Problems with HTTPS and SSL folks are not talking about

HTTPS and SSL are the protocols used to secure the web; in fact, HTTPS is simply HTTP carried over SSL. The whole idea behind these protocols is to make sure no one can eavesdrop on important data travelling over the web. However, things are not as they seem, because, in truth, SSL is a muddle.

Don’t get it twisted: that doesn’t mean SSL and HTTPS encryption is useless to users on the web. They have their problems, but both are much better than plain HTTP in every way possible.

Problems with HTTPS and SSL

Let’s point out a few problems with HTTPS and SSL.

Man in the middle attacks

For some odd reason, Man in the Middle attacks are still possible with SSL. The concept is simple: users should be able to connect to their bank’s website over public Wi-Fi because the connection is secure, hence attackers shouldn’t find a way to slip through.

An attack of this form could redirect the user to an HTTP website that looks like the secured one, and from there the attackers would have terminals set up in hopes of stealing valuable information.

Too many certificate authorities

Your web browser has a list of certificate authorities built in, and it only trusts certificates issued by those authorities. When a user visits a website secured with SSL, the site presents a certificate, and the web browser checks it to make sure it was issued for that particular site.

Here’s the thing: because there are so many certificate authorities, problems with a single certificate could affect all. That’s never good, and so far there’s not much webmasters can do about it.
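The check described above, that a presented certificate was issued for the site being visited, as an added example (not code from the article): `SAMPLE_CERT` is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are my own.

```python
"""Check that a certificate was issued for the host actually being visited.
Added example (not code from the article): models the hostname check a
browser performs after the chain is validated, using the dict shape that
Python's ssl.SSLSocket.getpeercert() returns. The sample is constructed."""
import ipaddress

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: at most one wildcard, only as the whole leftmost
    label, never spanning a dot, and never for a bare suffix like *.com."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if a subjectAltName entry covers hostname (DNS name or IP literal).
    The CN is deliberately ignored, as modern browsers do."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
    return False
```

A mismatch here is exactly what produces the browser's "certificate name mismatch" warning, which is why a lookalike site on a different hostname cannot reuse the real site's certificate.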

Certificate authorities issuing fake certificates

Unbelievably, fake certificates are out there causing problems for web users, and even Google and other companies have fallen prey to them in the past.

The government or others had the ability to use this rogue certificate to impersonate the official Google page, which would make it possible to perform a Man in the Middle attack. In its defence, ANSSI claimed the certificate was created to spy on its own users, and as such the French government had no access to it.

Some certificates have downright failed at times

According to studies done in the past, some certificate authorities have failed when delivering certificates: some websites might not require a certificate, but the authority delivers it anyway. If this is being done on a regular basis, one can only imagine what other mistakes have been made and are still being made.

Vamien McKalin possesses the awesome power of walking on water like a boss. He's also a person who enjoys writing about technology, comics, video games, and anything related to the geek world.

6 Comments

  1. ReadandShare

    This is how I access my email and bank when traveling:

    1. I use only my own device (assume no virus or keylogger)
    2. I sign up on public Wifi (hotel, etc.) with or without password
    3. I log into my bank / email accounts using the bank or GMail’s own android apps – instead of browser

    The assumption is that GMail and my bank’s apps will enforce SSL connection – so anyone attempting to eavesdrop will get only gibberish. Correct?

  2. Lately I’ve adopted the policy that if I have to use a wifi network that I don’t have control over, I utilize a VPN connection.

  3. Sir_Brizz

    This article is really poorly researched. It also doesn’t go into enough detail about the process.

    Any CA that issues fake certificates will get reprimanded. Symantec just got slapped by Google for misissuing certificates. CAs have hefty auditing requirements.

    Your last point makes no sense.

  4. Isaac Parker

    I’m not sure how any of this is all that relevant. HTTPS and SSL (TLS, really) don’t make direct attempts to stop phishing, which is what’s actually being described in the first section. HTTPS EV (Extended Validation) certificates are designed to help ensure you’re talking to who you think you are, which could help reduce phishing effectiveness, but I’ve got my doubts.

  5. Adam Williams

    Completely agreed, the complaints about MitM attacks are completely incorrect. Is the author trying to bring up attacks such as sslstrip? If so, this is exactly what HSTS is for! And even if HSTS isn’t deployed, most browsers will cache the HTTP -> HTTPS redirect and never actually make the request.

    I don’t understand the last point, nor do I understand what “Here’s the thing, because there are so many certificate authorities, problems with a single certificate could affect all.” is supposed to mean. Each CA has their own autonomy and a misissuance doesn’t impact other CAs at all.

    Pretty awful article, all things said.
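The HSTS defence this comment refers to, as an added example (not the commenter's or the article's code): it evaluates a Strict-Transport-Security header the way a browser does before recording it, so an HTTP-downgrade of the kind the article describes cannot happen on a later visit. The header values and function names are constructed for illustration.

```python
"""Evaluate a Strict-Transport-Security header the way a browser does. Added
example (not the article's or commenter's code); headers below are constructed."""
from typing import NamedTuple, Optional


class HstsPolicy(NamedTuple):
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse RFC 6797 directives; None means the browser must ignore the header.
    Names are case-insensitive, a repeated directive invalidates the header."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and skipped
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_protects(headers: dict, over_tls: bool, min_age: int = 31536000) -> bool:
    """True only if the policy would be recorded (HTTPS response, valid header)
    and its max-age (default floor: one year) covers the next visit."""
    if not over_tls:
        return False  # browsers ignore HSTS received over plain HTTP
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value) if value is not None else None
    return policy is not None and policy.max_age >= min_age
```

Note the first visit is still unprotected unless the domain is on a browser preload list, which is what the preload directive is for.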

  6. Jonathan Hilgeman

    Maybe I’m missing something but the last section doesn’t make any sense to me. It vaguely SOUNDS like you’re referring to CAs like LetsEncrypt improperly issuing certificates to the wrong people, but the rest of that section doesn’t click with that idea.

    Regarding MITM, there are several legitimate ways for this to happen (e.g. trusted internal proxy) but you’re obviously referring to illegitimate means. HTTPS will issue a warning if you’re redirected to a site that uses a cert from an untrusted CA, so you might want to elaborate on your point.

    As a whole, this article doesn’t seem well-informed.
