116

From the view of somebody offering a web application, when somebody connects with TLS (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over this line, or can it be that there is still eavesdropping?

This question was IT Security Question of the Week.
Read the Jul 29, 2011 blog entry for more details or submit your own Question of the Week.

SDsolar
  • 977
  • 1
  • 6
  • 25
Peter Smit
  • 2,749
  • 3
  • 23
  • 25
  • 4
    Can you clarify your threat model? There are some great answers here, but different ones are right depending on what you're worried about and the value of the data. A sufficiently motivated attacker could get at the data in nearly all cases, but it may not make sense to lose sleep over that if you're just trying to keep someone from, e.g., stealing access to an inexpensive service. – nealmcb Dec 08 '10 at 01:45
  • 1
    Also, are we assuming that there is no MitM? – Ormis Apr 19 '11 at 20:17
  • 2
    This is a very broad question, and there are already a lot of answers to parts of it on the site. Start off with the Wikipedia article and look thru the questions tagged ssl here: http://security.stackexchange.com/questions/tagged/ssl If you don't see your specific questions addressed, let us know! – nealmcb Apr 27 '11 at 18:50
  • 2
    Not if you need to follow a regulatory framework like [NIST SP800-52 Rev.1](http://csrc.nist.gov/publications/drafts/800-52-rev1/draft_sp800_52_r1.pdf) that lists specific cipher suites, or [FIPS 140-2 Annex A](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf), which lists algorithms, or standards like [ISO/IEC 18033-3:2010](http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531), also specifying algorithms. In these cases, you need to narrow down exactly which ciphersuites are allowed. See also [SSLLabs](https://www.ssllabs.com/) – Anti-weakpasswords Feb 14 '14 at 05:05

18 Answers18

96

It's important to understand what SSL does and does not do, especially since this is a very common source of misunderstanding.

  • It encrypts the channel
  • It applies integrity checking
  • It provides authentication

So, the quick answer should be: "yes, it is secure enough to transmit sensitive data". However, things are not that simple.

  • The newest versions of SSL - version 3, or better yet: TLS, even TLS 1.2, are definitely better than previous versions. E.g. SSL 2 was relatively easy to MITM (Man in the middle). So, first it depends on protocol version.
  • Both the channel encryption and the integrity checking are configurable in the protocol, i.e. you can choose which algorithms to use (cipher suite). Obviously, if you're using RSA1024/SHA512 you're much better off... However, SSL even support a mode of NULL encryption - i.e. no encryption at all, just wrapping the requests up to tunnel over SSL protocol. I.e., no protection. (This is configurable both at the client and the server, the selected cipher suite is the first matching set according to the configured order).
  • Authentication in SSL has two modes: server-authentication only, and mutual authentication (client certificates). In both cases, the security ensured by the cryptographic certificates is definitely strong enough, however the validity of the actual authentication is only as good as your validity checks: Do you even bother checking the certificate? Do you ensure its validity? Trust chain? Who issued it? Etc.
  • This last point re authentication is a lot easier in web applications, wherein the client can easily view the servers certificate, the lock icon is easily viewable, etc. With Web Services, you usually need to be more explicit in checking its validity (depending on your choice of platform). Note that this same point has tripped up so many mobile apps - even if the app developer remembered to use only TLS between the phone and the server, if the app doesn't explicitly verify the certificates then the TLS is broken.
  • While there are some mostly theoretical attacks on the cryptography of SSL, from my PoV its still plenty strong enough for almost all purposes, and will be for a long time.
  • What is actually done with the data at the other end? E.g. if its super-sensitive, or even credit card data, you dont want that in the browsers cache, or history, etc.
  • Cookies (and thus authentication) can be shared between a secure, SSL channel, and a non-secure HTTP channel - unless explicitly marked with the "secure" attribute.

So, shorter answer? Yes, SSL can be secure enough, but (as with most things) it depends how you use it. :)

AviD
  • 72,708
  • 22
  • 137
  • 218
  • 3
    Perhaps it's also worth mentioning mixed content insecurity as another point? – apsillers Sep 29 '12 at 01:39
  • Maybe the first bullet should be updated? [Wikipedia states](https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0) as of 2016-04-20: `SSL 2.0 was deprecated (prohibited) in 2011 ...` / `SSL 3.0 was deprecated in June 2015 ...` – Martin Apr 20 '16 at 20:52
23

There are a few issues here, the major one being authentication. Both ends need to be sure they are talking to the right person or institution to thwart man-in-the-middle attacks. On your end it is crucial that you use an SSL certificate which is trusted by the user's browser. By doing so the user's browser can be sure that it is really talking to the correct site. Once the connection is established you can be sure to be talking to that user all the time and the connection is encrypted, i.e. secure against eavesdropping.

