SSL is about assurance

Bruce Morton

Troy Hunt, in his article “SSL is not about encryption,” says that SSL is about assurance and “establishing a degree of trust in a site’s legitimacy.” I have mixed feelings about the title, but agree with the points that Hunt makes. Here are some highlights:

  • Users assume that high-profile sites (e.g., Facebook, Twitter, Dropbox) provide assurance even though they do not provide positive feedback of assurance. That is, although they use SSL, they do not present their logon pages over HTTPS and, as such, no positive security indicators are provided to the end-user.
  • Some sites provide implicit assurance by placing an indicator in the Web page itself (e.g., the ubiquitous padlock icon meant to show that the site is secure). Such an indicator proves nothing, can be misleading, and creates a false sense of security.
  • Every major browser has the ability to proactively advise the end-user of the validity and authenticity of the site by providing positive explicit assurance.
  • Due to man-in-the-middle attacks, not loading the logon form over HTTPS gives zero assurance of the authenticity of the site before submitting your credentials. This is further backed up by the OWASP SSL Best Practices.
  • My favorite, “SSL is the only outwardly facing assurance that we have. It’s the one thing that’s ubiquitously used to create confidence in the integrity of the data and assurance of the site we’re transacting with.”
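
A small audit script for the two points above (the logon form must be loaded over HTTPS, and must submit credentials over HTTPS), added here as an example and not part of Hunt's article or this post. The HTML and hostnames are constructed sample input; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []          # (action, has_password) per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_logon_page(page_url, html):
    """Return findings; an empty list means the page offers positive assurance."""
    findings = []
    if urlparse(page_url).scheme != "https":
        # The form arrived unauthenticated, so a man-in-the-middle could have rewritten it.
        findings.append("logon page not loaded over HTTPS")
    parser = _FormCollector()
    parser.feed(html)
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # relative actions inherit the page's scheme
        scheme = urlparse(target).scheme
        if scheme != "https":
            findings.append(f"password form submits over {scheme}: {target}")
    return findings


# Constructed sample: an HTTP-loaded page whose form posts to HTTPS, the pattern
# the bullets above describe. The page load itself still fails the check.
SAMPLE_HTML = ('<form action="https://login.example.test/session" method="post">'
               '<input type="text" name="user"><input type="password" name="pass"></form>')

if __name__ == "__main__":
    print(audit_logon_page("http://www.example.test/login", SAMPLE_HTML))
```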

The bottom line: if you are going to get the most out of SSL, then it needs to be deployed properly. If you are a website operator, consider following the recommendations of OWASP, SSL Labs and EFF.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
