HTTPS and SSL are the protocols used to secure the web. In fact, HTTPS uses SSL to get things done. The whole idea with these protocols is to make sure no one can eavesdrop on important data traveling over the web. However, things are not as they seem, because, in truth, SSL is a muddle.
Don’t get it twisted, for that doesn’t mean the SSL and HTTPS encryptions are useless to users on the web. They have their problems, but both are much better than HTTP in every way possible.
Problems with HTTPS and SSL
Let’s point out a few problems with HTTPS and SSL
Man in the middle attacks
For some odd reason, Man in the Middle attacks are still possible with SSL. The concept is simple; users should be able to connect to their bank’s website over public Wi-Fi because the connection is secure, henceforth, attackers shouldn’t find the means to slip through.
An attack through this form could redirect the user to an HTTP website that looks similar to a secured one, and from there, the attackers would have terminals set up in hopes of stealing valuable information.
Too many certificate authorities
Your web browser has a list of certificate authorities built-in. All web browsers only trust certificates issued by the ones built-in. Should users visit a website secured using SSL, it would issue a certificate, and the web browser will proceed to check if the website to make sure the certificate was designed to come from that particular page.
Here’s the thing, because there are so many certificate authorities, problems with a single certificate could affect all. That’s never good, and so far, there’s not much webmasters can do about it.
Certificate authorities issuing fake certificates
Unbelievably, fake certificates are out there and causing problems for web users. And even Google and other companies have fallen prey to it in the past.
The government or others had the ability to use this rogue certificate to impersonate the official Google page, which would make it possible to perform a Man in the Middle attack. In its defense, ANSSI claimed the certificate was created to spy on its own users, and as such, the French government had no access to it.
Some certificates have downright failed at times
According to studies done in the past, some certificate authorities have failed when delivering certificates. This means, some websites might not require a certificate, but the authority delivers it anyway. If this is being done on a regular basis, then one can only image what other mistakes have been made and are still being made.
- Tags: Misc