Authentication in the other direction (i.e. making sure you are talking to the real user) is usually handled outside of the SSL protocol on the application level by, e.g., username/password, openID or some other form of credentials.

As a last note it should be mentioned that during the SSL connection handshake client and server agree on a Cipher suite and the client could pretend to only do "null encryption", i.e., not encrypt any of the data. If your server agrees to that option, the connection uses SSL, but data is still not encrypted. This is not an issue in practice since server implementations usually do not offer the null cipher as an option.

bstpierre
  • 4,888
  • 1
  • 21
  • 34
Tronic
  • 331
  • 1
  • 3
  • Is there any SSL/server software that allows null encryption? If not, is that note really helping? If so, what are those? – Jörn Zaefferer Nov 11 '10 at 21:59
  • 3
    @Jorn, all SSL stacks I'm familiar with support null encryption *in principle*, it depends how they're configured. – AviD Nov 11 '10 at 22:00
  • 1
    @Jorn, yes, as AviD said, it depends on the server configuration. You can configure mod_ssl in apache to use null encryption (see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite) – Tronic Nov 11 '10 at 22:05
21

In addition to what AviD lists out, SSL is only as secure as the DNS infrastructure that directed you to that server, and any corporate proxies in the communication path.

If the DNS infrastructure is hacked (cache poisoning, etc) then the attacker could subject your user to many attacks.

In addition if the client is going through software like Fiddler, or a corporate proxy, that software can easvdrop on your SSL conversation.

To mitigate this, look at the "issuer" of the SSL certificate. If the SSL connection is going through a proxy, then the issuer will be that of the proxy. If you're going through a direct connection, then you will see the relevant publicly trusted CA.

[More information]

A corporate HTTPS proxy is something that manages the connection between the web browser and the Proxy (whose IP address appears in your webserver logs). In that case the web content (HTTPS password too) is decrypted, and later re-encrypted at the corporate proxy and presented to your server.

Depending on who is managing the proxy, and how its logs are used, this may be acceptable or a bad thing from your perspective.

For more information on how SSL interception is done, see this link:

When the SSL Proxy intercepts an SSL connection, it presents an emulated server certificate to the client browser. The client browser issues a security pop-up to the end-user because the browser does not trust the issuer used by the ProxySG. This pop-up does not occur if the issuer certificate used by SSL Proxy is imported as a trusted root in the client browser's certificate store.

The ProxySG makes all configured certificates available for download via its management console. You can ask end users to download the issuer certificate through Internet Explorer or Firefox and install it as a trusted CA in their browser of choice. This eliminates the certificate popup for emulated certificates...

Some companies get around the certificate pop-up issue mentioned above by deploying the root certificates (of the Proxy) to each workstation via GPO. Although this will only affect software that uses the Microsoft Certificate store. Software such as Firefox and Chrome needs to be updated differently.

makerofthings7
  • 50,488
  • 54
  • 253
  • 542
  • 4
    The point you make about HTTPS proxy (the MITM kind) is correct, but this doesn't have much to do with DNS. If your trusted certificate store is really trusted, DNS attacks shouldn't be an issue for SSL/TLS, since if you're redirected to a fake site, it won't have a certificate issued by one of the CAs you trust (even if it pretends to have the right host name). – Bruno Jul 11 '11 at 18:51
  • @Bruno - I agree that an SSL session is secure if the local PC is secure, and *all* trusted root certs are approved. The weakest link is the weakest trusted root + whatever DNS that is being used. – makerofthings7 Jul 11 '11 at 19:55
  • 2
    if someone is able to put a MITM HTTPS proxy and control the CA certs you have, it implies they control the network on which your machine is connected. At this stage, controlling the DNS resolution is barely relevant, as they'd be able to forge the IP addresses. Certs protect you against DNS spoofing (on the condition that the CA certs are trusted). It's wrong to imply that DNS is an attack vector against SSL: someone who would be able to tamper with your SSL connection and present you with a fake cert would also be able to spoof the IP packets. DNS has nothing to do with this. – Bruno Jul 11 '11 at 22:21
  • @Bruno - Bottom line: The OP should know what the trusted certs in his store are. [Should one CA be compromised, then he is vulnerable to attack,](http://security.stackexchange.com/questions/2268/how)... or like you said perhaps his client is on a managed network. One attack vector is DNS, or a proxy of some type. Besides, I talk about more than just DNS in the above post. He asked about methods of eavesdropping, and I attempted to provide them. You are correct and perhaps I should have phrased it that way. Corporate 'spyware' like Bluecoat operates in a manner he may be interested in. – makerofthings7 Jul 12 '11 at 01:10
  • "Software such as Firefox and Chrome needs to be updated differently." Both of those software's can have certificates deployed via GPO also but the IT administration needs to make special GPO rules to make it happen, so it is not that it can't happen it just takes extra steps on the part of IT. – Scott Chamberlain Mar 26 '14 at 19:58
11

