SSL – Privacy, Integrity, Authenticity
I was recently reminded by a couple of security researchers that SSL provides privacy, integrity and authenticity. This isn’t something they just thought of. This is documented from the beginning of SSL deployment and referred to in an April 1995 IETF meeting.
These characteristics are as follows:
Privacy – Data is encrypted for an intended recipient.
Integrity – Provisions in the protocol do not allow the contents to be intentionally or unintentionally modified.
Authenticity – Digital certificates are used to provide a verified identity. The certificates are signed by a trusted third party (TTP). The TTP is a certification authority (CA). The CA signs the certificate attesting proof the identity has been validated. The browser verifies the identity assertion from the CA. Authenticity is provided for the server and can be provided for the client.
For me, the bottom line is SSL delivers trust.
The trust of SSL is always increasing. This is accomplished by browser manufacturers, CAs, security researchers and large certificate subscribers working together to determine issues and implementing solutions. Here are some items being addressed:
- CAs can provide trust to all domains. More than one CA can provide trust to the same domain. There is no registry or control, and some CAs may issue to a domain when they are unauthorized. There are two mechanisms being put into place to help control the issue. Certificate Authority Authentication (CAA) will be used to allow a CA to determine whether or not they have authorization to issue for a domain. Certificate Transparency (CT) will be implemented to allow website operators to see if an unauthorized certificate has been issued to one of their domains and to provide a trust dialogue to users when a certificate has been mis-issued.
- In the past, certificate management and issuance standards have not been defined. CAs have performed different functions and methods to provide a certificate at the same level of security. The CA/Browser Forum has developed a standard for EV certificates and minimum baseline requirements for all publicly-trusted SSL certificates. These standards provide a level at which all CAs can base their procedures.
- Browsers provide security functions differently. Users do not get the same look and feel for security in each browser. Hopefully, the IETF Web PKI working group will document the problems, then steps can be taken to resolve them.
- Certificate subscribers make many deployment mistakes, which reduces the security that the SSL can bring. Website operators can check their sites to see how they hold up to deployment standards as described by Qualys SSL Labs. They can also review the most popular SSL deployment mistakes and take action.