Thales Blog

SSL - Moving Forward

October 28, 2011

It's good news that Google have announced their continued expansion of the use of SSL, which means that certain Google searches (and their results) will be encrypted. There has already been pressure to turn on encryption at corporate and domestic WiFi hotspots to prevent theft of passwords and other information by sniffers on the local hotspot, but it must be remembered that this only protects the communication between the user's computer or phone and the WiFi access point.

Traffic flowing on the wired network across the various hops and interconnection points that make up the internet to reach websites such as Google is typically unencrypted. The solution is for website operators to deploy technologies like SSL to provide end-to-end encryption from the consumer all the way back to their site. It's good to see that https (i.e. http over SSL) is now gradually replacing http, even for free services like Google search.

However, despite the onward march of encryption, SSL has recently suffered from some bad press. Recent examples include high-profile breaches at public certificate authorities (the bodies responsible for issuing the digital certificates, or identities, that enable our browsers to verify the authenticity of the sites we visit) and concerns over the security of older versions of the SSL protocol itself. Any casual reader who browses the technology headlines must be confused: when they see the familiar padlock in the corner of the browser, can they trust it or not?

What can the industry do to help? Two immediate things:

  1. At least make it easy to keep everything up to date: The browser itself is our first line of defence. Browser and application vendors should streamline and automate the process of pushing browser updates to clients. It shouldn't be necessary to perform a firmware upgrade or download megabytes of software just to update the trusted certificate store on a workstation, tablet or phone. The 'app revolution' shows us that updates don't have to be painful.
  2. Enable online trust to be a true differentiator: Security isn't a binary choice between "secure" and "vulnerable", and simply using the SSL protocol is not sufficient to guarantee security. Users need the ability to differentiate between "very secure" and "probably secure"; after all, the security you would like for a Google search is probably not the same as that you would need for online banking. The concept of Extended Validation (EV) certificates has started us down this path, but now these schemes need to be extended to offer broader guarantees of website security. Over time, browsers can use this information to show users the actual level of security being provided, end-to-end, offering a strong incentive for organisations such as banks, retailers and service providers to deploy the strongest defences for their websites and to be recognised by their customers for doing so.