tags:

views:

1180

answers:

9
+9  Q: 

How secure is SSL?

I am just wondering, how secure is SSL? As in, how much will it take to crack a password sent though SSL?

+14  A: 

Assuming everything is setup/secured properly and we're talking about 128-bit keys, significantly longer than the age of the universe.

I would note that previous cracks in SSL relied on "hole" in MD5, which caused some the method of validation to change..

I would also note, this doesn't free you from man-in-the-middle attacks, or even someone hijacking the private cert of the target company (note that private keys should be protected via a strong password though to mitigate such a risk and then the key revoked if such an event occurs). Read a high level overview on how SSL works here.

altCognito  2009-06-04 15:51:34
Onething I've wondered: in the case of a long-lasting connection (Web Service, not Web Page), could an attacker use his knowledge of the fact that certain text like "soap" is likely present in order to break the encryption more quickly? Also, does it help the hacker to know that the payload is likely to be XML? Could he assume equal numbers of "<" and ">" and keep watching to see how those are encrypted?
John Saunders  2009-06-04 15:59:41
how is a man in the middle attack executed, and how can I prevent it from happening?
Malfist  2009-06-04 15:59:56
@John Saunders, not really. Modern Encryption uses the output from the previous encryption block to feed the next block. So if "<" translated to x the first time, next time it might be y and the x and then z...you get the point.
Malfist  2009-06-04 16:04:00
John - See http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 for a visualisation of what I think you're getting at, and further down the page for the ways to combat this.
frou  2009-06-04 16:04:16
@Malfist: Thanks. And no benefit at all to the hacker if he can watch the SSL connection for a long time? The question has come up in terms of SSL maybe being more useful for securing a web site than for securing a web service, since the connection may very well remain open for weeks.
John Saunders  2009-06-04 16:05:47
@John Saunders, according to the link in altCongnito's post, secure websites regenerate the key's every few minutes to prevent the eavesdropper from getting enough data to analyze. http://www.reppep.com/~pepper/ssl/ssl1.text
Malfist  2009-06-04 16:10:32
Ssl uses a few things to protect you from man-in-the middle. DNS, you type amazon.com - you expect to get a server on an IP owned by amazon.com. Plus your browser has a list of trusted CAs (verisign, thawte, etc). Amazon will serve down a certificate signed by a trusted CA. An attacker wouldn't be able to fake a cert signed by your list of CAs. If your DNS and trusted CAs are compromised (DNS on a public wifi, someone tricking you into installing a dud CA) then man-in-the-middle is possible. http://tinisles.blogspot.com/2006/10/ssl-man-in-middle.html
russau  2009-07-28 03:40:06
+3  A: 

From the mathematical standpoint, assuming you have a proper implementation and ignoring the possibility of currently unknown side-channel attacks, or currently unknown mathematical vulnerabilities, it should take vastly longer than the age of the universe to brute force a private key.

However, side-channel attacks and other forms of attacks against the implementation are very real and need to be taken seriously. That includes things like man in the middle attacks, lousy SSL cert authorities, physical attacks to the host, etc.

whatsisname  2009-06-04 15:52:57
What 'side-channel' attacks are you talking about, and how can I protect myself from them?
Malfist  2009-06-04 16:11:07
http://en.wikipedia.org/wiki/Side-channel_attack
jkf  2009-06-04 16:26:26
+2  A: 

Depends on the key length, the algorithm and the server farm to decrypt it.

seb  2009-06-04 15:54:01
+2  A: 

Well, SSL v2 had some flaws, SSL v3 is quite secure. The time would depend on the certificate key length, and how fast are you able to decipher SHA-1 with RSA Encryption.

Quite secure I would say :)

Pere Villega  2009-06-04 15:55:12
A: 

till some bright spark sees a hole.

We thought that ssl was secure till the end of time - sorry altCognito => then recently some realised that md5 can be insecure.

Your only as secure as the crypto used to secure it and just because its is considered computational hard ie takes along time to brute force that doesnt factor for innvovation see the ps3 link.

Remember this is always thought about by humans, implemented by humans then run by computers.

Can you see the 2 issues there?

Also recently

http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html

and for a discussion on SSL3 read the experts - http://www.schneier.com/paper-ssl.html

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212700234

 2009-06-04 15:58:46
I'll assume you wrote this shortly before I tacked in the bit about md5. But it's true, about the bright sparks.
altCognito  2009-06-04 16:00:32
This is NOT a hack on SSL in the sense that secure data can now be seen. The MD5 collision issue which allowed these guys to generate a root cert is, of course, significant...but it's not in any way an attack on SSL in the sense the OP is asking about.
DarkSquid  2009-06-04 16:01:07
A: 

Provided what "we" know about certain crypto fundamentals is correct (e.g., that it's Very Difficult to factor very large numbers), modern SSL is way secure.

