Security Scoring your Bank

Most of us use some form of online banking, whether it is simply viewing a monthly statement or paying a bill online. We entrust the banks with financial transactions and personal data. But how do we know that "secure" really is secure?

The first check any user should make when visiting a site they expect to be secure is whether the site is using the Secure Sockets Layer (SSL) protocol. SSL is a cryptographic protocol that provides secure communications on the Internet; in simple terms, it keeps your data private! Any modern browser will display a green padlock symbol within the address bar. A few examples:

Chrome: [screenshot "chrom-ssl", the padlock icon in the Chrome address bar]

Internet Explorer: [screenshot "ie-ssl", the padlock icon in the Internet Explorer address bar]

Firefox: [screenshot "firefox-ssl", the padlock icon in the Firefox address bar]

As you can see, the presentation of the padlock icon differs slightly within each browser, but the message remains the same! Do not trust any site without the padlock icon if you expect it to be secure. Submitting personal data such as a username and password on a non-SSL site results in your data being sent to the destination in plain text. Thus, anyone monitoring your connection can see your username and password.

SSL-capable sites operate by using a signed certificate. It is this certificate that the browser detects and verifies before displaying the padlock icon. Each certificate is purchased from a certificate authority (CA). These vendors offer different options when purchasing a certificate: there are normal SSL certificates and Extended Validation (EV) certificates. Certificates issued with the EV option are not structurally different from normal certificates, and they offer no stronger cryptography. What EV does mean is that the certificate owner has chosen to undergo more rigorous vetting to prove their real identity. This validation is what any competent bank would do, and the reward for doing so is that browsers display the name of the validated identity, e.g.

[screenshot "EV cert", the validated organisation name shown in the address bar]

That's the basics of understanding SSL. However, there are different cryptographic standards available when creating a certificate and configuring a server. As time goes by the crypto technology improves, so a certificate purchased a few years ago may not be using the same cipher as one bought today. In some cases certain ciphers have been superseded. Some have even been proved to have weaknesses, meaning they can be attacked in theory, and in certain scenarios these weaknesses are being exploited in practice, rendering the ciphers useless. What can we deduce from this? The padlock symbol is not a guarantee that your data is safe. To make sure any SSL connection you use is secure and not susceptible to any known weakness, we really need to know which ciphers the server accepts. This is a painful task if done manually: no one has the time to check the cipher used by every SSL site, and the task implies you already know which ciphers are strong and which are weak. There is no need to panic! SSL Labs provides the ability to scan SSL-capable sites. This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet, and the results are graded A to F.

Returning to the bank scenario, we'll take a look at the grade SSL Labs gives to some of the biggest banks operating in the UK:

Santander: [screenshot of the SSL Labs result]

Natwest: [screenshot of the SSL Labs result]

Lloyds TSB: [screenshot of the SSL Labs result]

Halifax: [screenshot of the SSL Labs result]

Barclays: [screenshot of the SSL Labs result]

An interesting set of results, which show that not all banks' SSL security is equal! In fact, some are susceptible to the BEAST attack. Short for Browser Exploit Against SSL/TLS, BEAST is an exploit that leverages weaknesses in cipher block chaining (CBC) mode to attack the SSL/TLS protocol. The vulnerability can enable man-in-the-middle attacks against SSL! Yikes! Would you expect banks to be susceptible to this?
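As an added example (not code from the original post), here is a small Python check that connects to a host, reads the protocol and cipher suite the server negotiated, and grades the pair with a simplified rule set modelled on the concerns above: obsolete protocol versions, weak primitives, and CBC suites on TLS 1.0 (the BEAST-affected combination). The grading thresholds are the example's own assumption, not SSL Labs' methodology, and `grade_cipher` is a hypothetical helper that can be tested offline on constructed suite names.

```python
import socket
import ssl

# Substrings of OpenSSL-style suite names that indicate a weak primitive.
# Assumption: this list is a simplification for illustration, not exhaustive.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon", "ADH", "AECDH")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
OLD_PROTOCOLS = ("SSLv2", "SSLv3")
BEAST_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.0")


def grade_cipher(cipher_name, protocol):
    """Return (grade, reasons) for one negotiated suite under one protocol."""
    reasons = []
    if protocol in OLD_PROTOCOLS:
        reasons.append(f"{protocol} is obsolete")
    for marker in WEAK_MARKERS:
        if marker in cipher_name:
            reasons.append(f"cipher uses weak primitive {marker}")
    # OpenSSL names rarely spell out "CBC": anything that is neither an AEAD
    # suite nor the RC4 stream cipher is a CBC-mode suite.
    is_cbc = "RC4" not in cipher_name and not any(
        m in cipher_name for m in AEAD_MARKERS)
    if reasons:
        return "F", reasons
    if is_cbc and protocol in BEAST_PROTOCOLS:
        return "C", ["CBC suite on TLS 1.0 or older (BEAST-affected)"]
    if is_cbc:
        return "B", ["CBC suite; prefer an AEAD suite such as AES-GCM"]
    return "A", ["AEAD suite on a current protocol"]


def probe(host, port=443, timeout=10):
    """Connect to host and grade the protocol/cipher this client negotiated."""
    ctx = ssl.create_default_context()  # verifies the certificate chain
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            grade, reasons = grade_cipher(name, version)
            return {"host": host, "protocol": version, "cipher": name,
                    "grade": grade, "reasons": reasons}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(probe(target))
```

Note that `probe` only sees the single suite this client negotiated; a scanner such as SSL Labs enumerates every suite and protocol the server will accept, which is why its grade can be lower than what one connection suggests.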

The take-home from this is that it is easy to buy an SSL certificate! All you need is a registered domain. It is a little harder to obtain an EV certificate; however, with or without EV, having an SSL connection doesn't necessarily mean your communication channel is secure. If your data is important and the site you are connecting to has anything less than an A grade, then you should inform them! Modifying a server's SSL setup is trivial, and most competent computer technicians will fix any issue with ease.
