Why SSL Sucks

How do you make your Web site secure?  “SSL!” is the immediate response.  It’s a shame that there are so many pain points surrounding using SSL.

  • It slows things down.  On ni.com we bought a hardware SSL accelerator, but in the cloud we can’t do that.
  • Cert management.  Everyone uses loads of VIPs, so you end up needing to get wildcard certs.  But then you have to share them – we’re a big company, and don’t want to give the main wildcard cert out to multiple teams.  And you can’t get extended validation (EV) on wildcard certs.
  • UI issues.  We just tried turning SSL on for our internal wiki.  But anytime there’s any non-https included element – warnings pop up.  If there’s a form field to go to search, which isn’t https, warnings pop up.  Hell, sometimes you follow a link to a non-https page, and warnings pop up.
  • CAs.  We have an internal NI CA and try to have some NI-signed certs, but of course you have to figure out how to get them into every browser in your enterprise.
  • It’s just retardedly complicated.  For putting a cert on Apache, it’s pretty well-worn, but recently I was trying to set up encrypted replication for mySQL and OpenDS and Jesus, doing anything other than the default self signed cert is hell on earth.  “Oh is that in the right format wallet?”

The result is that SSL’s suckiness ends up driving behavior that degrades security.  People know to just “accept the exception” any time they hit a site that complains about an invalid cert.  We have decided to remove SSL from most of our internal wiki and just leave it on the login page to avoid all the UI issues.  We couldn’t secure our replication from a combination of bugs (OpenDS secure replication works, until you restart any server that is – then it’s broken permanently) and the hassle.

In general, there has been little to no usability work put into the cert/encryption area, and that is why still so few people use it.  PGPing your email is only for gearheads. Hell, you have to transform key formats to use PuTTY to log into Amazon servers using SSL.  Stop the madness.

If the world really gave a crap about encryption, then e.g. your public key could be attached to your Facebook profile and people’s mail readers could pull that in automatically to validate signatures, for instance. “Key exchange” isn’t harder than the other kinds of more-convenient information exchange that happen all the time on the Net.   And you could take a standard cert in whatever format your CA gives it to you and feed it into any software in an easy and standard way and have it start encrypting its communication.

Me to world – make it happen!

7 Comments

Filed under Security

7 responses to “Why SSL Sucks

  1. There is going to be a talk about HTTPS and its security flaws by RSnake and Josh Sokol at LASCON (http://lascon.org) which is the same talk given at BlackHat this year.

  2. Mathieu

    FYI, the OpenDS team just delivered version 2.2.1 which fixes the problem you saw (OpenDS secure replication works, until you restart any server that is – then it’s broken permanently).
    See the announcement here : https://opends.dev.java.net/servlets/ReadMsg?list=announce&msgNo=9

  3. Tom

    Hello ErnestM,
    What an interesting post. Do you have any thoughts on reusing the same certs across multiple applications? For example, Func piggybacking on Puppet’s cert management. Do you know of any best practices around this? Thanks a lot. -Tom

    • I don’t know that there’s anything set in stone. It’s similar to passwords – there are reasons to reuse them and reasons not to.

      Absolutely Don’t Reuse
      – when you have to share the cert or password with untrusted persons
      – when they need fundamentally different access
      – when it is dangerous (dev and prod being the same, for instance, creates danger of dev activity accidentally affecting prod)

      Sure, Use The Same One
      – when it’s the same kind of traffic coming from the same place (func and puppet coming from the same server to administer the same batch of servers is a good example)
      – when it’s the same category of sensitivity (all your dev systems)
      – when it’s the same people that need access to it

      Share Sometimes, Judiciously
      – anywhere in between.

  4. Bruce Friend

    Hello Ernest,

    I’m working on setting up multiple OpenDS servers located in geographicly seperate locations. They need to replicate and also need to have a hostname in common for load balancing and failover. Do you know if there is any issue with using the same cert on all of the servers. I would do this for Apache, but in this case OpenDS is using the cert for the replication. I’m seeing something about keymapping and certificate mapping but it is not very clear how it all works. Like you said, “SSL sucks!”

    • Also make sure you’re on the newest version of OpenDS because on old ones, ssl encrypted replication didn’t work and messed up your installation for good.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s