Is SSL Secure enough? (Part 1 of 3)
Patrick McCanna here. I’ve been asked to write a series of blog posts on building secure mobile applications. If you can withstand my writing style, you will find these posts both helpful & entertaining.
Let’s start with two observations.
- Developers love to party.
- Security nerds love to party.
What happens when these two communities mingle?
The Ultimate Question gets answered!
“If I use SSL, is my mobile application secure enough?”
This question is easy to answer (spoiler: no), but that answer is not helpful without some background discussion (spoiler: it depends). It’s hard to talk about security at a party. It’s usually really loud at parties, and this security nerd has pretty bad hearing. “We need to do this somewhere quiet and more serious.” You object. “Let me give you a URL to read later.”
It is the next day.
You are staring at this web page.
If I use SSL, is my mobile application secure enough?
Let’s first deconstruct the concept of “security” so that we can decide whether we are doing enough of it. Before we can measure “enough”, we need to agree on what security means.
Security professionals define the scope of security problems to be anything that affects the Confidentiality, Integrity or Availability of a system. This is typically referred to as the “CIA Triad”.
Confidentiality is defined as “the state of being secret.” The goal of Confidentiality is to keep data from being disclosed to anyone who is not authorized to see it.
Integrity means that data cannot be modified without authorization. The goal of Integrity is to make sure that data cannot be tampered with, or at least that tampering is detected. This goal extends to a more demanding objective: we want the system to be resilient against tampering that would maliciously alter the program’s execution.
Availability means that the system must be able to deliver its service or data without interruption. The goal of Availability is to make sure that the solution is usable whenever it needs to be accessible.
Any discussion about the security of an application must evaluate the solution in the context of all Confidentiality, Integrity & Availability objectives. Let’s modify our original question to reflect this new knowledge. Instead of:
“If I use SSL, is my mobile application ‘secure’ enough?”
We could ask
“If I use SSL, does my mobile application have adequate controls to ensure the confidentiality, integrity & availability of the solution?”
We now have a clearer statement of our question, and it helps us better understand our goals. It is now easier to evaluate whether SSL provides us with “enough” of what we need!
SSL (its current versions are called TLS, but this post keeps the older name) is a protocol that can do a few Important Things:
- It can use X.509 certificates to authenticate the client (this part is optional in the protocol)
- It can use X.509 certificates to authenticate the server
- It can encrypt and integrity-protect (with a MAC or an authenticated cipher, not a signature) the data transported between the authenticated client and server, so that tampering in transit is detected rather than silently accepted.
SSL can provide you with Confidentiality and Integrity for data in transit, but only if it is implemented correctly. For a mobile client that means the app must check that the server’s certificate chains to a root it trusts, check that the certificate matches the host name it meant to reach, and refuse the connection when either check fails. A client that accepts any certificate still encrypts, but it may be encrypting to an attacker sitting on the network path. It is also important to understand that even a correct implementation only provides Integrity and Confidentiality for your application’s data in transit. It does not provide Integrity or Confidentiality controls for your application, or its stored data, on a server or on a mobile device.
Your solution must be evaluated for correctness. The simple answer to the original question is “No.” You can’t turn on SSL and be protected from all attacks. SSL also provides no significant Availability features; an attacker who cuts the network or floods the server is untouched by it. That gap may or may not matter, which is why we need to look at the whole application to assess our needs. Consequently the nuanced answer to the “is our application secure enough?” question is “It depends.”
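To make “implemented correctly” concrete, here are the two client configurations that caveat is about, side by side. This is an added example, not code from the original post, and it uses only Python’s standard-library ssl module; the host name api.example.com is a placeholder and nothing connects to it unless you call fetch_peer_subject() yourself. The first context is the “make the self-signed dev certificate work” shortcut that ships in far too many apps; the second is what a verifying client looks like; audit_context() reports the ways a context fails to authenticate the server.

```python
"""Insecure vs. hardened TLS client contexts, and an audit of each.

Added example for the "is SSL enough?" discussion; not the original post's code.
Standard library only. EXAMPLE_HOST is a placeholder (assumption, never contacted
by default).
"""
import socket
import ssl
from typing import List, Optional

EXAMPLE_HOST = "api.example.com"  # placeholder, not a real endpoint of the post


def insecure_client_context() -> ssl.SSLContext:
    """The shortcut that 'makes the self-signed certificate work'.

    Any certificate is accepted and it is never compared against the host name,
    so whoever sits on the network path can present their own certificate and
    read or modify the traffic. Encryption still happens, but with the wrong party.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept anything the server sends
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What 'implemented correctly' means on the client side.

    create_default_context() requires a certificate chaining to a trusted root
    (the platform store, or the bundle you pass in) and matches it against the
    host name. The minimum protocol version is pinned to TLS 1.2 explicitly.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways this context fails to authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def fetch_peer_subject(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Open a connection with ctx and return the server certificate's subject.

    With hardened_client_context() this raises ssl.SSLCertVerificationError when
    the chain or the host name does not check out. With insecure_client_context()
    it returns {} because an unverified certificate is not even retained
    (getpeercert() is empty under CERT_NONE), which is a handy way to spot the
    shortcut at runtime.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return dict(rdn[0] for rdn in cert.get("subject", ()))


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

The audit deliberately checks the context object rather than a live connection: a code review or a unit test can run it without network access, and it catches the configuration that makes the certificate checks silently disappear. The same three questions (is the chain verified, is the host name matched, is an old protocol version still allowed) apply to whatever TLS API a mobile platform gives you.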
In the next post, we’ll talk about “It depends”, focusing mostly on the current state of the art in attacks against SSL. In the post after that, we’ll talk about how to build “secure” applications that use SSL.
Patrick McCanna is a Lead Member of Technical Staff in the Chief Security Office at AT&T. He advocates security in AT&T mobility Device, Service & Network offerings. He has a B.S. in Computer Science with a Math minor from Linfield College. He has worked in the security industry for 12 years and the mobility industry for 6 years. Patrick has delivered presentations on mobile security on Capitol Hill and at RSA, Bluehat and VON.