While we’ve all been told for years to look for the padlock and the https at the beginning of a web address in our browsers, we’re never told that the technology used to secure that connection varies wildly from site to site, and that should concern both consumers and businesses. So what is that padlock? It’s SSL, or Secure Sockets Layer, a security technology designed in the 90s; the latest and greatest version isn’t even called SSL but TLS, or Transport Layer Security. A great strength of the design is that, because it relies on both the client and the server being compatible, it allows a fall back to older versions should the newer version be unavailable on either system. Unfortunately, this is also its undoing.
Because vast swathes of internet users and businesses don’t renew or update their computers as regularly as these new versions are introduced (or because of mistakes made in Windows, which I’ll get on to later), many servers on the internet and many browsers on home and business computers will quite happily communicate with inadequate security while telling the user they are ‘secure’.
What’s more concerning is that this includes the online banking services of some of the top High Street banks. For example, Santander supports RC4, a cipher contained in versions of SSL and TLS that has multiple known vulnerabilities, and also uses weak key exchanges of the kind shown to be breakable by the ‘Logjam’ attack. If you use this website with an older browser, you are putting your data at great risk. If you are a business owner running old servers that support these older protocols and ciphers, you are putting both your customers and your business at great risk.
But it isn’t all just SSL: next year sees the end of support for SSL certificates signed with SHA-1, the technology used to prevent a domain’s identity being spoofed. SSL certificates are the final piece of good online security, and one that even the biggest companies slip up on, such as Apple forgetting to renew the one for their App Store.
So what can be done? The first step is the easiest: upgrade your web browser now. The website browser-update.org is a great resource, and businesses with websites can include the JavaScript snippet it supplies for free to remind customers to keep up to date. If you run a website that requires strong encryption to protect customer details, then you or your IT department should be applying all of the latest fixes as well as performing server hardening to ensure the best security possible.
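To make the hardening checklist concrete, here is an added example (not code from the original post or from any of the sites it mentions) that audits a constructed description of a server’s TLS configuration for the weaknesses discussed above: legacy protocol fall back, RC4, small DHE groups of the kind Logjam exploits, and SHA-1 certificate signatures. It also builds a client-side context that refuses the fall back. The `EndpointProfile` fields and the sample profiles are assumptions made for this illustration.

```python
"""Audit a TLS endpoint profile against the weaknesses discussed in the post."""
import ssl
from dataclasses import dataclass

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}  # versions a legacy client can fall back to
MIN_DH_BITS = 2048                              # Logjam-style attacks target 512/1024-bit groups


@dataclass
class EndpointProfile:
    """Hypothetical summary of what a scanner observed (an assumption for this example)."""
    protocols: set        # protocol versions the server will negotiate
    ciphers: list         # cipher suites offered, in OpenSSL naming
    dh_bits: int          # finite-field DH group size for DHE suites (0 = none offered)
    cert_sig_alg: str     # signature algorithm on the leaf certificate


def audit(profile: EndpointProfile) -> list:
    """Return one finding per weakness; an empty list means none of the post's issues apply."""
    findings = []
    for proto in sorted(profile.protocols & WEAK_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    if any("RC4" in c for c in profile.ciphers):
        findings.append("RC4 cipher suite offered")
    if any("EXP" in c for c in profile.ciphers):
        findings.append("export-grade cipher suite offered")
    if 0 < profile.dh_bits < MIN_DH_BITS:
        findings.append(f"DHE key exchange uses {profile.dh_bits}-bit group")
    if profile.cert_sig_alg.lower().startswith("sha1"):
        findings.append("certificate signed with SHA-1")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses the protocol and cipher fall back described in the post."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!RC4:!EXPORT:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    # Constructed sample profiles, not measurements of any real site.
    legacy = EndpointProfile({"SSLv3", "TLSv1.0", "TLSv1.2"},
                             ["RC4-SHA", "DHE-RSA-AES128-SHA"], 1024, "sha1WithRSAEncryption")
    modern = EndpointProfile({"TLSv1.2"}, ["ECDHE-RSA-AES128-GCM-SHA256"], 0, "sha256WithRSAEncryption")
    for name, prof in (("legacy", legacy), ("modern", modern)):
        print(name, audit(prof) or ["no findings"])
```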
Of course, many businesses run older browsers for compatibility with their internal software or intranet, and in a world that still uses Windows 7 as a primary business operating system there is something you should know. All versions of Internet Explorer before version 11 do not support TLS 1.1 or 1.2, and it is typical in large enterprises to still be using IE8. MSDN has a fantastic article on enabling newer versions of TLS.
Finally, you may be wondering why any encryption system becomes obsolete. It’s really quite simple: encryption is based on complex mathematics that would take a modern computer hundreds of years to break, but the computer industry has become adept at making faster and faster processors, which can eventually break the algorithms used to encrypt data in far less time. That means stronger encryption is continually required, and that’s exactly what’s happening. As of October 2015, TLS version 1.3 was released as a working draft; this means the standard isn’t finalised but is being worked on, so you won’t see it just yet, but we will all be using it soon.
So if I’ve left you considering the high street for your shopping, fear not. The good news is that there are plenty of websites that really know their security; for example, one of the best protected websites on the internet was Amazon, a shop I know I use regularly and I’m sure you do too. Even better, if you have any doubts over the security of a website there are some great tools available, like the SSL Labs tester: you can punch in any domain and it will give you a score. For reference, Amazon scored an A- while my earlier example of Santander scored a C. From here it’s up to you: as a customer you should keep your browser up to date, and as a business you should take responsibility for looking after your customers’ security.