Breaches Raise Questions about SSL Security

Posted: September 1, 2011 in Industry Commentary, Rethink Remote Access, SSL

The recent breach at Dutch digital certificate authority DigiNotar is just the latest in series of troubling SSL hacks. Earlier this year, Comodo alerted its customers to a serious SSL breach that impacted nine Web domains, including Google and Yahoo. Now with details emerging about the attack on DigiNotar’s SSL and EV-SSL CA system, we think it’s time to take a closer look at SSL security.

In fact, in July NCP engineering* released a whitepaper, “Debunking the Myths of SSL VPN Security,” that takes on this very topic. Using this whitepaper as a guide, VPN Haus is launching a multi-part series that asks: why do so many high-profile breaches occur using SSL VPN? Do users simply not implement the technology correctly? Or does SSL fall short of the marketing hype? We’ll dig for these answers by exploring the following SSL VPN myths:

Myth 1: Using trusted certificates from a certificate authority (CA) is airtight.

Myth 2: One-way certificate authentication of a SOA web service is secure because it uses HTTPS.

Myth 3: Online banking via SSL session is secure.

Myth 4: Java Authentication and Authorization Services (JAAS) framework handles all protocols and mechanisms in a secure manner.

Myth 5: Two-way certificate exchange between a SOA web service and a client can always be trusted.

Myth 6: RSA SecurID provides a secure connection.

Myth 7: Thick-client SSL VPNs are more secure than thin-client SSL VPNs.

Myth 8: Security is the responsibility of a specialist department.

Moreover, Myth 1 deals head-on with the issue Comodo, and now DigiNotar, faced with fraudulent certificates. More on that soon. But for now, we invite you to weigh in with your thoughts as we take a deep dive into the murky waters of SSL, in hopes of eliminating confusion, providing greater clarity, and ultimately, peace of mind on SSL and security.

*NCP engineering manages VPN Haus

Comments
  1. […] from a certificate authority (CA) is airtight” that got DigiNotar and Comodo into some hot water this year. Because in reality, certificates – even those from a CA– are certainly not […]

  2. […] our series on SSL Myths, today we deal with the security of SOA web services.  SOA’s simplicity lies in its use of […]

  3. […] SSL myth in our series deals with two-way certificate exchanges between a SOA web service and a client. We’ve […]

  4. […] SSL myth in our series deals with two-way certificate exchanges between a SOA web service and a client. We’ve […]

  5. […] SSL myth in our series deals with two-way certificate exchanges between a SOA web service and a client. We’ve already […]

  6. […] SSL myth tackles the topic of RSA SecurID. The prevailing myth is that RSA SecurID provides a secure […]

  7. […] Today’s myth is about the security of thick-client SSL VPNs. Some believe that thick-client SSL VPNs are more secure than thin-client ones, but this is actually untrue. Thick client is defined as an application client that processes data in addition to rendering. An example of a thick client application can be a Visual Basic, JAVA or VB.NET application that communicates with a database. And as you might already know, all of these are vulnerable to security gaps. […]

  8. […] the final myth in our series isn’t just about SSL – it’s about security. The prevailing attitude at organizations – no […]

  9. […] of how this combination is dismantled as a security model are explained in Myth 3 and Myth 6 in our series on debunking SSL myths. Suffice it to say that Skype is not nearly as secure as people think. As we saw in Myth 5, the […]

  10. […] posting our series on SSL myths, some people have asked how these SSL vulnerabilities apply to mobile phones. While mobile phones […]

  11. […] It Is” that explores the inherent flaws of SSL VPN. The reality is, SSL has been buoyed by a staggering number of myths and security assurances promised by vendors and assumed as safe by VPN users. But in fact, high […]
