everything, then what's the point?

SSL on its own, for SSL's own sake, is worthless.

If you'd like to read more about how SSL works and why SSL on its own isn't worth much, here are some great resources: