(Unencrypted) site security confirmed!

August 7th, 2007 Posted by D Webber

SSL vendors still equate encryption with “security”. Forget about hardening your e-commerce server. Don’t bother encrypting data at rest. According to the ads from SSL vendors, all you need is their 128-bit SSL certificate (preferably the new EV SSL variety) … and to pay the annual fee.

VPN and other crypto product vendors do the same. They get away with this because to many people, crypto is still magical security dust.

But wait! Did you know you only have to buy the dust (the SSL certificate), not actually sprinkle it around (install it on the server)? Magic indeed!

I learned this recently when someone asked me to check out a little online store. They were about to make a purchase then noticed the credit card entry page began with “http://” and the SSL padlock icon was missing.

Not uncommon. Many mom-and-pop sites try to skip the cost of SSL certificates hoping customers either won’t notice or won’t mind. However, what was confusing about this unencrypted storefront was that it sported a large “Verified by GeoTrust” button.

You’ve seen these and similar assurance stickers from other SSL vendors (check out Geotrust’s front page for a live example). Clicking the button pops up a window showing the http URL, company name and the reassuring words “Site Security Confirmed”.

Now, it’s technically possible for a form to originate from an unencrypted URL and then submit the data to an SSL URL. However, a quick look at the HTML of this order form revealed that the “action=” went to the same unencrypted URL, and there was no JavaScript or other trickery involved… the form really was sending card numbers and other private info entirely in the clear. So how could this be “Security Confirmed”?
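The “quick look at the HTML” above is easy to automate. The following is an added example (not code from this post, and nothing to do with GeoTrust’s own seal): it resolves each form’s `action=` against the page URL the way a browser does, flags forms that would send card-looking fields over plain http, and also flags the “technically possible” case of an http page posting to an https URL, since an unencrypted page can be rewritten in transit to change `action=`. The page URL, HTML and field names are constructed for illustration.

```python
"""Check whether an order form really submits over TLS.

Added example (not code from the post or from GeoTrust). It performs the
"quick look at the HTML" the post describes, resolving each form's action=
against the page URL the way a browser would. The page URL, HTML and field
names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name tokens that suggest card or credential data (illustrative list).
SENSITIVE_TOKENS = {
    "card", "cardnumber", "ccnum", "ccnumber", "cc", "pan",
    "cvv", "cvv2", "cvc", "expiry", "exp", "password", "passwd", "ssn",
}


class _FormCollector(HTMLParser):
    """Collects (action, method, input names) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _looks_sensitive(field_name):
    tokens = set(re.split(r"[^a-z0-9]+", field_name))
    return bool(tokens & SENSITIVE_TOKENS)


def audit_forms(page_url, html):
    """Return one finding per form: where it submits, whether that is TLS, and a verdict."""
    page_tls = urlsplit(page_url).scheme == "https"
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # Browsers resolve action= relative to the page; an empty action submits
        # back to the page URL itself, so "no action" on an http page is in the clear.
        target = urljoin(page_url, form["action"])
        submits_tls = urlsplit(target).scheme == "https"
        sensitive = [f for f in form["fields"] if _looks_sensitive(f)]
        if sensitive and not submits_tls:
            verdict = "FAIL: sensitive fields submitted in the clear"
        elif sensitive and not page_tls:
            # The "technically possible" case from the post. Still weak: an
            # unencrypted page can be rewritten in transit to change action=.
            verdict = "WARN: submits over https but the form itself was served over http"
        elif submits_tls:
            verdict = "OK"
        else:
            verdict = "INFO: plain http, no sensitive fields"
        findings.append({"target": target, "method": form["method"],
                         "submits_tls": submits_tls, "sensitive_fields": sensitive,
                         "verdict": verdict})
    return findings


# Constructed sample page mirroring the post's storefront: an http page carrying
# a seal image and a checkout form whose relative action= lands on the same http URL.
SAMPLE_PAGE_URL = "http://shop.example/cart/checkout.php"
SAMPLE_HTML = """
<html><body>
<img src="https://seal.example/verify.png" alt="Site Security Confirmed">
<form action="checkout.php?step=2" method="post">
  <input name="name"><input name="card_number"><input name="cvv">
</form>
<form action="https://shop.example/newsletter" method="post">
  <input name="email">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['verdict']:<70} {f['method'].upper()} {f['target']}")
```

Run it against the saved HTML of any checkout page together with the URL it was fetched from; the first form in the sample reproduces the post’s finding (a relative `action=` on an http page is submitted in the clear), while the seal image on the same page tells you nothing about it.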

A technical person might expect an SSL verification function to check the HTTP Referer to determine the originating page, verify that the URL begins with “https://”, then retrieve the certificate from the server and verify that its subject Common Name matches the host name and that it has not expired or been revoked. More thorough checks might include some simple automated auditing and portscans of the server, like “Hacker Safe”.

Too technical, it seems. It appears all this SSL vendor’s verification button does is:

  1. Checks that the button is being displayed on the web site it says it is on (using good old unspoofable DNS, of course).
  2. Checks that an SSL certificate has been sold to that web site and has not expired or been revoked.

The result is a site can be unencrypted and still have “site security confirmed”. I guess this means SSL is no longer “security dust”… it’s graduated to “security talisman”. Just possessing an SSL certificate is enough. No need to actually use it.

When we notified the site owners that their order-taking page was unencrypted, they argued that we were mistaken… previous customers had reported the same thing but the Geotrust button “confirmed everything was okay”.

It took some effort to convince them the button was lying. Later it turned out the site did have a valid certificate installed and ready to use, but their web developer had screwed up and used “http” instead of “https” in the shopping cart app and related URLs. A quick search and replace fixed the issue.

Having the Geotrust button actually reduced the security of this site. The owners trusted what the button said over the tell-tale lack of SSL indicators in their web browser. Probably many customers did the same: noticed the missing SSL then placed orders anyway after being reassured by the button. The situation could have gone on for years.

But what do you want for nothing? The verification button is provided free, right? Actually no… businesses must pay the SSL vendor extra to be able to use it on their sites.

Posted in Web security