The realistic threat ain't that somebody is going to crack SSL -- it's a much better bet that some other way of getting at the interesting data will be found.

DarkSquid  2009-06-04 15:59:09
A: 

You mentioned "send a password" trough SSL.

Maybe the question here is how do you

  1. Protect the passwords (are the stored as hash, plaintext etc)
  2. Rate limit the login attempts (e.g. if you allow max 1 per second brute force from external sources will take a very long time)
  3. An important thing about SSL: Where and how is your private key stored (encrypted on disk, inside special non readable hardware)?

Because an often overlooked fact is that the threats from local attacks might be much higher than an attack at the cipher level.

E.g. if someone breaks into your server and obtains the private key (worst case if it is unencrypted on the disk) - with the private key it then might be possible to decrypt stored communications depending on the key exchange mechanism used.

Also as soon as someone obtains your private key it is easy to setup a server which seems to the user as there original server because it has the correct certificate.

So I guess the security of established protocols shouldn't be the first point to worry about.

Fionn  2009-06-04 16:16:04
I'm worried about sniffers on the network, transmitting a password, encrypted or not is subject to capture. I want to know how long it would be for someone who intercepted a password to decrypt it. Either by rainbow tables or whatever.
Malfist  2009-06-04 16:23:51
How long is a matter of how much money you put into it.But if you use SSL you should be on the safe side - and worry about the weaker links in the chain.If you are really interested what kind of attacks work again a given algorithm you will find cryptanalysis for every major algorithm on the web.But again if you use SSL correctly: worry about the weaker links.
Fionn  2009-06-04 16:41:39
+5  A: 

Steve Gibson explained exactly how the protocol works on a recent Security Now podcast. If you're interested in the specifics, it's definitely worth a listen.

Samir Talwar  2009-06-04 16:32:16
+4  A: 

SSLv2 had issues with MITM attacks able to cause lower quality ciphers to be negotiated. In those days this ususally included a lanudary list of "export quality" ciphers who were intentionally weak and could be feasably cracked via brute force alone.

SSLv3/TLSv1 effectivly solved the negotiation issue and soon after many of the weaker quality ciphers have since been removed from avaliability now that the export restrictions in the US were lifted and the advent of various compliance scanners.

PRF generation in SSL uses both MD5 and SHA1 in a bid to prevent the system from being compromised if one of the hash algorithms were sufficiently compromised. One avenue of attack against SSL is to sufficiently compromise both algorithms as used in the PRF function.. IIRC its just some sort of XOR of the input going through both.

Encryption ciphers are dynamically avaliable and negotiated so any analysis of the quality of encrypted sessions themselves need to take cipher selection into concideration or focus on machinary leading up to the establishment of the initial session encryption key.

(You can compromise a cipher (RSA,AES..etc) but this does not necessarily translate into SSL itself being broken)

In my view the most practical crypto attacks on SSL are side-channel attacks against specific ciphers. AES in particular is known to be vulnerable against timing attacks. These ususally require high quality low latency networks to perform (local ethernet) .. There are "blinding" facilities in many systems which simply add artifical delay to the process to mitigate the possibility of timing attacks being successful. (Basically the length of time it takes for certain sequences of code to execute can be used to recover enough information to compromise the system)

And finally my personal favorite weakness of SSL is attacks against "trustworthyness" of the system. Regardless of the algorithms/ciphers used encryption is useless without trust.

Sure you can establish a secure encrypted session but if you don't know if your talking to a legitimate person or an attacker all of that security becomes a useless paperweight.

In todays day and age we have a situation where dozens of certificate authorities are listed in virtually every browser on the planet. Under each one of those are several intermediate signing authorities operated by each of the CAs/downlines.

There have been incidents where system bugs or just plain lazy CAs and resellers have caused the system to be wide open enabling signing of certificate requests for domains that should not have been authorized.

It only takes a compromise of any one CA, intermediate, reseller...etc to effectivly compromise the entire trust anchor (effectivly planet earth). This can and has been done: sometimes accidently, sometimes intentionally. If your using IE see for yourself:

Tools-Internet Options-Certificates-Untrusted Publishers.. Oops...

There are mitigating factors: cert expiration dates, recovation lists..etc but in my opinion the trust issue remains the top vulnerability of the entire system.

A determined individual or group with good social engineering skills or automatic weapons I think are more likely than not to get any cert they want signed.

Einstein  2009-06-04 17:32:31

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL