
Time for me to finally get a rant off my chest, after having once again seen this appear …

Have you ever been concerned about the privacy or security of a website and read their policies, only to find statements like these: “we use military grade encryption” or “we use the same encryption banks do”? Despite the reassuring boldness of the statements, they mean next to nothing and amount to weasel words.

They’re simply talking about a technology called Secure Sockets Layer – or “SSL” for short (its modern successor is named TLS, but nearly everyone still calls it SSL). SSL has been around a long time, and is the accepted standard for encrypting network communications. It is, generally speaking, a solid technology that really does do quite a bit to protect your data while it’s travelling over the internet. Do banks use it? Absolutely. Do military organizations? Absolutely. Does it make a computer system secure? Absolutely NOT!

It’s important to understand what Secure Sockets Layer does and doesn’t do, and how this all relates to computer security as a whole. Secure Sockets Layer is an encryption protocol that can be put to many uses. The most common by far, however, is to encrypt web traffic so that it can’t be read by eavesdroppers. In fact, any time your browser is pointing at a web address that starts with httpS:// (emphasis on the S), you’re using SSL with that website.

As an example, let’s say you’re on a shared network (like in a hotel or cafe) with strangers on the network. Whether you realize it or not, they can likely see all the traffic going between your computer and other computers (this used to be trivial for anyone to do; with more mature network technology these days it can take a little more effort, but it is still a huge security concern). If you visit a website without the S – just the regular http:// – then the browser is sending information to and from the website unencrypted, and anyone on that hotel network or in the cafe could potentially eavesdrop on it. With SSL, however, the traffic is encrypted and reasonably protected from eavesdropping. In fact, when properly implemented, SSL can even help you be sure that the website you’re communicating with is the website you expected it to be (and not, say, an imposter website pretending to be your bank), because the browser checks the site’s certificate against a list of trusted certificate authorities.

Now SSL is an encryption technology, but not all encryption is created equal. There are different encryption algorithms (ciphers) and different key sizes, and these keep changing and maturing to reflect growing needs. The protocol itself also has different versions: SSL 2.0, SSL 3.0, and its successor TLS (Transport Layer Security), which most people still loosely call SSL. When a marketing weasel says they use “military grade” or “bank grade” encryption, they’re saying that they use a current version of the protocol with strong ciphers and large keys – just like the big boys do. And that’s a 100% truthful statement.

The reason they are weasel statements, however, is that what I’ve just described is everything SSL does. Don’t get me wrong; it’s a fundamental security requirement, but it’s NOT the ONLY fundamental security requirement – the fact that a website uses SSL means next to nothing by itself. Let’s look at some things SSL doesn’t do:

a) It doesn’t protect your data sitting on their server. It only protects it from eavesdropping while it’s in transit to and from the server.

b) It doesn’t prevent your information from being displayed to other users due to a programming error.

c) It doesn’t protect your data from an outside attack against the web application or web server.

d) It doesn’t help if the company has a “bad egg” working inside it.

e) It doesn’t ensure the company routinely patches their systems, routinely tests their systems, etc.

f) It doesn’t ensure that the company follows best practices for disposing of hard drives. All the SSL in the world doesn’t help if they dump their old hard drives – with your data on them – in the trash.

g) It doesn’t ensure they have any access controls on their systems, that they have strong password policies, that they run antivirus (and that it’s updated!), or that they have solid backups in place to prevent data loss.

h) It doesn’t ensure that your data isn’t housed overseas.
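As an added illustration of point (b) – this is example code written for this page, not anything from the original post or from any site it rants about – here is a tiny account lookup containing the kind of programming error that hands one customer’s record to another, beside the corrected version. The account names, IDs and figures are constructed for the example, and the function names are my own. Nothing in it depends on the transport: the leak happens identically whether the request arrived over http:// or https://.

```python
"""Illustration (not from the original post): a minimal account lookup that
leaks one customer's record to another through a programming error, beside
a corrected version. The transport is irrelevant: the bug behaves the same
whether the request arrived over http:// or https://, which is exactly why
"we use SSL" says nothing about it.

All names, IDs and figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str        # username that owns this record
    net_worth: int    # constructed figure, in dollars


# Constructed sample data standing in for the application's database.
ACCOUNTS = {
    1001: Account(1001, "alice", 250_000),
    1002: Account(1002, "bob", 1_750_000),
}


def lookup_account_insecure(account_id: int, session_user: str) -> Optional[Account]:
    """Buggy handler: trusts the account_id taken from the request and never
    checks that the logged-in user owns it. Any authenticated user can read
    any record by changing the number in the URL (an insecure direct object
    reference). TLS encrypts this request and response perfectly well and
    does nothing to stop the leak. session_user is deliberately ignored."""
    return ACCOUNTS.get(account_id)


def lookup_account_secure(account_id: int, session_user: str) -> Optional[Account]:
    """Corrected handler: the record is returned only if it belongs to the
    caller's authenticated session. Non-existent and foreign records are
    treated identically, so the response does not reveal which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record.owner != session_user:
        return None
    return record


def demo() -> dict:
    """Run both handlers as the logged-in user 'alice', asking for Bob's
    record (1002) and for her own (1001)."""
    return {
        "insecure_foreign": lookup_account_insecure(1002, "alice"),
        "secure_foreign": lookup_account_secure(1002, "alice"),
        "secure_own": lookup_account_secure(1001, "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the insecure handler returns Bob’s record to Alice while the corrected one returns nothing for the foreign ID and only Alice’s own record for hers. Put the strongest cipher suite you like under it and the output does not change, which is the whole point of the list above: the authorization check is the application’s job, and no amount of encryption on the wire does it for you.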

Are you starting to get the picture? Oh, and by the way, I have witnessed every one of the above scenarios result in a breach – these aren’t fictional.

Computer and network security is a vast, complex and difficult challenge, as proven by the countless organizations – big and small, technology and non-technology companies alike – that get breached. Banks and governmental organizations spend millions to billions of dollars a year on it; it’s regulated by reams and reams of formal policy, technical guidelines and heaping spoonfuls of technical expertise … and the use of SSL is just one small checkbox amongst many standards, practices and ongoing operations.

For a company to state “we use military grade encryption” as their sole security assertion is not only laughable, but insulting to one’s intelligence.   And with that, my rant is done 🙂


Comments on: “We use military grade encryption” (3)

  1. Michael Burnstein said:

    Matt,

    I just ran across this article and found it very helpful. Thank you. I see it’s from 2011 and so presumably there have been some changes, but I’m guessing the basic message is still the same. I’m developing a web application that will hold confidential (but not really useful) information. Information about a client’s net worth will be there, but not social security numbers or account numbers. I want “bank grade” security or better, but I also need to be sure I’m covering the other bases too. Any suggestions on who can help me be sure I get this right?

    Michael Burnstein
    Michael@burnstein.com
    San Francisco, CA

  2. Matt, Excellent article.

    What would you suggest as an honest phrase that represents that you are taking security seriously, and that you are addressing the list you presented here? I am trying to use a phrase that represents that, but is not marketing BS.
