Even though SSL technology has been in use for over two decades, it still pops up in the news every few months—usually when a security breach occurs and private information is leaked to unauthorized parties.
High profile security incidents often make headlines around the world and have caused misinformed debates over the security of SSL. Understanding how security affects you is key to ensuring that your data remains safe online.
However, the cryptography behind SSL continues to be very robust and has changed over the years to match advances in computing technology. In most instances, an attacker intercepting a communication and trying to use brute-force to decrypt it would simply be wasting their time.
As detailed in “The Math behind Estimations to Break a 2048-bit Certificate”, it would take a normal computer over 6.4 quadrillion years to break the encryption that secures DigiCert’s 2048-bit SSL Certificates. Even if they had (likely impossible) access to millions of the world's most powerful computers, consider the time it would take before the encrypted data could be decrypted.
Recent exploits were not flaws in the encryption; rather, they allowed attackers to bypass the encryption through faults in either the security implementation or the personnel practices of those using the technology.
In May, eBay announced that hackers breached some of their staff accounts. The breach allowed direct access to a database with names, addresses, phone numbers, dates of birth, and encrypted passwords.
While eBay encouraged everyone to change their passwords, the personal information that was exposed opens their customers to the possibility of not only phishing scams, but also potential identity theft. Luckily, there is no evidence that hackers were able to decrypt the passwords found in the database and customer financial information is stored on a separate server and was not compromised.
The Heartbleed bug, which has also recently been in the news, is another example of an exploit that bypassed encryption. Heartbleed is a bug in some versions of OpenSSL (used by roughly 17% of SSL web servers to encrypt information) that affected half a million widely-trusted websites.
The Heartbleed bug allowed attackers to read information directly from the server's memory, compromise secret keys used to encrypt data, and steal various types of content from the server, such as unencrypted usernames and passwords.
As soon as the bug was discovered, OpenSSL was patched to remove the vulnerability; however, by the time most affected web servers had updated their OpenSSL software, some high-profile breaches had possibly occurred.
If a website or server is compromised and user information is leaked, consumer confidence in the business is undermined, existing customers may cease doing business with the site, and potential customers to avoid signing up for it altogether.
Even if only a small amount of user accounts are affected, the resulting bad press for a business could mean millions of dollars in lost potential revenue. Additional costs could include hiring outside IT staff to secure the breach on short notice, as well as PR experts to counter all the resulting negativity about the company. Further, the breaches could necessitate the purchase of identity protection and fraud monitoring services. In the end, bad security can be extremely costly for any business.
Both consumers and business owners need to understand that SSL is a proven technology that has secured millions of websites over the years. And, as with any technology, it can be compromised by incorrect implementation or improper security practices.
Businesses should prevent breaches before they occur by working with an experienced security vendor (like DigiCert) to make sure they are implementing security best practices and actively monitoring their current security measures.