2

I know that there have been broken or weak SSL implementations. Do browsers actually have decent standards for what they'll accept and display "the padlock"?

Furthermore, are there any practical attacks from an eavesdropper perspective against a fully modern SSL connection?

Should the padlock make me feel warm and fuzzy?

Cory J
  • 370
  • 1
  • 2
  • 8
  • [See also this related question for mobile devices](http://security.stackexchange.com/q/12555/396) – makerofthings7 Mar 14 '13 at 16:27
  • 3
    See this [fantastic answer regarding desktop browsers](http://security.stackexchange.com/a/9381/396) – makerofthings7 Mar 14 '13 at 16:28
  • 1
    possible duplicate of [Are address bars unphishable?](http://security.stackexchange.com/questions/9336/are-address-bars-unphishable) –  Mar 14 '13 at 16:36

5 Answers5

7

Browsers use the padlock to show that they use SSL. If:

  • your browser is recent enough;
  • you did not play with the security settings;
  • the browser did not display a Scary Warning (not always red, but definitely scary);
  • nobody installed on the machine some funky software (including software from your specific organization, which could install a custom trusted certification authority);

Then yes, the padlock gives reasonable assurance that you are really talking with the server you expect (not really the one you think of, rather the one with the name in the URL) and nobody spying on the line may see what you are exchanging with the server. The assurances are up to the competence of the 80+ certificate authorities which your browser or operating system trusts by default. Strangely enough, big mishaps on the CA side seem to occur only rarely, about once per year on average (in the whole world !).

Of course, if your browser is not recent then it has serious vulnerabilities and your machine is as good as hacked. If you played with security settings then you may have enabled cipher suites with little or no security. If your browser displayed a big warning and you ignored it, then you are on your own. If hostile software is running on your machine then it no longer is your machine.

And SSL only protects the transport medium. The server on the other side is free to goof up in arbitrary ways. When credit card numbers are stolen, they are not eavesdropped on the line; they are plundered directly from the server's database. The padlock says nothing about robust and secured the server is.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • "nobody spying on the line may see what you are exchanging with the server" is not exactly true. If someone is watching the traffic, they can still see what is being transferred, but it is encrypted, if things are working as they should. So, if they were to have a method to decrypt it, then they could see what you were exchanging. – Gary S. Weaver Mar 14 '13 at 21:12
3

No, the padlock should not make you feel warm and fuzzy, all it means is that the browser has connected to a destination with SSL. This is a good thing in general, however it should not lull you into thinking that your data is completely secure because:

  • There could be a Man in the Middle. This could simply be a corporate proxy terminating all SSL connections, or it could be an attack of some sort.
  • The browser doesn't know the level of encryption that is being used. A browser uses the OS's stack to open an SSL connection, so if the OS supports weak encryption like 3des or RC4, and the OS negotiates that between itself and the server then all the traffic could be decrypted much easier than if strong encryption like AES was used

It's certainly better than no encryption, but seeing the padlock is not a guarantee.

GdD
  • 17,321
  • 2
  • 41
  • 63
  • Which OSs support which algorithms then? Is MITM eavesdropping practical on a "good" SSL connection? – Cory J Mar 14 '13 at 16:36
  • TLS has more protection from MITM attacks, but is still vulnerable. Different OSes support different algorithms, you'd have to look into your specific OS. – GdD Mar 14 '13 at 16:58
2

So what does the lock really mean? The average user is not educated on this topic, and to to this user it just makes them feel safe. But, really any picture of a lock makes people feel safe, even a favicon of an ssl/tls lock was enough to fool most users.

To the browser, the TLS connection that the lock represents is a useful tool to prevent attacks like Firesheep and comply with OWASP a9. (And YES, StackOverflow and the StackExchanges are vulnerable). However, this protection doesn't scale very well. There are a very large number of CAs that can produce a valid certificate. If you adversary falls into the realm of state-sponsored attacks, then a public CA's signature doesn't guarantee anything. (There are a lot of examples of governments abusing the PKI.)

SSL/TLS is still a very useful protocol, its just the PKI that is broken. Certificate Pinning is a good solution to the PKI's shortcomings. An application can still rely upon the secrecy, and integrate of SSL/TLS while relying upon a non-CA system for Authenticity.

Obligatory: Moxie Marlinspike and the future of authenticity.

rook
  • 47,004
  • 10
  • 94
  • 182
1

This is really a complex question that requires a fairly comprehensive understanding of how SSL works. First, at the browser level, in some cases, there is a way to make a lock appear as a site icon rather than an actual SSL indicator.

Then, SSL doesn't actually indicate that you are talking to who you want to, but rather just that the URL the browser is going to matches up with the certificate that is presented by the host and that the certificate was signed by a CA that appears in your browser's trusted Certificate Authorities (which is a locally maintained list).

In order to be sure that things are secure, you should look at the certificate details to ensure they are valid and for the site you intended to go to. This can normally be done by clicking or hovering over the lock icon. You also should be aware that if your computer is compromised with a virus, it may be possible for an invalid CA to be added to the local store which could result in a false site being indicated as valid under the bogus CA.

As far as the actual communication goes, SSL will ensure that the communication can't be eavesdropped on, but the lock is not a strong indicator that you are talking to the correct party without doing some additional digging and being vigilant to ensure that your computer is in good working order and not infected with malware locally.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
0

The padlock image can be a faked, I wouldn't look to that for any sort of assurance.

If the URL itself is using the protocol HTTPS, then you at least know that your data is being encrypted over transit in some matter of SSL or TLS. As @GdD pointed out, SSL/TLS have some inherent weaknesses, which can be exploited. Furthermore, we are seeing an increase in attacks and exploits that are being released against SSL/TLS (see this ArsTechnica article I just read this morning).

Your original question was seeking "...indicate a reasonable assurance against eavesdropping?". As stated, with the padlock image itself, my answer is "no". However, over HTTPS, my answer is "yes" as long as you remember the key word in your question of "reasonable", not "absolute".

Awhitehatter
  • 361
  • 1
  • 4