The S in HTTPS
Have no fear and secure using the “s” in “https”
So DuckDuckGo referenced this cool SSL poem by Amber Wilson, and I thought I’d share a few thoughts on SSL. Admittedly, I think Amber does a better job than DuckDuckGo, although how much security info can you share in a tweet? (Yes, calling you out, Twitter :))
SSL does increase security. Without any encryption, i.e. surfing the web over plain http://, all data transferred is in the clear and open to interception on your LAN and at any routing point between you and your destination. By encrypting your data with SSL you have some “reasonable” belief that your data has not been compromised.
However, as the poem goes on to explain, SSL is not without its flaws (e.g. Heartbleed, which was probably exploited in the wild well before the public knew about it and allowed attackers to read encrypted SSL communication). There are also various man-in-the-middle attacks that companies use on their LANs to sniff employee traffic. It’s also possible to decrypt communications if the destination server has been compromised and an attacker has the key (something that happens more often than you think).
If you think attackers couldn’t find a way to sidestep such encryption, here’s a great article from 2015 explaining how the NSA exploited a weakness in the Diffie-Hellman (DH) key exchange to do just that.
So in a practical sense we could compare this to “locking your doors and windows”: is your house really secure? Maybe, but not really unless you have taken additional steps to make sure you don’t have doors and windows that are easy to break into, or that there are no backdoors/master keys etc. that come into play.
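As an added example (not from the original post), here is what those “additional steps” look like in a Python TLS client: the context verifies the server’s certificate (so a LAN interception proxy must present a cert this machine trusts), insists on TLS 1.2 or newer, and only offers forward-secret ECDHE key exchange, so neither a stolen server key nor a weak DH group decrypts recorded traffic. The `assess_cipher` triage helper and the OpenSSL-style suite names and `dh_bits` values it is fed are constructed for illustration.

```python
"""Hardened TLS client settings plus a cipher-suite triage helper.

Added example, not from the original post. Each setting maps to one of
the failure modes the post lists: plaintext HTTP, interception proxies on
the LAN, a compromised server key, and the 2015 finite-field DH weakness.
"""
import ssl
from typing import List, Optional

# OpenSSL names for TLS 1.3 suites; key exchange there is always ephemeral.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}


def make_hardened_context() -> ssl.SSLContext:
    """Client context that takes the 'additional steps' beyond just https."""
    ctx = ssl.create_default_context()          # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Certificate and hostname checks: a LAN interception proxy must present
    # a certificate this machine already trusts, or the handshake fails.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Offer only ECDHE key exchange: forward secrecy means a later theft of
    # the server key does not decrypt recorded sessions, and no finite-field
    # DH groups are offered for an attacker to precompute against.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT")
    return ctx


def assess_cipher(suite: str, dh_bits: Optional[int] = None) -> List[str]:
    """Triage a negotiated OpenSSL-style suite name (as from sock.cipher()[0]).

    dh_bits is the DHE group size when known. Returns a list of concerns;
    an empty list means nothing was flagged.
    """
    name = suite.upper()
    concerns = []
    if "EXPORT" in name or "EXP-" in name:
        concerns.append("export-grade cipher: trivially breakable")
    if any(weak in name for weak in ("RC4", "DES", "NULL", "ANON")):
        concerns.append("obsolete or anonymous cipher")
    if suite in TLS13_SUITES or "ECDHE" in name:
        pass                                    # ephemeral ECDH: forward secret
    elif "DHE" in name:
        # Finite-field DH: the 2015 attack targets small or widely shared groups.
        if dh_bits is None or dh_bits < 2048:
            concerns.append("finite-field DHE with <2048-bit or unknown group")
    else:
        # e.g. AES128-SHA: RSA key transport. Whoever holds the server's
        # private key can decrypt every recorded session.
        concerns.append("static RSA key exchange: no forward secrecy")
    return concerns


def weak_offers(ctx: ssl.SSLContext) -> List[str]:
    """Names of suites the context would still offer that assess_cipher flags."""
    return [c["name"] for c in ctx.get_ciphers() if assess_cipher(c["name"])]
```

Run `weak_offers(make_hardened_context())` against your own client settings; anything it returns is a suite the post’s “backdoors/master keys” caveat applies to.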
What do you think?
Cheers!
A. Yasir