Exposing The SSL Encryption

~ Prateek Joshi

In my previous blog post, I couldn’t discuss much about SSL encryption. I didn’t want to deviate from the main topic. So here, I discuss about the loopholes in the protocol. I have tried to simplify it as much as possible. SSL stands for Secure Sockets Layer and it is a protocol for secure communication over the internet. It just provides enough security to keep attacks at bay, but if someone reeeeally wants to get in, SSL will not be able to stop the attack. Here’s why:  

Authentication: SSL only provides one-way authentication and web services require bi-directional. It means that on the web, provider needs to know who is requesting the service and the requesters need to confirm that the providers are who they say they are. Malicious websites can use this loophole to target innocent users or the hackers can use this to hack into websites.

Authorization: SSL cannot authorize users. With SSL alone, the web service doesn’t know on whose behalf the SOAP request is being generated (SOAP is a protocol for exchanging structured information on computer networks).

Encryption: SSL encrypts the data stream but may leave unencrypted data exposed. This data can be accessed by hackers and used to their advantage.

Integrity: SSL doesn’t provide digital signatures to detect changes in encrypted data. If a hacker tries to intrude and change the encrypted data, SSL will not be able to detect it.

Auditability: SSL doesn’t provide end-to-end audit trail required by web services for dispute resolution. Let’s say that the user and the server engage in a transaction exchanging information. Later, if a dispute arises over the contents of that transaction, neither party can demonstrate which version of the transaction is correct. SSL doesn’t provide any logging or time stamp to avoid such a situation.

Content Filtering: SSL cannot look inside the contents of a message to enforce the policies and rules. A good hacker can cleverly modify the contents to his own advantage.

The tricky part is to hack the system without getting caught. If a thief enters a house and gets caught, there’s no real advantage there. Even though the lock was not that safe, the backup was safe enough to catch the thief. So here, the hacker has to be sneaky enough to infiltrate the system without allowing the server to detect any intrusions.

 

 

 

 

 

————————————————————————————————-

Published by Prateek Joshi

Founder of Plutoshift. Author of 13 books on Machine Learning. Featured on Forbes, NBC, Bloomberg, CNBC, TechCrunch, Silicon Valley Business Journal, and more. Speaker at conferences such as TEDx, Global Big Data Conference, Machine Learning Developers Conference, and Sensors Expo. You can learn more about me here: www.prateekj.com

2 thoughts on “Exposing The SSL Encryption

  1. Pingback: Hack Me Once, Shame On You. Hack Me Twice, Shame On Me. | Perpetual Enigma
  2. Pingback: Operation Aurora | Perpetual Enigma

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s