Troy Hunt, in his article “SSL is not about encryption,” says that SSL is about assurance and “establishing a degree of trust in a site’s legitimacy.” I have mixed feelings about the title, but agree with the points that Hunt makes. Here are some highlights:
- Users assume that high-profile sites (e.g., Facebook, Twitter, Dropbox) are trustworthy even though those sites give no positive feedback of assurance. That is, although they use SSL, they do not present their logon pages over HTTPS, so the browser shows the end-user no positive security indicators.
- Some sites provide implicit assurance through an indication inside the Web page itself (e.g., the ubiquitous padlock icon meant to say the site is secure). Such an icon proves nothing, because anyone can put it on a page; it can be misleading and creates a false sense of security.
- Every major browser has the ability to proactively advise the end-user of the validity and authenticity of the site by providing positive explicit assurance.
- Because of man-in-the-middle attacks, a logon form that is not loaded over HTTPS gives zero assurance of the site's authenticity before you submit your credentials, even if the form itself posts to an HTTPS URL. This is further backed up by the OWASP SSL Best Practices.
- My favorite, “SSL is the only outwardly facing assurance that we have. It’s the one thing that’s ubiquitously used to create confidence in the integrity of the data and assurance of the site we’re transacting with.”