The Origins of Web Security and the Birth of Security Socket Layer (SSL) Protocol
Cybersecurity History: Read about how Netscape began development of the SSL protocol. In 1994, Netscape had SSL version 1.0 ready, but it never made a public debut as it had several significant security flaws, which eventually led to the evolution of HTTPS based on SSL 2.0 and its successor TLS.
As people who live and breathe cybersecurity, at Exabeam we’re naturally fascinated by its history. In fact, we built a History of Cybersecurity 2019 Calendar to share our research. Each month features dates when significant events in cybersecurity occurred.
This is the second blog in a series of posts featuring information on fascinating historical events in cybersecurity. You can read the first one here. If you think we missed an important fact (or didn’t get something quite right), please let us know. You can also share your feedback with us on Twitter.
What is SSL and is it really secure?
In July of 1995, with just a few clicks, a computer programmer ordered the first book ever sold by an online bookstore named after a river in South America called the Amazon. At the time, few realized how the internet and the information space named World Wide Web would change the lives of people forever.
One of the things that made the internet revolution possible was a security protocol that allowed people to do novel things like buying books online using a secure payment. It all started when Taher Elgamal, an Egyptian cryptographer who was also the chief scientist at Netscape Communications, drove the development of the Secure Sockets Layer (SSL) internet protocol.
Web security 1.0
Netscape began development of the SSL protocol shortly after the National Center for Supercomputing Applications (NCSA) released the first web browser, Mosaic 1.0, in 1993. In 1994, Netscape had SSL version 1.0 ready, but it never made a public debut as it had several significant security flaws. These flaws included vulnerabilities to replay attacks and a weakness that allowed hackers to change users’ plaintext messages.
According to Phillip Hallam-Baker, a computer scientist well known for his contributions to internet security, the problem was that the entire foundation of SSL 1.0 was built on theory, and had never been properly tested in the real world. In 2011, he wrote, “The actual history of SSL was that SSL 1.0 was so bad that Alan Schiffman and myself broke it in ten minutes when Marc Andreessen presented it at the MIT meeting.” Andreessen is the co-author of Mosaic and also co-founder of Netscape.
However, in February of 1995 Netscape released a Version 2.0, which became the core of the language for securely using the web, called Hyper Text Transfer Protocol Secure (HTTPS). It is the secure version of HTTP, the protocol used to transmit data to and from a browser and a website. The biggest benefits of HTTPS are that all communications between your browser and a website are encrypted, and it verifies that you haven’t been redirected to a fake website, such as one attempting to steal your credentials.
Browser and the Beast
It turned out that SSL and its successor, Transport Layer Security (TLS) (or at least the early versions) are secure only in theory. These protocols were known to have flaws, but security experts thought they wouldn’t make communications vulnerable, because it seemed almost impossible to create the conditions necessary to exploit them.
Nonetheless, two accomplished security vulnerability experts, Thai Duong and Juliano Rizzo, figured out how to do it. They presented their BEAST (Browser Exploit Against SSL/TLS) in a research paper published at a 2011 conference in Argentina where they explained how an attacker can compromise SSL and TLS browser connections by exploiting a vulnerability common to both protocols. It was a tectonic event, revealing that the internet tools used by millions of people around the world were not as secure as once thought.
Despite problems like BEAST, almost a quarter century after the introduction of SSL 2.0, HTTPS (which uses TLS, the successor to SSL) still powers the world’s web browsing, online commerce, and much more. Increasingly, it is used even for web browsing that doesn’t involve the need for secure communication or secure payment.
So, when you log onto websites these days, you will increasingly see a URL that starts with https://. This is partly because with the ever-expanding use of fake websites for various nefarious purposes, the https:// shows the browser user that they have reached a legitimate website. This is because establishing a secure connection between a browser and a web server requires the website owner to apply for a TLS/SSL certificate. These certificates are issued by trusted third parties called Certificate Authorities.
The ability to trust the validity of certificates makes it possible to authenticate the identity of computer systems, data, and websites by connecting pairs of security keys. The process involves a public and a private key used to validate the identity of the website or email originator. In short, anyone can access a public key, which is used to encrypt the data. The private key, which is the confidential property of the owner, is used to decrypt the data. Secure websites also utilize these certificates to validate their identities.
However, even with the current versions of SSL and TLS, there are still security risks related to certificates, including:
- Weak RSA Key Length Attacks – SSL certificates signed using RSA keys less than 2048 bits are considered weak; with the advances in computing power, they are increasingly vulnerable to being broken within a short period of time.
- Improperly Signed SSL Certificates – Certificates should be signed by a valid Certificate Authority.
- Untrusted Certificate Attacks – Untrusted certificates can be used by hackers to access private communications.
- Expired Certificates Attacks – Similar to untrusted certificates, hackers use expired certificates to break the security of communications between users and websites.
- Weak Hashing Algorithm Attacks – A hashing algorithm provides a certificate with a digital signature that ensures its contents have not been altered. Some hashing algorithms have been broken, which can lead to attacks using fraudulent certificates.
Additionally, in recent years a series of attacks took place against Certificate Authorities, resulting in the issuance of many rogue certificates, which put the whole trust-based security of SSL and TLS-based security at risk.
Click here for more information and trivia from the Exabeam History of Cybersecurity 2019 Calendar.
Consider yourself a cybersecurity history buff? Share your feedback with us on Twitter!