SSL certificates today are the norm for safe transactions. E-commerce websites use SSL to protect credit card information when shoppers check out their cart an pay. SSL is also used in different other domains such as network layer access control; IEEE 802.11i uses SSL (EAP-TLS, EAP-TTLS, EAP-PEAP) for authenticating wireless clients. Most remote access services with VPN (Virtual Private Networks) use SSL for authentication and protection of the remote access session. However, SSL has also disadvantages often overlooked by IT administrators. This article tries to clarify why SSL is not always the perfect tool for your network security needs.

Any technology has its advantages and disadvantages, and SSL is no exception. One needs to understand and assume security and other issues related to SSL before using it. Some of the issues which will be discussed below could be against security policy of several organizations, however, the popuarity of SSL causes many IT managers to adopt SSL without considering the related issues. These are three reasons why SSL may not be good for you.

The Certificate Authority (CA) which delivered your SSL certificate has all what is needed to impersonate your serves. This allows the CA for example to perform MiTM attacks that would allow it to obtain user credentials. Spying and infiltration is a tool for unethical organizations and government agencies that becomes more and more in demand as competition increases. Most CAs will make you sign an agreement that protects them from any legal pursuit. Some offer insurance (about 100.000$) in case of a security incident in which the certificate was the root cause. So if your organization does not trust external entities and does not want to gamble with sensitive data, then you need to look for something other than SSL certificates delivered by the popular CAs.

One may thik 'Ok, then I should be my own CA, use available tools like openssl and make my own certificates'. Sure, you can be your own CA and sign your own certificates. However, with self signed certificates, users will have to install the organization's root certificate in their machines in order to be able to verify the server certificates when they use network services. The procedure for importing a certificate depends on the operating system and the software in use. It may be complicated for certain users and can become a source of complaints and increased support requests. Installing certificates on client machines is not required if the organization is using certificates provided by a known CA because these CA's root certificates are pre-installed in most operating systems. So, to conclude, if you do not want to trust a well known CA and you have thousands of users, you probably better off looking for other alternatives.

SSL is a heavy consumer of CPU processing power. The stronger the key the more processing power is needed to perform public key operations. You can test the performance of your system by issuing the following command

openssl speed rsa1024

For a Dual Core 2.6GHz with 2GB of RAM running linux, the performance results are as follows :

sign/second      524.5 
verify/second    11860.0

Small devices suffer the most with regard to performance. A 16bit CPU (the H8/3048) at 16GHz and 512KB or RAM takes about 1 second for a single encryption/signature operation and 100ms for decryption operations.

If your devices are not PCs (appliances, sensors, etc..), or if your servers, while having modest performance, are subjected to large amount of public key cryptography, then you probably need to look for other alternatives than SSL.

It is always good to investigate the suitability of any technology for your organization. Each organization has different security policy. The popularity of a technology does not make it safe or good for us by default. There are certainly more points to examine with regard to SSL than the ones raised above. If SSL is not suitable for you, rest assured that there is always a solution. It is always a question of trade-off when it comes to choosing.

Labels: security