As SSL relies on Certificate-Authorities (CA), and basically any organization can become a CA, man-in-the-middle attacks with fake yet CA-signed certificates are always possible. So while SSL is still a huge improvement over not encryption at all, its security is overrated due to the broken CA system. In that regard, self-signed certificates would be just as secure as any CA-signed certificate, yet browsers mark those as suspicious.

Jörn Zaefferer
  • 507
  • 4
  • 7
  • This is now mitigated by certificate pinnning. Still a problem for first time vists, but it should help. http://security.stackexchange.com/questions/29988/what-is-certificate-pinning – 00500005 Nov 05 '15 at 15:45
10

SSL is very secure, although someone can steal someone's session cookie if you run ANY page over a unencrypted line. If you could I would make the site all-SSL. Or possibly have the cookie only send for encrypted connections and have unsecured public pages not specific to that user.

James T
  • 1,883
  • 1
  • 17
  • 26
9

There is still the possibility of a man-in-the-middle attack, which in your case would be the user connecting to a third party claiming to be your site and then forwarding the request. Of course, a savvy user should notice the lack of an SSL connection or the wrong certificate but most users are not this switched on and get duped by a padlock favicon.

This isn't really an issue with SSL itself, just something to be aware of. You can safely assume that no-one is able to eavesdrop on the SSL connection between your site and the source of the connection. You can't, however, be sure that the source of the connection is really the user.

Magnus
  • 1,194
  • 10
  • 18
  • 1
    Note the OP was marked with webservice, so there would be no browser lockicon. It's up to the client app to explicitly validate, and provide feedback. Or not. – AviD Nov 11 '10 at 22:04
9

Since SSL crypts the transmission, no data can be eavesdropped (since the certificate is trusted).

Altough the problem reside on where (and how much) you are using SSL in your webapp: say, for example, you require an SSL connection only to authenticate your user (to let 'em send they crypted user/pass pairs to your server), then when you send back a cookie you should be aware that it could be easily intercepted (like if your user is on an unprotected wireless connection).

The recent FireSheep drama is all about this.

gbr
  • 2,020
  • 1
  • 17
  • 22
7

No. Traffic analysis can still tell someone a lot.

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic.


TLS is usually deployed to preserve confidentiality -- an attacker should not reach a high level of confidence about the contents of communication.

Assuming,

  1. an attacker knows your protocol,
  2. an attacker knows who is communicating with whom
  3. the attacker cannot decrypt messages.
  4. you do not obscure your real traffic in a lot of nonsense traffic (chaff)

An attacker can probably tell when you are awake and when you are asleep regardless of protocol, and may be able to tell a lot more depending on the nature of the protocol you're using.


If your protocol is very simple:

  1. You send a message "fire the nukes at ..." when you want to fire nukes
  2. You don't send a message when you don't want to fire any nukes.

An eavesdropper who can't decrypt your data can determine by the mere presence of a message that you want to fire nukes, though maybe not at whom.


If your protocol is more complex:

  1. You ask for a book.
  2. I send you the content.

An attacker may not be able to tell who is reading "War and Peace" vs "Atlas Shrugged" but can distinguish, based purely on message size, whether they are reading one of the former vs. Kafka's 55 page novel "The Metamorphosis".

Mike Samuel
  • 3,873
  • 18
  • 25
6

SSL performs two basic tasks: authentication and encryption.

