Poor SSL set-up can kill e-commerce

Black Hat talk will show how poor SSL implementation can hurt online business

Online merchants are shooting themselves in the foot with faulty SSL deployments that trigger alarms scaring customers away before they have the chance to complete transactions.

The problem is not with SSL technology, but with factors surrounding its implementation that hurt security or the perception of security, either of which can undermine customer trust, says Ivan Ristic, director of engineering, Web application firewall and SSL services at Qualys, who will present "State of SSL on the Internet: 2010 Survey, Results and Conclusions" at the Black Hat 2010 conference later this month.

Notable among the problems is the mismatch between the domain names listed on SSL certificates and the domain names of the merchants, he says. This mismatch triggers browser popup warnings that the certificate may be invalid, and at that point potential customers may choose to bail out of transactions, Ristic says. "We are creating a sense of fear among customers that there are problems around every corner," he says. "Technically, SSL is a very good protocol. The way we use it today is not very good."

At Black Hat, Ristic will reveal the results of an extensive study he has led on the usage of SSL and its newer incarnation, Transport Layer Security (TLS), with the aim of addressing problems that appear on Internet sites. He is still crunching the numbers from his year-long survey of Web sites, but has a sense of prevalent issues. "There is some evidence that 50% of all SSL problems are due to misconfiguration and do not come from any vulnerabilities as such," he says.

In many cases, once users recognize the shortcomings of their implementations, they could fix them in an hour or so, greatly improving overall site security.

He says his talk will focus on three areas: the certificates; which version of SSL is used; and configuration weaknesses in the type of Web server, cipher suites and protocol support, among others. The survey looks for sites using known insecure versions of SSL that should have been replaced and other bad practices that undermine security, he says.

[Figure: pie chart showing how sites aren't ready for SSL]

The goal of research by SSL Labs is to find best practices among real SSL sites in use today. So far, the study has tried to find as many SSL servers as it can on the Internet, and Ristic decided to do so by connecting to as many of the 193 million registered domain names as possible. He readily got all the .com, .net, .org, .biz, .us and .info names, which gave him the 119 million he started with.

Then he weeded out the ones that looked unpromising -- those that failed to resolve (12.4 million) and those that failed to respond (14.6 million). Of the remaining 91.65 million, only 33.69 million opened port 443, which is designated for SSL. Of those, 22.65 million were actually running SSL through the port.

According to SSL Labs' criteria, certificates with domain names that don't match the sites' domain names should be considered invalid, ruling out another 21.93 million. That left just 719,093 SSL sites worth considering further to find out how to do SSL right, he says.

The expense of setting up SSL sites through Web hosts may also be a factor in bad implementations, Ristic says. Businesses that want to process customer transactions online need SSL, and if they want to use their own SSL certificates that feature their domain names, they also need unique IP addresses. There are hosting services that share SSL certificates among customers, but these will run into the problem of the certificate domain name not matching the business domain name.
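
The name-matching criterion described above, and the shared-certificate mismatch it catches, can be sketched as follows. This is an added example, not SSL Labs' survey code: the certificate dictionaries are constructed samples in the shape Python's ssl.SSLSocket.getpeercert() returns, the host names are placeholders, and the wildcard rule is a simplification that ignores IP addresses, internationalized names and the public-suffix list.

```python
# Added example: does a certificate's name cover the site's domain name?
# Certificates are dicts shaped like ssl.SSLSocket.getpeercert() output.

def cert_dns_names(cert):
    """DNS names from subjectAltName; fall back to commonName only if none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Simplification: require two fixed labels so '*.com' is rejected.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    return any(name_matches(n, host) for n in cert_dns_names(cert))

# Constructed sample certificates (placeholders, not survey data).
SHARED_HOST_CERT = {  # one certificate a hosting service reuses for customers
    "subject": ((("commonName", "secure.hosting-provider.example"),),),
    "subjectAltName": (("DNS", "secure.hosting-provider.example"),),
}
MERCHANT_CERT = {     # the merchant's own certificate
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

def audit(sites):
    """Return (host, matched) per site; False means a browser would warn."""
    return [(host, cert_matches_host(cert, host)) for host, cert in sites]

if __name__ == "__main__":
    for host, ok in audit([("shop.example", MERCHANT_CERT),
                           ("www.shop.example", MERCHANT_CERT),
                           ("shop.example", SHARED_HOST_CERT)]):
        print(f"{host}: {'match' if ok else 'MISMATCH'}")
```
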

Hosting SSL servers on virtual machines as part of hosting providers' services is needed to drop the cost of properly carried-out sites, Ristic says. That is a work in progress, he says.

Improved online sales also depend on performance of SSL sites, and that performance will be the subject of later reports by SSL Labs, he says.
