In the time it takes you to read this sentence, Americans are spending somewhere between $50,000 and $100,000 on retail online. In those mere seconds of time, few thought twice about sharing their credit card numbers with Amazon, or banking routing numbers with PayPal or social security numbers with their banks. We have the Secure Socket Layer (SSL) to thank for that.
This holiday season, we at CyLab wanted to add a little extra spark of joy by highlighting the unsung hero of online shopping (or any secure online communications scenario), the Secure Socket Layer or SSL.
CyLab’s Bryan Parno, an associate professor in the Department of Electrical and Computer Engineering and the Computer Science Department, spends his time every day researching ways to further improve the security of the modern version of SSL, known as Transport Layer Security (TLS).
What is SSL? What was its original intended purpose?
Parno: SSL stands for Secure Socket Layer, and it was originally developed by Netscape. In 1999, it was turned into a general standard and renamed TLS or Transport Layer Security. Fundamentally, it is designed to establish a secure channel between two communicating parties (e.g., you and your bank). A secure channel means that the messages remain secret and that they aren’t tampered with while they’re in transit. TLS also provides authentication, meaning that you know who it is you’re communicating with, so that you can tell if you’re talking to your bank or someone pretending to be your bank.
In general, cybersecurity is often branded as "avoiding the negative." But when people talk about SSL or TLS, they say it’s a cybersecurity innovation that enables people to do things they could never do before, which is a little different from "avoiding the negative." Do you agree?
Parno: TLS, and the technologies it relies on like public key cryptography and public key infrastructures (PKIs), are incredible innovations. They allow you to communicate securely with anyone in the world, even if you’ve never met them in person before, and even if incredibly sophisticated attackers can see and choose to alter every message you exchange. Without this core building block, much of the Internet as we know it would not be possible, as it would simply be too insecure to consider many activities we take for granted today.
Is SSL still in use today? Or has it evolved into something different altogether?
Parno: These days, almost everyone uses TLS, which is the more modern version of SSL. The standard that defines the TLS protocol continues to evolve to be more secure and more efficient, but the goals and many of the basic techniques are still roughly the same.
In what ways is TLS *not* secure? What are its weaknesses?
Parno: TLS is a protocol, i.e., a way for two pieces of software (e.g., your browser and a web server) to communicate. If that software is insecure, then the protocol can’t do much on its own. For example, if an attacker finds a bug in a web server, he can see all of the traffic you exchange with the server before it is protected by TLS. Similarly, if your computer is infected with malware, then the malware can see everything happening on your computer, including messages you send to the web server. TLS won’t protect you from that.
TLS will tell you who you are communicating with, but it relies on the human at the other end to determine if that’s who they intend to communicate with. For example, an attacker might convince you to connect to g00gle.com, and TLS will faithfully report that you now have a secure connection with g00gle.com. It’s up to the user to realize that those are zeros, not ‘O’s, and hence this is probably not the site they want to visit.
Historically, many of the earlier versions of TLS contained flaws that could allow an attacker to circumvent the security TLS is supposed to provide. The latest version of TLS, which is nearly finalized, has received extensive scrutiny, including formal mathematical verification efforts from my team and others, so we expect it to be the most secure version yet.
What would modern-day online shopping look like *without* TLS?
Parno: It’s hard to imagine modern online shopping without a protocol like TLS. If you can’t communicate securely with the shopping site, then all of the information you send or receive could be intercepted along the way. That means your username and password, the items you look at, your credit card information, everything. It’s hard to imagine people shopping online under such conditions.
What do you think the Internet would look like today without TLS?
Parno: TLS is used in every HTTPS site you visit. Every time you login to a website, it should be using TLS to protect your username and password information. When you bank online, check your medical records, pay bills, or check your stock portfolio, you’re relying on the protections provided by TLS.
Lastly, do you have any simple tips for consumers on how to keep their data safe when shopping online this year?
Parno: Generally it’s safer to use a computer you own in a trusted location, e.g., your laptop at home, rather than an Internet kiosk at the airport. Look for the lock icon and HTTPS URL in the bar at the top of your web browser. Often searching for the site you want to visit on a trusted search engine can be a more reliable way of reaching your destination than typing it in directly yourself.