Authentication is done by means of certificate authorities (CAs). Browsers come with a list of SSL certs for for the signing keys of the CAs. CAs sign certificates that describe the public key of an entity. For example, if I owned Google.com, I'd prove that to Verisign and they would sign my certificate for some period of time. Problems crop up with a CA signs a cert they shouldn't sign. This can occur when somebody pretends to own another domain, acquires a wildcard cert that is too broad, or just plain XKCDs the CA into issuing something nefarious (governments, perhaps?). We've seen instances of all of the above happen, but it is pretty rare.

If a cert for a site is properly signed and no fake cert in your trust chain exists, then when you connect to a site you can (for discussion purposes) be confident that the certificate matches. Under normal circumstances, that connection is encrypted. That prevents anybody from reading your data.

SSL certificates are very complex, and a number of attacks exist against SSL implementations. What SSL can effectively do is prevent me from watching your traffic at the local Starbucks when you check your email on GMail. What it can't do is prevent me from using a MITM attack where I relay everything to you without SSL and your client isn't setup to bother you about the fact that never started an encrypted session.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
4

Not counting the various answers by others about other potential issues, assuming you are using SSL 3.0 and strong encryption, it should be secure.

Using older ssl protocols (2.0) or using a weak encryption key could open you up to vulnerabilities.

Doozer Blake
  • 481
  • 5
  • 8
4

SSL generally increases security by providing:

  1. Server Authentication (the user knows they are talking to the 'correct' site)
  2. Data integrity (the user and server know that traffic is not being modified en route)
  3. (optionally, but typically) Data privacy (the user and the server know that traffic is not being intercepted en route)
  4. (optionally, but rare) Client authentication, if the client has a certificate too

There are essentially just two types of SSL certificate, the server certificate (which is always involved) and a client certificate (which is optional).

This is just a sketch, and there are many ifs, ands and buts. In the most typical scenario, browser based SSL, the scheme can broken in many cases without breaking the cryptography or the protocol, but simply by relying on the user to do the wrong thing (i.e. ignore the browser warnings and connects anyhow). Phishing attacks can also work by sending the user to a fake SSL protected site, made up to resemble the real one in all respects but the URL.

Having said that SSL and its cousin TLS are still very useful as they at least allow for secure communication, albeit far from foolproof.

frankodwyer
  • 1,907
  • 12
  • 13
2

When somebody connects with SSL (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over this line, or can it be that there is still eavesdropping?

The weak link in this chain is almost certainly not SSL but the user, who can generally be tricked into connecting to a fake intermediate site either via web spoofing/hyperlink spoofing, or by being presented an invalid certificate and dismissing the browser warning and proceeding to connect anyway.

However the system you describe is best practice anyhow, there's not much else you can do (aside from educate your users to take SSL warnings seriously if you can).

frankodwyer
  • 1,907
  • 12
  • 13
2

When you are not using SSL, all the communication can be easily intercepted - the only thing one need to do that is to launch packet sniffer (i.e. Wireshark).
SSL prevents that, all packets are encrypted so there is no way to know what you are sending out. Basically it is used for protecting passwords and private content from intercepting. You obviously do not want somebody else to read your private emails, right?
As for Google search, they simply did it to hide what people are asking for. This is because some governments are just too curious about it.

How SSL increase security? It does not by itself. What does is a combination of encryption (SSL key) and PKI (Public Key Infrastructure) - mainly Certificates. OK, the question was how. On one side it secures your communication channel (see above), on the other hand it ensures that you are talking to legitimate business - authenticates server. So the channel is secure and trusted.

There are quite a few SSL Certificates, as there are quite a few PKI Services. Basically different service needs different type of SSL Certificate. So there are Certificates for code signing, e-mail encryption and signing, the ones regarding i.e. server authentication, and so on.

Paweł Dyda
  • 171
  • 4
2

Short answer is no. Longer answer: a collection of the answers above plus: If we solve the authentication, hence man-in-the-middle, that with traditional SSL connection someone listening to the traffic could still decrypt it later if they obtained a server secret key (think of NSA and National Security Letters). There is a option in TLS protocol to use Diffie-Hellman protocol to assure link confidentially. See the following picture when I am accessing gmail.com using Chrome. connection security

Look at text RC4_128 with SHA1 for message authentication ECDHE_ECDSA. This reads:

  1. Server offered SSL channel RC4_128b with SHA digest
  2. Inside this tunnel each message is encrypted with Ecliptic curves where key is derived using Diffie-Hellman function, and is signed with Ecliptic Curves cipher using Digital Signature Algorithm

In other words, even if someone has private key of the SSL server, the messages have been encrypted with temporary keys that are discarded from memory soon after use. Good luck NSA!

