SSL Security Issues on Websites and Online Stores

SSL Security Issues on Websites and Online Stores

When communication between parties takes place over the internet, there is always risks. If a customer is sending payment instructions to your store using your online facility, the last thing you ever want to happen is for an attacker to be capable of intercepting, reading, manipulating or replaying the HTTP request to the online application. The consequences can be unimaginable when an attacker is able to read your session cookie, or to manipulate the payee, product or billing address, or to simply inject new html or Javascript into the markup sent in response to a user request to the store. We will discuss SSL security issues on websites and online stores.

SSL Security Issues

Protecting series data or private data is always a serious issue and concern among many.

Application and browser users have an extremely high expectation in this regard. This places a high value on the integrity of their credit card transactions, their privacy and their identity information.

Algorithms Have Known Weaknesses

One of the primary SSL security issues is that some of the algorithms that are still supported have known weaknesses. However, it can’t be easily phased out because many end-user devices do not support newer protocols.

Also, the scrutiny facing OpenSSL following its recent security flaws is resulting in more vulnerabilities findings at a faster rate. Configuration during implementation often leaves organizations unknowingly vulnerable as well.

Misconfigurations

Misconfigurations is one of the most crucial issues. This is because fixing these is only possible if the owner of the system has the necessary knowledge to understand the issues and how to fix them without breaking their system for the users.

Issues with Certificate Authorities

Numerous Certificate Authorities

Browsers have a built-in list of trusted certificate authorities. They only trust certificates issued by these certificate authorities. If you ever visit https://example.com, you will notice that the web server at example.com would present an SSL certificate. Your browser would check to make sure the website’s SSL certificate was issued for example.com by a trusted certificate authority. If the certificate was issued for another domain or it wasn’t issued by a trusted certificate authority, you’d notice a serious warning in your browser.

On major issue is that there are so many certificate authorities, so problems with one certificate authority can affect everyone. For instance, you may get an SSL certificate for your domain. However, someone could compromise or trick another certificate authority and get a certificate for your domain, too.

If so many certificates have been issued by trusted certificate authorities without verifying that the addresses are even valid initially, it’s only natural to wonder what other mistakes they’ve made. There might have also been unauthorized certificates for other people’s websites to attackers.

Fake Certificates

There are so many certificate authorities, they’re all around the world, and any certificate authority can issue for any website. Therefore, governments could compel certificate authorities to issue them an SSL certificate for a site they want to impersonate.

There was a recent issue of this in France, where it was discovered by Google that a rogue certificate for google.com had been issued by French certificate authority ANSSI. This authority would have allowed the French government or whoever else had it to impersonate Google’s website, easily performing man-in-the-middle attacks. The certificate was only used on a private network to snoop on the network’s own users, not by the French government, according to ANSSI. Even if this were the case, it would be a violation of ANSSI’s own policies when issuing certificates.

Man-in-the-Middle Attacks and Unicode Characters

Unfortunately, man-in-the-middle attacks are still a possibility with SSL. In theory, it should be safe to connect to a public Wi-Fi network and access your bank’s site. The HTTPS connection assists with verifying that you are actually connected to your bank.

Although, in practice, it could possibly be dangerous to connect to your bank’s website on a public Wi-Fi network. There are a few off-the-shelf solutions that can have a malicious hotspot perform man-in-the-middle attacks on people who connect to it. For instance, a Wi-Fi hotspot might connect to the bank on your behalf, while sending data back and forth and sitting in the middle. This could sneakily redirect you to an http page and connect to the bank with HTTPS on your behalf.

It it also possible that it could use a “homograph-similar HTTPS address.” The address will look identical to your banks’ on the screen. However, it will actually use special Unicode characters so it’s different. Lastly, there is a type of attack known as a internationalized domain name homograph attack. If you study the Unicode character set, you’ll notice characters that look basically identical to the 26 characters in the Latin alphabet. For example, the o’s in the google.com you’re connected to might not actually o’s, but are other characters.

These are just a few SSL security issues. For more information, don’t hesitate to contact Centennial Arts with the link below!

Leave a Reply