Monday, February 8, 2010

How to Render SSL Useless

This is the title of a recent talk from Ivan Ristic of SSL Labs on common mistakes in the deployment of SSL. This talk expands upon his SSL Threat Model that I posted about a few months ago. The main deployment mistakes Ristic sees for SSL are:
  • Self-signed certificates
  • Own CA certificates
  • Mixing SSL and plain-text
  • Not using secure cookies
  • Using incomplete certificates
  • Not using EV certificates
  • Not using SSL
  • Mixed page content
  • Different sites on 80 and 443
  • Using SSL for “important” bits only
  • Inconsistent DNS configuration
This is a great presentation which really gets to the heart of why SSL security has lately been the focus of much attention.
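Several of the mistakes in that list can be spotted by looking at a single HTTP response. The following Python audit is an added example (it is not code from Ristic's talk or from this post) that checks a captured response for three of them: cookies set over SSL without the Secure attribute, mixed page content (plain-text scripts, images or frames loaded into an SSL page), and mixing SSL with plain text (a form, or a password field, that ends up submitted over plain HTTP). The responses, hostnames and cookie values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpResponse:
    """A captured HTTP response: the URL it was fetched from, its headers
    (repeated Set-Cookie headers allowed) and the HTML body."""
    url: str
    headers: List[Tuple[str, str]]
    body: str


# Active resources loaded from an explicit http:// URL (mixed content).
PLAINTEXT_SRC_RE = re.compile(
    r'<(?:script|img|iframe)\b[^>]*?\bsrc\s*=\s*["\']?(http://[^"\'\s>]+)', re.I)
# Form submission targets, whatever the scheme.
FORM_ACTION_RE = re.compile(r'<form\b[^>]*?\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Any password field on the page.
PASSWORD_FIELD_RE = re.compile(r'<input\b[^>]*?\btype\s*=\s*["\']?password', re.I)


def _resolves_to_plaintext(action: str, page_is_https: bool) -> bool:
    """A form posts over plain text if its action is an explicit http:// URL,
    or if it is relative and the page itself was served over plain HTTP."""
    target = action.lower()
    if target.startswith("http://"):
        return True
    if target.startswith("https://"):
        return False
    return not page_is_https  # relative action inherits the page's scheme


def audit(resp: HttpResponse) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the SSL deployment mistakes this
    audit can detect from one response. An empty list means nothing found."""
    findings = []
    is_https = resp.url.lower().startswith("https://")

    # Cookies set over SSL must carry the Secure attribute, otherwise the
    # browser will also send them over any plain-text request to the host.
    for name, value in resp.headers:
        if name.lower() == "set-cookie" and is_https:
            attributes = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attributes:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(("insecure-cookie", cookie_name))

    # Mixed content: active resources pulled over plain HTTP into an SSL page.
    if is_https:
        for url in PLAINTEXT_SRC_RE.findall(resp.body):
            findings.append(("mixed-content", url))

    # Mixing SSL and plain text: a form whose submission leaves SSL.
    for action in FORM_ACTION_RE.findall(resp.body):
        if _resolves_to_plaintext(action, is_https):
            findings.append(("plaintext-form-post", action))

    # Not using SSL at all where it matters: a password field on a plain page.
    if not is_https and PASSWORD_FIELD_RE.search(resp.body):
        findings.append(("password-over-plaintext", resp.url))

    return findings


# Constructed sample responses (hostnames and values are made up).
LOGIN_OVER_TLS = HttpResponse(
    url="https://shop.example/login",
    headers=[
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),        # missing Secure
        ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),   # fine
    ],
    body='<html><head><script src="http://cdn.example/analytics.js"></script></head>'
         '<body><form action="http://shop.example/do-login" method="post">'
         '<input type="text" name="user"><input type="password" name="pw"></form>'
         '<img src="https://shop.example/logo.png"></body></html>',
)

PLAIN_LOGIN = HttpResponse(
    url="http://shop.example/login",
    headers=[("Content-Type", "text/html")],
    body='<form action="/do-login" method="post"><input type="password" name="pw"></form>',
)

CLEAN = HttpResponse(
    url="https://shop.example/account",
    headers=[("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")],
    body='<script src="https://shop.example/app.js"></script>'
         '<form action="https://shop.example/update" method="post"></form>',
)

if __name__ == "__main__":
    for sample in (LOGIN_OVER_TLS, PLAIN_LOGIN, CLEAN):
        print(sample.url)
        for finding, detail in audit(sample) or [("ok", "no findings")]:
            print(f"  {finding}: {detail}")
```

The checks are deliberately conservative: a relative form action is only flagged when the page itself arrived over plain HTTP, and only explicit `http://` sources count as mixed content, so the audit reports what the response proves rather than guessing. Feeding it real responses would just mean filling in `HttpResponse` from whatever HTTP client captured them.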

(via SSL Shopper)
