Strict Secure Sockets Layer (SSL), also known as “full SSL,” is a more stringent version of SSL encryption. Turning strict SSL mode on adds validation of the origin server’s identity, so that traffic between the two ends cannot be silently read or modified by someone positioned on the Internet path between them.
Strict SSL was born out of the need to protect against on-path attacks (more on these below).
Before diving into the nitty-gritty of strict SSL, let’s tackle the basics first.
What Terms Should You Know Concerning Strict SSL?
Here are some definitions you need to take note of.
- SSL: The standard Internet technology that keeps connections secure and safeguards sensitive data sent from one system to another. It prevents cybercriminals from reading or modifying the information in transit, including personal details.
- TLS: Stands for “Transport Layer Security,” the updated and thus more secure successor to SSL.
- HTTPS: Stands for “Hypertext Transfer Protocol Secure,” which appears in a website’s Uniform Resource Locator (URL) in place of HTTP, meaning the site is secured by an SSL certificate. Browsers show a lock icon before the URL of an HTTPS website.
- Certificate authority (CA): An entity that issues digital certificates, including SSL/TLS certificates. Known and trusted CAs aren’t controlled by the organizations that obtain certificates from them.
- SSL certificate: Proves a website’s identity, as evidenced by the lock icon before its URL. It contains details that include the issuing authority’s name and the site owner’s corporate name. Clicking the lock symbol in the browser bar displays this information.
For example, the certificate details a browser shows for Google Docs indicate that the application is SSL/TLS-secured, so any information you send to and receive from it is encrypted. Hackers can’t read anything you type and save on it.
The lock icon indicates that your data and documents are protected in transit and are less susceptible to on-path attacks.
What Is an On-Path Attack?
Strict SSL, as mentioned earlier, was explicitly crafted to stop on-path attacks.
An on-path attack occurs when cybercriminals position themselves between a user and a website, allowing them to impersonate both. The site server believes it is communicating with the user’s browser over an encrypted channel when it is not; at the same time, the user’s browser believes it is communicating with the site server when it is not. Instead, both the website server and the user’s browser are talking to the attacker sitting in the middle, who can therefore read and modify all the data passing between the two systems.
On-path attacks are easy to launch against non-HTTPS sites, because there is no server identity for the browser to check.
How Does Strict SSL Stop On-Path Attacks?
The SSL/TLS CA system was designed specifically to stop on-path attacks.
SSL/TLS servers use the private key associated with their certificates to establish valid connections. This key is kept secret, so attackers can’t use it. To carry out an on-path attack, therefore, they have to use a key of their own. Convincing a CA to sign a certificate for a domain they don’t control is difficult, so they are forced to present a certificate that is self-signed or not signed by a trusted CA. Today’s browsers immediately spot SSL/TLS certificates that aren’t validated by known and trusted CAs and refuse the connection, thus thwarting the attack.
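The following is an added example, not code from the original article, showing what the “strict” check adds on top of mere encryption using Python’s standard `ssl` module. The mode names (`off`, `full`, `strict`) follow the article; the mapping of each mode to `SSLContext` settings, the sample certificate dictionary and the `example.com` names are this example’s own assumptions. In `full` mode the connection is encrypted but any certificate is accepted, which is exactly the gap an on-path attacker with their own key exploits; in `strict` mode the certificate must chain to a trusted CA and name the host the client intended to reach.

```python
# Added example (not from the original article): the difference between
# "encrypt only" and "encrypt and verify the origin's identity".
import socket
import ssl


def build_context(mode: str):
    """Return an SSLContext for the given mode, or None for plain HTTP."""
    if mode == "off":
        return None
    if mode == "full":
        # Encrypts the connection but accepts any certificate, signed or not,
        # so an on-path attacker presenting their own key goes unnoticed.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode == "strict":
        # Certificate must chain to a CA in the system trust store, and its
        # name must match the host we asked for (the default context does both).
        return ssl.create_default_context()
    raise ValueError(f"unknown mode: {mode}")


def describe_context(mode: str):
    """Summarise which identity checks a mode performs (None for plain HTTP)."""
    ctx = build_context(mode)
    if ctx is None:
        return None
    return {"verifies_ca": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": ctx.check_hostname}


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output
# (assumption: example.com names, fictional issuer).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
NOW_MID_2025 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
NOW_MID_2026 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2026 GMT")


def san_dns_names(cert: dict) -> list:
    """DNS names listed in the certificate's subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[1:]                # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pat


def identity_problems(cert: dict, hostname: str, now_ts: float) -> list:
    """Checks strict mode adds on top of encryption: name and validity period."""
    problems = []
    if not any(hostname_matches(hostname, p) for p in san_dns_names(cert)):
        problems.append("hostname mismatch")
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def origin_check(hostname: str, port: int = 443, mode: str = "strict") -> str:
    """Attempt a real handshake (needs network); 'ok' or the rejection reason."""
    ctx = build_context(mode)
    if ctx is None:
        return "no TLS (plain HTTP)"
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                tls.getpeercert()       # empty dict in 'full' mode: nothing was verified
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"rejected: {exc.verify_message}"


if __name__ == "__main__":
    for m in ("off", "full", "strict"):
        print(m, describe_context(m))
    print(identity_problems(SAMPLE_CERT, "www.example.com", NOW_MID_2025))
    print(identity_problems(SAMPLE_CERT, "evil.example.net", NOW_MID_2025))
```

`origin_check` is the only function that touches the network; everything else runs offline against the constructed certificate. The important design point is the order of the two settings in `full` mode: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still on, a small guard against accidentally building an “encrypted but unverified” client.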
What Are Examples of Known and Trusted CAs?
There are many CAs to choose from, but if you want your SSL/TLS certificate to be instantly acknowledged by strict SSL users’ browsers and site servers, you will need to obtain one from providers like:
- Let’s Encrypt
- Comodo
- Digicert
Your choice would, of course, depend on your budget and business requirements. Let’s Encrypt, for instance, is free to use as it’s open source, but it only offers basic certificates. Comodo and Digicert offer more variants but may come at a premium.
Any organization that wants to stay protected from on-path attacks can benefit from strict SSL implementation. Given the many ways cybercriminals steal confidential data and the proliferation of cyber attacks, it may be critical for all site owners to employ the technology.
- Strict SSL provides additional protection on top of regular SSL.
- Strict SSL was developed as a security measure against on-path attacks.
- During on-path attacks, malicious actors can go between a victim and a website, allowing them to impersonate both parties.
- The origin server’s identity is further validated with strict SSL to avoid unauthorized traffic monitoring.
- Strict SSL relies on the SSL/TLS CA system, in which a server needs the private key for its CA-signed certificate to establish a valid connection. Threat actors without that key are forced to present unsigned or untrusted certificates, which browsers can easily detect and block.
- Some of the most trusted SSL certificate providers include Let’s Encrypt, Comodo, and Digicert.