October 11, 2011, 10:24 AM

SSL/TLS, the protocol that protects the security of e-commerce, has taken a beating lately, with news items ranging from the compromise of certificate authorities to the discovery of an exploit that beats the protocol itself.
With all the noise about SSL/TLS it's easy to think that something is irreparably damaged and perhaps it's time to look for something else.
But despite the exploit -- Browser Exploit Against SSL/TLS (BEAST) -- and the failures of certificate authorities such as Comodo and DigiNotar that are supposed to authenticate users, the protocol has a lot of life left in it if it is properly upgraded as that becomes necessary, says Taher Elgamal, CTO of Axway and one of the creators of SSL.
The problem lies not in SSL/TLS itself but in the trust framework built around it, and in the problems that framework causes when it comes time to patch the protocol to fix vulnerabilities. Network World Senior Editor Tim Greene spoke recently about these issues with Elgamal. Here is an edited transcript of that conversation.
The flaw exploited by BEAST has been around since 2004. What's up with that?
The problem is complex. It started with, yeah there is a weakness in the security protocol and we ought to recognize that and we have to go update it and fix it. That was before the whole BEAST thing -- the practical attack, so to speak.
All the different browsers in the world are using TLS, which is known to have that weakness. It's important to understand what that attack really is.
The way the BEAST thing's deployed is you have to have a piece of malware on the browser that can inject certain things to force the browser to produce cookies so that these cookies are passed into the channel. Then they have to have a man-in-the-middle point that allows them to actually get the encrypted data. So you have what is called a chosen plaintext attack -- you choose the plaintext and you read the ciphertext and you try to match these up and find out what the keys are. It's very, very clever. There's no question about it.
Now, from a practical standpoint, the real problem is you have to have malware on the machine. Honestly, if I can put malware on your machine, I'm not going to be bothering with your SSL because I can see all the data before it gets encrypted.
It became very public because there are some 2 billion browsers and all of them use SSL for one thing or another and all e-commerce uses it and we should be careful. But obviously if you have a protocol that does not have any security problems -- that does not exist.