Thursday, October 8, 2009

Report Confirms - SSL Largely Misunderstood

[All quotes from Dark Reading Story]

Interesting statistics on users, info sec users, and SSL from Tyler Reguly's research discussed at the SecTor Conference.

Regarding average web users:
Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords.
I'm not terribly surprised here. Most users are aware of the threat of "identity thieves" and have associated SSL with protecting their credit card. I don't believe that users think through the whole process. If the attacker steals your password, then they become you and can get any information provided by the app.

Want to get an even lower percentage response? Test to see how many users consider SSL an important factor after they've logged in (e.g. after login page, but not a page which accepts credit card data). My guess is none of them will care. That's because very few average users have any concept of the risk of session ID exposure. Many popular sites operate this way - facebook, linkedin etc.

Regarding information security professionals:
More than half of the respondents don't know what Extended Validation SSL (EVSSL) is and how it differs from SSL, while 36 percent say they do.
This is not good. Security professionals need to get on the ball here. EVSSL is especially important to understand. Because, although the extra verification of the owner is good, it is not a silver bullet by any means. There are numerous other ways a site can mess up SSL - even with an EVSSL cert. (Since the EV part is the manual verification of the company's identity and has nothing to do with the technical implementation of SSL itself)
Even so, nearly one-third say the only purpose of SSL is to encrypt their traffic so it can't be sniffed.
This is a common misconception. Remember, SSL offers end-point authentication, confidentiality, replay attack protection, and built in integrity checking.
Meanwhile, 51 percent of the survey respondents said they rely on browser error messages to alert them of flaws in Website security
That's just not good. I hope that percentage is based on the average user and not an info sec community poll. On the other hand, I think it is fair to judge that a site has poor security if they can't even get the SSL portion right. Just don't think the inverse. SSL is just one piece of a large pie.

-Michael Coates