
Risk 101: SSL Key Indicator in Security Effectiveness

Oren Falkowitz | March 18, 2014

This post is part of the Risk 101 series.


Our use of the Internet can be characterized as a state of constant data exchange. While much of the exchange between users and machines is passive, as when we read a page or click from one to the next, increasingly we need to exchange private or sensitive data. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) have become the de facto standard for encrypted and authenticated communication across the Internet.

SSL / TLS are cryptographic protocols, built into web browsers, e-mail clients and much other software, that prevent eavesdropping and tampering when we send PINs, credit card numbers, personal data, and other confidential information across the Internet.

You are probably aware of SSL / TLS when you see "https:" at the start of a URL or a lock icon in the address bar, the browser's visual cue that the connection is protected.

Figure: SSL in the browser address bar

However, you have likely never considered how SSL / TLS is actually deployed. Deployment looks simple, but it has many common pitfalls that pose serious risk to the secure transfer of data across the web, and how well an organization avoids them is a key indicator of its security effectiveness. Risks in SSL / TLS deployment include:

  1. Weak encryption: obsolete cipher suites or short keys
  2. Certificates bought from untrustworthy vendors, and incomplete or misconfigured certificate chains
  3. Using SSL 3.0 or earlier instead of TLS 1.0 or later
  4. Incomplete deployment across the breadth of a website or application

Ivan Ristić, the founder of SSL Labs, details best practices for SSL / TLS deployment.
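The four pitfalls above can be checked from the client side. The script below is an added example, not BitSight's or SSL Labs' code: observe() completes a handshake with a host and records the negotiated protocol, the cipher suite and whether the certificate chain and hostname verified against the system CA store; _probe_plain_http() checks whether port 80 redirects to HTTPS, used here as a stand-in for the "breadth of deployment" risk; and assess() maps one observation onto the four risks. The thresholds are this example's own assumptions: anything below TLS 1.2 is treated as legacy, which is stricter than the 2014 list because TLS 1.0 and 1.1 have since been deprecated (RFC 8996), and symmetric keys under 128 bits or RC4 / DES / NULL / export / MD5 suites count as weak encryption. The default target example.com is just a placeholder.

```python
"""Probe an HTTPS endpoint for the four SSL/TLS pitfalls listed above.

Added example, not BitSight's or SSL Labs' code. Thresholds are assumptions
of this example (see the constants below), not anyone's published grading.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_SYMMETRIC_BITS = 128                                   # assumption
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # assumption
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")   # assumption: below TLS 1.2
REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class TlsObservation:
    host: str
    protocol: str                # from SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str                  # OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cipher_bits: int             # symmetric key size from SSLSocket.cipher()
    cert_valid_for_host: bool    # chain built to a system CA and hostname matched
    http_redirects_to_https: Optional[bool]  # None when port 80 did not answer at all


def assess(obs: TlsObservation) -> List[str]:
    """Map one observation onto the four pitfalls; an empty list means none found."""
    findings: List[str] = []
    # 1. Strength of encryption
    weak_name = any(m in obs.cipher.upper() for m in WEAK_CIPHER_MARKERS)
    if obs.cipher_bits < MIN_SYMMETRIC_BITS or weak_name:
        findings.append(f"weak cipher suite negotiated: {obs.cipher} ({obs.cipher_bits}-bit)")
    # 2. Certificate vendor and chain
    if not obs.cert_valid_for_host:
        findings.append("certificate chain or hostname failed verification against system CAs")
    # 3. Protocol version
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {obs.protocol}")
    # 4. Breadth of deployment: the same host still serves content over plain HTTP
    if obs.http_redirects_to_https is False:
        findings.append("plain HTTP on port 80 is served without redirecting to HTTPS")
    return findings


def _handshake(host: str, port: int, timeout: float, ctx: ssl.SSLContext) -> Tuple[str, str, int]:
    """Complete a TLS handshake and return (protocol, cipher name, symmetric bits)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def _probe_plain_http(host: str, timeout: float) -> Optional[bool]:
    """True if http://host/ redirects to https://, False if it serves content in the clear."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        conn.close()
    except (OSError, http.client.HTTPException):
        return None  # port 80 closed or unreachable: nothing is served in the clear
    return resp.status in REDIRECT_CODES and location.lower().startswith("https://")


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect to host:port and record what the server actually negotiated."""
    verified = ssl.create_default_context()  # system CAs, hostname check on
    # Let legacy servers answer so the old protocol is observed rather than refused
    # outright; the local OpenSSL security level may still reject the very oldest.
    verified.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    try:
        proto, name, bits = _handshake(host, port, timeout, verified)
        cert_ok = True
    except ssl.SSLCertVerificationError:
        # Chain or hostname failed; reconnect unverified only to see what was negotiated.
        cert_ok = False
        unverified = ssl.create_default_context()
        unverified.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        proto, name, bits = _handshake(host, port, timeout, unverified)
    return TlsObservation(host, proto, name, bits, cert_ok, _probe_plain_http(host, timeout))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["example.com"]:  # placeholder default target
        try:
            observation = observe(target)
        except (OSError, ssl.SSLError) as exc:
            print(f"{target}: handshake failed: {exc}")
            continue
        print(f"{target}: {observation.protocol} {observation.cipher} {observation.cipher_bits}-bit")
        for finding in assess(observation) or ["no findings"]:
            print("  -", finding)
```

Run it as `python tlscheck.py yourhost.example` (a hypothetical filename). A single handshake only reveals the suite the server prefers for this client; a full assessment of the kind SSL Labs performs also enumerates every suite and protocol the server will accept, and a handshake failure against a modern OpenSSL is itself a sign the server only speaks something obsolete.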

Analysis of SSL Across S&P 500

Earlier this month, SSL Pulse, the Trustworthy Internet Movement's survey of sites drawn from the top 1 million websites, found that 29.1% of the sites surveyed had improperly implemented SSL / TLS. BitSight's own analysis of the S&P 500 found that nearly one third of companies had improperly implemented SSL / TLS, and that 20% had failed to deploy it broadly across their websites or applications.

Chart: SSL implementation across the S&P 500 (BitSight)

SSL is well known and should be part of every company's security program. The fact that so many organizations are failing in this area, especially in light of recent breaches in the retail industry (where PCI DSS requires strong encryption for cardholder data sent over public networks, which in practice means properly implemented SSL / TLS), is representative of the bigger issues we all face in cybersecurity. If something as commonly accepted as SSL is not properly configured, what else could be exposing us to risk of breach?

** If you want to test the strength of your own SSL / TLS implementation, Qualys SSL Labs provides a free online server test.
