Sunday, 27 November 2011

To SSL or not to SSL

Update: November 29th, 2011. I have just noticed that Troy Hunt has posted an excellent article on SSL/TLS.

I started a poll on LinkedIn. The question:
  • "Should web applications which process Personally Identifiable Information (PII) be legally required to use SSL/TLS?"
with a simple Yes or No answer. There is a link to the LinkedIn poll at the bottom of this blog. However, I suggest you read through the following thoughts before answering.

The question could have been:
  • "Should web applications which process Personally Identifiable Information (PII) use SSL/TLS?"
But that would have been easy. Most people would probably vote yes because SSL is A GOOD THING. The addition of the "be legally required to" clause makes it more interesting.

What prompted this soul searching? I was recently looking through a UK-based web site. The privacy policy states:
  • "We take your individual privacy very seriously. We aim to ensure that this website meets and exceeds all relevant legal and regulatory requirements, including the Data Protection Act."
Great - until you see that they don't use SSL to protect account information. This includes name, address, phone number etc. In fact, you could argue that this website processes sensitive personal data under the Information Commissioner's Office (ICO) definition. According to the ICO, sensitive personal data "needs to be treated with greater care than other personal data". But no SSL on said website.

Is SSL Already an EU Legal Requirement?
Does the Data Protection Act require SSL? The UK version of the Act is a bit vague. Principle 7 states you "should have security that is appropriate to:
  • the nature of the information in question; and
  • the harm that might result from its improper use, or from its accidental loss or destruction."
Then the question becomes: "is SSL appropriate?" The website operator can argue that they considered using SSL, but concluded that it wasn't appropriate. The Irish Data Protection Commissioner goes a bit further in their security guidance, stating that encryption:
  • "is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network."
So no clear answer.

Why Don't Website Operators Use SSL?
Maybe it's because:
  • they genuinely don't even think about it, although the little "https" lock in the browser is a fairly well known security measure. This is an InfoSec problem where awareness needs to be raised.
  • it is easy to say something like "We take your individual privacy very seriously" but then do nothing about it. That's lip service.
  • "Facebook don't use it - so why should we?" FB seems to be changing.
  • it's too difficult to configure. It probably takes a while, but it isn't that difficult.
  • it's too expensive. Google "SSL Certificate" and you can get a GoDaddy cert for €9.99.
  • it kills performance. According to Google, "SSL/TLS is not computationally expensive any more."
  • SSL is broken and has been more or less every year since 1995.
  • users will keep getting security warnings as content switches between secure and non-secure.
  • apart from Firesheep-like utilities, where is the evidence that the lack of SSL has really been exploited all that much?
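Two of the items above, the account forms left unprotected and the warnings caused by content switching between secure and non-secure, can be checked for mechanically. The audit script below is an added example, not code from the original post; the host names and HTML snippets it runs on are constructed.

```python
"""Added example (not from the original post): flag forms that submit personal data
over plain HTTP, and mixed content that makes browsers warn on an HTTPS page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these run code in the page ("active" mixed content), so browsers
# block them or warn loudly; the passive kinds only produce a warning.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class TransportAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_https = urlsplit(page_url).scheme == "https"
        self.findings = []  # (severity, description)

    def _scheme_of(self, ref):  # resolves relative and protocol-relative refs
        return urlsplit(urljoin(self.page_url, ref or "")).scheme

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or self.page_url
            if self._scheme_of(action) != "https":
                self.findings.append(("high", f"form submits over plain HTTP: {action}"))
            elif not self.page_https:  # HTTPS target, but the page itself was tamperable
                self.findings.append(("medium", "HTTPS form delivered on an HTTP page"))
            return
        if not self.page_https:
            return  # mixed content only arises once the page itself is HTTPS
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheets are fetched as subresources
        for table, severity in ((ACTIVE, "high"), (PASSIVE, "low")):
            attr = table.get(tag)
            if attr and self._scheme_of(a.get(attr)) == "http":
                self.findings.append((severity, f"mixed content <{tag} {attr}={a.get(attr)}>"))

def audit(page_url, html):
    parser = TransportAudit(page_url)
    parser.feed(html)
    return parser.findings  # list of (severity, description)

# Constructed samples: an account form served over HTTP (the post's case), and the
# same page over HTTPS pulling a script and an image over HTTP.
HTTP_ACCOUNT = '<form action="/account/update" method="post"><input name="phone"></form>'
HTTPS_MIXED = ('<link rel="stylesheet" href="//static.example.test/s.css">'
               '<script src="http://cdn.example.test/app.js"></script>'
               '<img src="http://example.test/logo.png">')
```

Run `audit("http://example.test/account", HTTP_ACCOUNT)` to see the high finding for the HTTP form, and `audit("https://example.test/account", HTTPS_MIXED)` to see the script flagged as high and the image as low while the protocol-relative stylesheet passes.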
Reasons To Use SSL
SSL:
  • does raise the infamous "security bar"
  • is not too difficult to implement 
  • comes in at number 9 in the OWASP Top 10
  • is required by PCI DSS  
  • gives you a nice warm feeling inside
Conclusion
But back to the original question. "Should SSL be legally required when processing PII?" The problem with this approach is that a requirement like this is very difficult to enforce. I think it would be much better to try to persuade developers and website operators to implement SSL rather than to use the crude hammer of legislation. So I think I will vote NO.

Here is the link to the Poll itself if you want to cast your vote:

5 comments:

  1. "it kills performance."
    -> A lot of people need more information on this, they either don't believe it or try reading Google's paper and give up due to a missing "enable fast SSL" button in the UI.

    "SSL is broken"
    -> Surprisingly, what I heard some weeks ago when I was advocating secure credentials transport. Honestly, I don't really know how to answer an IT manager who tells me very confidently that Base64-encrypted password transmission is preferred for stability and confidentiality reasons. :)

  2. I think that most people don't think about it or suspect that it is too difficult to configure.

  3. It does create extra overhead, but I don't think that's really relevant for either the CPUs or the network involved.
    The real reason why not to use it is the CA sharks out there, after your pockets, demanding thousands of USD/year just to deal with some paperwork, make a phone call for ID verification (international call expenses aren't an excuse anymore; VoIP is mainstream), update CA databases and issue a signed certificate.
    Wow, that's tons and tons of hard work (NOT!).

  4. netshark, I detect sarcasm there someplace or a certain jaded weariness!

  5. alexisfitzg, weariness not at all; a mix of sarcasm and true deception in the so-called "user experience", as I had to deal with some of the CA sharks in the past.