Bruno Rohée
  • 5,351
  • 28
  • 39
2

@Vladimir is right that http://en.wikipedia.org/wiki/Forward_secrecy is desirable, but has the details wrong. The server chose this ciphersuite from among those offered by the browser. "encrypted with RC4_128 with SHA1 for message authentication" does use RC4 128-bit encryption and HMAC-SHA-1 integrity check. (Ciphersuite names in SSL/TLS until recently say SHA but they mean SHA-1 and actually HMAC-SHA-1.) "ECDHE_ECDSA as the key-exchange mechanism" does not apply to individual messages, it is part (most) of the handshake that occurs once at the beginning of the session: ECDHE uses the Elliptic Curve variant of Diffie-Hellman in Ephemeral mode (plus some additional steps not important here) to create the session keys used for encryption and HMAC; and the ECDHE key exchange (only) is signed by the Elliptic Curve variant of Digital Signature Algorithm. (You can never encrypt anything directly with DH or ECDH, they only do key or other small secret agreement.)

dave_thompson_085
  • 10,064
  • 1
  • 26
  • 29
2

Is it safe for the user, or is it safe for you? Assume a man-in-the-middle attack. The attacker manages to capture the user's traffic, pretends to be you to the user, and pretends to be the user to you. That kind of attack would usually fail, because the certificate given to the user would not be right. For example, the attacker gives the user a self-signed certificate for your website. However, if the user acts stupidly, they may accept that self-signed certificate. So now the attacker can read and modify all the traffic between the user and you, and as far as I know there is no way for you to detect this.

So if the snooping and modification of traffic hurts the user, that's really their own fault and their own problem. And you can't prevent it completely anyway, because the MITM can cut you out completely and just talk to the user pretending to be you. But if snooping and modification of traffic hurts you, then you must trust the user not to be stupid, or better authenticate the user as well (the user would need a certificate, and you can check that in a way that the MITM can't fake).

gnasher729
  • 101
  • 1
1

Even the most modern versions of HTTPS using TLS can easily be intercepted by a MitM (e.g. a Juniper device configured for the purpose) if the client trusts the CA. In that particular case, it's not secure.

multithr3at3d
  • 12,529
  • 3
  • 31
  • 43
user3260912
  • 131
  • 3
  • 1
    If I understand that article right, it relies on installing a certificate. Wireshark can do the same, but it requires access to at least one of the machines you're eavesdropping on. – S.L. Barth Jul 10 '17 at 15:20
  • This doesn't really add anything to the answer by LamonteCristo 6 years ago. – dave_thompson_085 Jul 11 '17 at 02:22
1

I Think people here does not understand the question:

If you have a unsafe line, and you make a successful SSH/SSL Connection over this line, he now ask if its safe to make the assumption that the line is "secure" and that unencrypted data can be passed ALONGSIDE with the encrypted Connection (eg, in plain sight, not inside the encrypted SSL/SSH Connection).

I would say no. In this case, there could be a passive eavesdropper that simply ignores encrypted data and saves unencrypted data.

BUT you can be sure theres no Active eavesdropper (MITM), which means you can safely establish a unauthenticated SSL/SSH Connection with the same source/destination as the authenticated line. This provided theres no selective eavesdropper that MITM certain connectors, BUT however, the eavesdropper cannot know if you going to authenticate the Connection or not, so he cannot know which Connection to MITM to evade detection. The MITMer would, if he MITM, MITM all Connections and hope people click through all authentication dialogs simply.

Thus: If you connect authenticated to a SSL service from lets say 123.123.123.123 to 24.24.24.24, you can also safely connect a SSH client from 123.123.123.123 to 24.24.24.24 without mutually authenticating the SSH fingerprint, provided you can trust everything behind the other side's NAT router or firewall.

But even if thats safe generally meant, there IS a small risk that a eavesdropper simply random MITM Connections and hope for not being detected, so since you already have a authenticated Connection to the target IP, why not use that authenticated Connection to mutually verify the SSH fingerprint? Its simple as posting the correct SSH fingerprint on a SSL secured website!

sebastian nielsen
  • 8,799
  • 1
  • 19
  • 33