The Glossary: What The Heck is SSL?

Welcome to The Glossary, a new content series that unpacks those unfamiliar terms and concepts that pop up in the news from time to time. In addition to a basic breakdown of the subject, we engage authorities in a Q&A about what this news means for Internet entrepreneurs big and small.

internetweek
Jun 13, 2014

Over the past couple months, one could argue that the biggest stories on the Internet concerned its security (or lack thereof). Target CEO Gregg Steinhafel resigned in the wake of the massive data breach that rocked the retail store chain last year, and websites ranging from Typepad to Feedly have been knocked out by distributed denial of service (DDoS) attacks.

But by far the biggest story of this kind involved Heartbleed, a vulnerability in the security protocol SSL that prompted Internet users around the world to change their passwords en masse. The Heartbleed bug has since been corrected, but when a fresh array of SSL bugs was discovered at the beginning of June, it raised a whole host of new questions:

Is it naïve to assume that our data will ever be secure online? How can we protect ourselves?

And, for more than a few of us:

Can someone please explain SSL for me again?

We’ve got you covered. We asked Emmanuel Schalit, the CEO of password security company Dashlane, and Darien Kindlund, the director of threat research at web security firm FireEye, some questions about the state of our web security, and what it means for entrepreneurs.

What It Is:

SSL, which stands for Secure Sockets Layer, is the standard security technology used to encrypt the information traveling between an individual’s web browser and a server so that it cannot be read or altered in transit. Virtually every kind of private information transmitted across the Internet — from emails to credit card transactions — is sent using SSL. Though there are variants of the SSL protocol, some form of it is in place on more than two thirds of all web servers.

How It Works:

When your web browser connects to a web site, it first asks the server for its certificate. That certificate, which website owners obtain from SSL Certificate Authorities, attests that certain key information about the site is true, above all that the server really belongs to the domain name you typed. Once the browser verifies that the certificate is valid, it sets up an encrypted connection, so that third parties can’t read or tamper with the information that follows.
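The checks a client performs on a server certificate, as an added Python example that is not part of the original article: hostname matching against the certificate's DNS names and a validity-period test on a constructed `getpeercert()`-style record, plus the browser-like `ssl` context that makes the library verify the CA signature chain. The certificate values are made up for the illustration.

```python
import ssl
import time

# Constructed example of the dict ssl.SSLSocket.getpeercert() returns for a
# verified certificate; all values are made up for this illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jun  1 00:00:00 2014 GMT",
    "notAfter": "Jun  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def browser_like_context():
    """Client context a browser would use: the CA signature chain is
    verified by the library and the hostname must match the certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only stand for the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count(".")
                and not hostname.startswith("."))
    return pattern == hostname

def hostname_matches(cert, hostname):
    """Match the requested hostname against subjectAltName DNS entries; the
    commonName alone is not trusted by modern clients."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_dns_name_matches(n, hostname) for n in names)

def within_validity_period(cert, now=None):
    """Reject a certificate that is not yet valid or has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def certificate_acceptable(cert, hostname, now=None):
    """Both checks above, on top of the signature verification the handshake
    already performed with browser_like_context()."""
    return within_validity_period(cert, now) and hostname_matches(cert, hostname)
```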

Questions

IW: Earlier this week, another OpenSSL bug was exposed, and it touched off another surge of hand-wringing and alarmist articles, even though it was, comparatively speaking, a much more minor problem. Do you think this heightened awareness of Internet security is here to stay?

Emmanuel Schalit, Dashlane: There has undoubtedly been a sharp increase in online security matters following Heartbleed. Unfortunately, this has also led to a “calm-after-the-storm” effect whereby every incident that has followed hasn’t been as serious, and thus, hasn’t received the same attention. While fewer people were exposed with the recent OpenSSL bug, it was by no means a less serious matter, as the potential consequences for affected users are just as grave as those for Heartbleed.

Darien Kindlund, FireEye: We think the Heartbleed vulnerability has kick-started increased scrutiny around the code quality of various open-source libraries that are fundamental to the security fabric of the Internet. Although painful, we see this as a good thing, because these vulnerabilities were always present — it’s just that now people are motivated to find them and fix them before they become part of in-the-wild attacks.

IW: As the security of our information becomes something that the public is increasingly aware of and concerned about, what are some of the biggest opportunities an entrepreneur might seize on in this climate?

Schalit: The first step any entrepreneur should take is to make sure they are following the best security practices, regardless of where their business interests lie.

Kindlund: Increased awareness of security and privacy issues within the public means that entrepreneurs will have an easier time justifying and marketing their product’s capabilities that cater towards security/privacy, overall. The public is demanding a balance of usability and security, as they are starting to pay for better security architectures. This means that savvy entrepreneurs could bring to market a product that might not be as usable as its competitors, but market distinct security capabilities, which can help differentiate it and ultimately demonstrate unique value to the public.

IW: An editorial in Wired called these recent server-side issues an “infrastructure” problem, something that cannot be fixed in a matter of days or hours. What do you think the prospects are for disrupting or addressing these core characteristics of the Internet to make it safer?

Schalit: The Internet has developed into an apparatus whereby users demand convenience and speed and our core mission at Dashlane is to make identity security simple and universal. We understand that if security measures become too burdensome to the user experience then they will not be widely adopted and are providing a product that takes this into account.

Kindlund: While secure infrastructure is a key component to this problem, it is not the only factor. One of the classic models for dealing with this problem is to never have a homogeneous environment. Instead, adopt a heterogeneous set of systems. Traditionally, this has meant using combinations of Windows, Linux, and other operating systems for your servers, with the idea that a vulnerability in one of those systems will be less likely applicable to the other environments. That said, this theory breaks when common fabric libraries (e.g., OpenSSL) are used across all of these systems. Heterogeneous models only work effectively when there is very little code reuse across the different systems (meaning: OpenSSL can’t be used across all systems). Unfortunately, this model creates compounding problems when it comes to operational/maintenance costs, which usually outweigh the risk of adopting a homogeneous environment.

That said, the overall damage of Heartbleed may be enough to warrant some to consider adopting a pure heterogeneous model in the future.

IW: A large percentage of our readers are entrepreneurs and people working at small to medium sized businesses. What steps can they take to ensure they are taking the utmost care of their customers’ accounts and information?

Schalit: Businesses should first make sure they have implemented the necessary security fixes to patch the latest SSL flaws. Additionally, they can implement the following simple password policies to ensure they are following industry-standard security practices: Minimum password length of 8 characters; alphanumeric and case-sensitive passwords; email confirmations for password changes; no accepting the 10 worst passwords on the web; no logins allowed after 10 incorrect password tries.

Our latest Q2 Security Roundup provides additional easy steps online businesses can take to protect their customers’ information.
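The password policy listed above, as an added Python example that is not part of the original article or of Dashlane's code: the length and letters-plus-digits rules, a worst-passwords blocklist, and a per-account lockout after 10 failed tries, with case-sensitive comparison against a salted PBKDF2 hash. The worst-passwords list is a constructed stand-in, and the e-mail confirmation rule is not modelled.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10
# Constructed stand-in for "the 10 worst passwords on the web"; a deployment
# would load a current published list instead.
WORST_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                   "123456789", "111111", "1234567", "iloveyou", "letmein"}

def check_password_policy(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored value, not the password itself, is kept."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Counts failed logins per account and refuses further attempts once
    MAX_FAILED_ATTEMPTS is reached. (The e-mail confirmation for password
    changes in the same policy is out of scope here.)"""
    def __init__(self):
        self.failures = {}

    def attempt(self, account, password, stored):
        if self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        salt, expected = stored
        # Case-sensitive by construction: "secret1" and "Secret1" hash differently.
        _, got = hash_password(password, salt)
        if hmac.compare_digest(got, expected):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"
```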

Kindlund: Develop operational plans/measures to better prepare for when these types of incidents occur. Of course, it’s best to make sure it never happens, but having a fail-safe plan in place will help in the eventuality these types of incidents occur.

By Max Willens
