Has SSL Outlived its Usefulness? (Which it never really had…)

You know, at some point we should really re-evaluate the use of SSL in our Web architectures. Let’s face it, it hasn’t really done much for us:

1) Users read way too much into its functional value.

2) The threat model for sensitive Web data has never been one of sniffing traffic. There are still way too many accessible websites for this to be the case.

3) If you are going to compromise some device, you might as well compromise the host and not some intermediate device.

4) The bad guys are now leveraging SSL more and more to shield their activities from good guy sniffers.

Sure, it is needed nowadays for basic authentication protection, but we really shouldn’t be using userid/password pairs in clear text anyway.

5 comments for “Has SSL Outlived its Usefulness? (Which it never really had…)”

  1. March 25, 2007 at 12:47 pm

    On point 4, I think it’s also worth discussing how SSL is being used by malware. A valid cert does nothing but validate who someone is, it doesn’t (at least without human intervention) decide if you should trust the person or host. Getting a valid cert is not hard and therefore installing malware over SSL and avoiding the spyware sniffers is also becoming more common.

  2. Pete
    March 25, 2007 at 1:48 pm

    @Mark – thanks for the clarification. So, does that mean you agree with me?

  3. March 26, 2007 at 12:41 am

    1) Agreed
    2) Might the model shift without SSL?
    3) Kinda confused there (not hard to do with me).
    4) If you are going to have ISPs block it, then I can maybe see your argument. But if not, taking it away from the good guys does not keep bad guys from using it.

  4. March 26, 2007 at 10:56 pm

    SSL == Useless

    Pete Lindstrom posted over on the Spire Security Viewpoint asking, and answering, the question Has SSL Outlived its Usefulness. He made the following four statements:
    1) Users read way too much into its functional value.
    2) The thr…

  5. March 27, 2007 at 9:28 pm

    Circling Back Around on SSL

    There’s been some constructive feedback out there on my points about SSL. Practically speaking, it doesn’t matter whether SSL is protecting us or not since auditors and regulators typically expect it. Therefore, it doesn’t really matter what we (I) thi…
