Ssl Weakness
The current state of authenticity in SSL is questionable and deleterious to the security of SSL as a whole. SSL, even with the most current updates, suffers a great deal of weaknesses that had been highlighted over the years. Some of the most prominent issues are: certificate and configuration issues, protocol attacks, application-level issues, and PKI trust issues.
As reported in the RSA conference in Europe back in 2011, SSL certificates issues encompass insufficient domain name coverage, weak private keys and certificate chain issues. According to a paper presented at the RSA conference, as of 2011, 61.40% of SSL certificates do not support the main domain name properly due to the lack of apex support (e.g. some sites only register a certificate for a common domain name like “samplesite.com” but do not have a certificate registered for “www.samplesite.com”). It had also been noted that out of 1,157,062 certificates observed, a staggering 50% of them contain keys that is 1024-bits or less. It is very well known that with current computing technology, anyone can break 512-bit RSA keys; even 1024-bit keys should be slowly phased out.
Furthermore, on September 2011, two information technology security researchers came forth announcing that they had successfully extended a previously known vulnerability in SSL v.3 (or TLS v.1.0) into an eavesdropping attack against some applications. The detailed release of the announcement and attack pushed all of the major web servers and client vendors into a state of panic in order to provide the necessary patches to address the disclosed vulnerabilities; however, the progress made has been painstakingly slow due to compatibility complications between web application servers and web clients. Over a year after the disclosure of the attack, at the time of this writing, major commercial sites were still being observed to use TLS v. 1.0 (e.g. Bank of America, Navy Federal Credit Union, Capital One Bank, etc.). Yet, while
As reported in the RSA conference in Europe back in 2011, SSL certificates issues encompass insufficient domain name coverage, weak private keys and certificate chain issues. According to a paper presented at the RSA conference, as of 2011, 61.40% of SSL certificates do not support the main domain name properly due to the lack of apex support (e.g. some sites only register a certificate for a common domain name like “samplesite.com” but do not have a certificate registered for “www.samplesite.com”). It had also been noted that out of 1,157,062 certificates observed, a staggering 50% of them contain keys that is 1024-bits or less. It is very well known that with current computing technology, anyone can break 512-bit RSA keys; even 1024-bit keys should be slowly phased out.
Furthermore, on September 2011, two information technology security researchers came forth announcing that they had successfully extended a previously known vulnerability in SSL v.3 (or TLS v.1.0) into an eavesdropping attack against some applications. The detailed release of the announcement and attack pushed all of the major web servers and client vendors into a state of panic in order to provide the necessary patches to address the disclosed vulnerabilities; however, the progress made has been painstakingly slow due to compatibility complications between web application servers and web clients. Over a year after the disclosure of the attack, at the time of this writing, major commercial sites were still being observed to use TLS v. 1.0 (e.g. Bank of America, Navy Federal Credit Union, Capital One Bank, etc.). Yet, while