Secure Sockets Layer in the Crosshairs of Hackers
Every web security system used by e-commerce companies will be tested by hackers. These days SSL certificates are the basis of web security. But as we know, burglars have adapted to pick locks ever since locks were invented, and since the advent of alarm systems, burglars have adapted to silence them. There is no security system that malicious parties will not try to overcome. How secure is SSL, then?
SSL protection depends on how certificates are selected and managed. Not all certificate authorities are equal, and e-commerce companies should turn to the authorities that actively examine and review the successful attacks against SSL. Hackers can take advantage of any weak point between the server side and the end user, and they may find a way in even when SSL is providing security. SSL vendors that provide server-side solutions, applying SSL and supplying patches and constant-time computation, can help with security. Security depends on addressing the vulnerability areas.
Vulnerability Areas
Certificate Authorities – There are over 600 certificate authorities that users are expected to trust, and all a hacker has to do is find one they can break into; that alone can compromise the whole system.
Routers Close to Certificate Authorities – Compromising a router close to a CA will allow an attacker to read outgoing emails, change incoming Domain Name System packets and undermine the validation of a domain.
Compromised DNS Server – Compromising a DNS server that a certificate authority uses lets an attacker forge an entry for the victim domain.
Network Protocols – Attacks on network protocols such as TCP or BGP can give access to emails sent to the victim domain.
Malicious Certification – A party may request that a CA grant a domain certificate. (In light of recent events, a government might order one to serve a particular purpose.)
At the USENIX Security Symposium, Certificate Revocation Lists were examined along with the reasons given for revoking those certificates. One of the reasons for revoking a certificate is “Certificate Authority Compromised.” In 248 instances in 2011, certificate authorities cited this as the reason the certificate was revoked. These statements came from 14 separate certificate authorities.
An event like this means that protection for every HTTPS website may have been broken. SSL and certificate authorities need to be reviewed, but it is the CAs working to fix these flaws that should be sought out.
Successful / Potential Attacks
BEAST (Browser Exploit Against SSL/TLS) – BEAST targets vulnerabilities in versions of TLS 1.0 or above. Versions 1.1 or higher are unavailable on many browsers, so insecure versions remain in use on PayPal, Gmail and other websites, which allows hackers to eavesdrop. To decrypt cookies and gain access to user accounts, BEAST uses a piece of JavaScript and a network sniffer.
Lucky13 (Possible Attack Vector) – HTTP Strict Transport Security (HSTS) is a standard that helps browsers connect to a website over HTTPS. Despite this, a user can connect and log in to HTTPS pages without the protections it offers. A tool called SSLstrip can trick web browsers and users into believing they are on SSL- or HTTPS-secured pages when they are not. One of the vulnerabilities this exploits is weak cipher block chaining.
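An added example, not part of the original article: a sketch of how a browser following RFC 6797 decides whether to store an HSTS policy, which shows why a first visit over plain HTTP stays exposed to an SSLstrip-style downgrade. The function name `hsts_policy`, the 180-day threshold `MIN_MAX_AGE` and the sample headers are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # assumed audit threshold (180 days), not from the article


def hsts_policy(scheme, header_values):
    """Model how an RFC 6797 browser treats Strict-Transport-Security.

    scheme: "http" or "https" for the response that carried the header.
    header_values: raw header field values, in the order received.
    Returns (policy, findings); policy is None when nothing is stored.
    """
    findings = []
    if scheme != "https":
        # Browsers ignore HSTS on plain HTTP, the hop a downgrade proxy
        # controls, so the very first visit is not protected by it.
        return None, ["ignored: header sent over plain HTTP"]
    if not header_values:
        return None, ["missing: no Strict-Transport-Security header"]
    if len(header_values) > 1:
        findings.append("only the first header field is processed")
    directives = {}
    for part in header_values[0].split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None, findings + ["invalid: duplicate directive " + name]
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None, findings + ["invalid: max-age missing or not a number"]
    policy = {"max_age": int(max_age),
              "include_subdomains": "includesubdomains" in directives}
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("short max-age: protection lapses quickly")
    if not policy["include_subdomains"]:
        findings.append("subdomains can still be reached over HTTP")
    return policy, findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    for scheme, values in [("http", ["max-age=31536000"]),
                           ("https", ["max-age=300"]),
                           ("https", ["max-age=31536000; includeSubDomains"])]:
        print(scheme, values, "->", hsts_policy(scheme, values))
```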
The Introduction of SSL Certificates
SSL certificates will continue to be the cornerstone of web security, but these new and evolving threats must be addressed with vigilance in order to move forward.
Certificate authorities must carry out the ambitious research and innovation that are depended on to protect the e-commerce environment in which society has become increasingly involved. It’s no surprise that SSL will be under close scrutiny from hackers trying to gain an advantage in every way they can, but as we see, SSL has become a powerful enough web security solution to push hackers to find other entry points to exploit.
Certificate authorities that meet their customers’ expectations and demands must maintain the integrity of the SSL certificate as a solution in light of these threats. Anyone who questions the security of SSL technology needs to look no further than the certificate authorities that first offered this product to them.