
Common SSL Attacks: SSL & TLS Key Vulnerability

Common SSL Attacks

What Kind of Attacks Does SSL Prevent?

SSL is the standard in online security.  It is used to encrypt data sent over the Internet between a client (your computer) and a server (a website's computer).  This automatically prevents many types of attacks: if a hacker intercepts encrypted data, the hacker can't read it or use it without the private decryption key.

SSL makes many websites more secure.  It often protects data from being stolen, modified, or spoofed.  No website can ever be perfectly safe, but any website that stores personal information or other sensitive data should have SSL to add a greater level of security to the site.  

Assaults on trust through SSL/TLS-encrypted traffic are now common and growing in frequency, sophistication, and sheer brazenness. The low-risk, high-reward nature of SSL/TLS vulnerability ensures that these trends will continue, placing organizations at risk of breach, failed audits, and unplanned system downtime. The following examples describe a few of the most common techniques, the impact on businesses, and suggestions on how to prevent them.

Advanced Persistent Malware 

Increasingly, malware is being designed specifically to steal SSL/TLS keys and certificates for use in communications fraud and data exfiltration. For example, Advanced Persistent Threat (APT) operators exploiting the Heartbleed vulnerability stole digital keys and certificates, which resulted in a breach of 4.5 million Community Health Systems (CHS) patient records. The Heartbleed exploit was used against a system behind the CHS firewall to expand the attack to reach these highly regulated patient records.

Heartbleed remediation requires replacing all keys and certificates, not just patching the affected system. Incomplete remediation means that business and government services can be spoofed with the trust that a valid digital certificate provides, and sensitive communications can be decrypted.

To protect against advanced persistent malware, organizations need to identify all systems using SSL/TLS, install new keys and certificates on servers, revoke vulnerable certificates, and validate that the new keys and certificates are installed and working.


What are SSL Stripping Attacks?

In a two-part blog series, we cover the basics of SSL stripping attacks. The internet is secured by the HTTPS protocol, but in an SSL stripping attack, that layer of protection can be peeled away by cybercriminals, leaving users exposed.

"[SSL stripping] takes advantage of the way most users come to SSL websites. The majority of visitors connect to a website’s page that redirects through a 302 redirect, or they arrive on an SSL page via a link from a non-SSL site. If the victim wants, for instance, to buy a product and types the URL in the address bar, the browser connects to the attacker machine and waits for a response from the server. In an SSL Strip, the attacker, in turn, forwards the victim’s request to the online shop’s server and receives the secure HTTPS payment page...

At this point, the attacker has complete control over the secure payment page. He downgrades it from HTTPS to HTTP and sends it back to the victim’s browser. The browser is now redirected to From now onward, all the victim’s data will be transferred in plain text format, and the attacker will be able to intercept it. Meanwhile, the website’s server will think that it has successfully established the secure connection, which indeed it has—but with the attacker’s machine, not the victim’s."

Man-in-the-Middle (MITM) Attacks

Successful MITM attacks gain the trust of communicating parties by impersonating a trusted website and eavesdropping on secure conversations. Access to SSL/TLS keys and certificates facilitates MITM attacks, and unsecured or lightly protected wireless access points are often exploited for entry.

There are several ways a bad actor can break the trust SSL/TLS establishes and launch a MITM attack. For example, a website’s server key could be stolen, allowing the attacker to appear as the server. In some cases, the issuing Certificate Authority (CA) is compromised and the root key is stolen, so criminals can generate their own certificates signed by the stolen root key.

MITM can also result from a client’s failure to validate the certificate against trusted CAs, or when a client is compromised and a fake CA is injected into the client trusted root authority. In many MITM attacks, malware performs this action to redirect users to fake banking web sites, where sensitive information can be easily stolen.

For enterprises, MITM attacks misuse trust to steal intellectual property, sensitive personal information, and damage an organization’s reputation. For highly regulated industries like healthcare and finance, these attacks can also result in costly penalties. To remediate these exploits, organizations need to identify and revoke all certificates used on impacted servers, create new keys for certificates, and verify that new keys and certificates are being used.

SSL generally prevents man-in-the-middle (MITM) attacks.  During an attempt at a MITM attack, a hacker tries to intercept your data stream.  They might set up a listening computer in a coffee shop, for example, to secretly force information to pass through it instead of directly between your computer and a website server.

But SSL encrypts the data being sent.  That means that even if someone is able to listen in on the data stream, the encrypted data is not readable by them.

In its intended operation, then, SSL prevents data from being stolen or manipulated many times per day.  It creates secure connections between client computers and website servers.

Of course, thieves steal, and some of them steal decryption keys, which at times lets them get around SSL or exploit its vulnerabilities, as we have written about elsewhere.  But remember that many more times, SSL prevents data theft.

Self-Signed and Wildcard Certificates

Server administrators frequently create self-signed “wildcard” certificates on demand using the free OpenSSL toolkit. While quick and easy, this practice significantly erodes trust because no trusted third-party CA ever verifies these certificates.

Using a wildcard certificate on a publicly facing web server increases the risk that cybercriminals will use the server to host malicious websites in phishing campaigns. To eliminate this problem, organizations should avoid using wildcard certificates on production systems, especially public-facing ones. Instead, use subdomain-specific certificates that are rotated often.

Unknown, Untrusted, and Forged Certificate Authorities

Maintaining the trust required for today’s global business demands a known and reputable CA that both parties can rely upon to authenticate the conversation. Over time, an enterprise might discover that it has been using certificates from dozens of unknown and untrusted CAs. For example, China’s Certificate Authority (CNNIC) was recently cited as an untrusted CA.

In 2014, an Internet security organization named Netcraft found dozens of fake digital certificates impersonating banks, ecommerce sites, ISPs and social networks deployed across the Internet. Even well-known CAs like GoDaddy can be compromised. Fake certificates purporting to be for GoDaddy’s email service could allow an attacker to masquerade as GoDaddy if applications don’t verify a certificate’s trustworthiness.

To remediate the problem, organizations must identify and remove all certificates associated with unknown and untrusted CAs, and replace them with new certificates from trusted sources.

Attacker Encrypted Communications

Cybercriminals are using encryption to attack organizations at an ever-increasing rate. SSL/TLS is being turned against enterprises to deliver malware undetected, to listen in on private conversations, to disrupt secured transactions, and to exfiltrate data over encrypted communication channels. For example, the pervasive Zeus botnet used SSL communication to upgrade the attack after the initial email infection. Following the Boston Marathon bombing, malware attached to a spam message also used SSL to communicate with its command and control server.

With more and more encrypted traffic, this trend is likely to expand rapidly. Gartner estimates that by 2017 more than 50% of the network attacks targeting enterprises will use SSL encryption, up from less than 5% today. For organizations that lack the ability to decrypt and inspect encrypted communications to assess these threats, this blind spot undermines traditional layered defenses and increases the risk of information breach and data loss.

To mitigate the impact of attacker encrypted communications, organizations should first evaluate the security risks from uninspected encrypted network traffic and update relevant risk indicators. In addition, they must also leverage existing network security solutions to enforce the outbound web policy on SSL traffic. With policies in place, companies should establish a prioritized list of the traffic profiles they need to decrypt. They should initiate a multiyear plan to improve coverage of encrypted traffic, starting with decrypting inbound and outbound Web traffic. They should also quantify the current encrypted traffic mix, with the anticipation that it will grow 10% to 20% yearly.

Expired SSL/TLS Certificates

Expired certificates either cause unplanned system outages or open a door through which hackers can enter your network, or both. In 2013, Microsoft Azure experienced a worldwide outage due to an expired certificate. As a result, this leading cloud provider was down for hours and issued service credits. In 2014, tens of thousands of payment terminals used to process credit card payments in the U.S. stopped working because of an expired certificate.

An SSL/TLS session that uses an expired certificate should not be trusted. Accepting an expired certificate makes users vulnerable to man-in-the-middle (MITM) attacks. To remediate this issue, all expired certificates should be identified and removed from servers.
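
The certificate hygiene checks described in the last three sections (self-signed and wildcard certificates, unknown issuers, expired certificates) can be run over a certificate inventory in one pass. The following is an added example, not code from the original page: the inventory entries, hostnames, CA names and the APPROVED_ISSUERS allow-list are constructed assumptions, shaped like the dictionaries Python's ssl.SSLSocket.getpeercert() returns.

```python
import ssl

def _name(cn, org):
    # Build a name in the nested-tuple shape ssl.SSLSocket.getpeercert() uses.
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample inventory; every hostname and CA name here is made up.
INVENTORY = [
    {"subject": _name("shop.example.com", "Example Corp"),
     "issuer": _name("Example Trusted CA", "Example Trust Services"),
     "notAfter": "Jan  1 00:00:00 2031 GMT",
     "subjectAltName": (("DNS", "shop.example.com"),)},
    {"subject": _name("*.example.com", "Example Corp"),
     "issuer": _name("*.example.com", "Example Corp"),
     "notAfter": "Jan  1 00:00:00 2031 GMT",
     "subjectAltName": (("DNS", "*.example.com"),)},
    {"subject": _name("pay.example.com", "Example Corp"),
     "issuer": _name("Unknown Regional CA", "Unknown Org"),
     "notAfter": "Mar  1 12:00:00 2014 GMT",
     "subjectAltName": (("DNS", "pay.example.com"),)},
]
APPROVED_ISSUERS = {"Example Trusted CA"}  # assumption: the organization's CA allow-list

def _field(rdns, key):
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def audit(cert, now):
    """Return sorted findings for one certificate, judged at epoch time `now`."""
    findings = set()
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        findings.add("expired")
    if cert["subject"] == cert["issuer"]:
        # Heuristic: matching names; a full check also verifies the signature.
        findings.add("self-signed")
    elif _field(cert["issuer"], "commonName") not in APPROVED_ISSUERS:
        findings.add("untrusted-issuer")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names.append(_field(cert["subject"], "commonName"))
    if any(n and n.startswith("*.") for n in names):
        findings.add("wildcard")
    return sorted(findings)

def audit_inventory(inventory, now):
    return {_field(c["subject"], "commonName"): audit(c, now) for c in inventory}

if __name__ == "__main__":
    fixed_now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
    for host, findings in audit_inventory(INVENTORY, fixed_now).items():
        print(host, findings or ["ok"])
```

Certificates that come back with findings are the ones to revoke and replace, as the remediation steps above describe.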

Phishing Scams

In phishing, malicious actors trick people into going to a website and entering private information into a form.  They might impersonate a major company, like a bank or PayPal.

During a scam, when consumers get sent to a website that is not secured by SSL, they are able to notice it.  The website's address bar won't have the lock icon or the "https."  When a site is secured by SSL, visitors can click the lock icon to see the company's security certificate and ensure that it's valid.

Some web browser applications also warn consumers if they're leaving secure sites.  SSL can't completely prevent phishing, but it makes browsers and consumers more cautious to use only authenticated sites.

What is Strict SSL?

Strict SSL adds a greater level of security to any website by validating the origin server.  It lessens the likelihood of an SSL exploit by making sure the connection is safe both between the visitor and the domain and between the server and your network.

The simplest layer of SSL protection simply encrypts data as it is passed between a web browser and a website server.  However, man-in-the-middle attacks attempt to trick your web browser by offering it a duplicate of a website and causing you to unknowingly interact with their website rather than the real one (e.g., a fake version of the PayPal website.)

That's why strict or full SSL also makes your web browser check the authentication certificate of any website to make sure it has a valid, current, SSL certificate.  Often, a man-in-the-middle attack can't duplicate this certificate, and the web browser displays a warning, preventing a person from using that website further.
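
The same check applies to any program that makes TLS connections, not only to browsers. The following added example (not code from the original page; the function names are hypothetical) uses Python's standard ssl module to show a client configuration that skips validation beside one that enforces it, plus a small audit function that reports which of the two protections a given context is missing.

```python
import ssl

def lax_client_context():
    """The failure mode: a client that accepts any certificate it is shown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked against trusted CAs
    return ctx

def strict_client_context():
    """Validate the chain against the system's trusted CAs and match the hostname."""
    # create_default_context() enables CERT_REQUIRED and check_hostname.
    return ssl.create_default_context()

def audit_context(ctx):
    """List the validation steps a client SSLContext would skip."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated against trusted CAs")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings

if __name__ == "__main__":
    for label, ctx in (("lax", lax_client_context()),
                       ("strict", strict_client_context())):
        print(label, audit_context(ctx) or ["ok"])
```

With the strict context, a handshake with a server whose certificate is expired, issued by an unknown CA, or issued for a different hostname fails with ssl.SSLCertVerificationError instead of proceeding.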

Can SSL Be Intercepted?

There are certain SSL vulnerabilities to be aware of.  For instance, SSL can be intercepted, either for legitimate or illegitimate reasons.  Interception is achieved through the use of "middleboxes," which are between the website and the client's machine.  These middleboxes have proxy software that can delete and restart the SSL connection, allowing a middleman access to private information.  This SSL certificate vulnerability can be avoided by using strict SSL.

Does SSL Prevent Session Hijacking?

Yes, SSL can prevent session hijacking, which is also commonly known as cookie hijacking.  SSL encrypts the data on a website login page, which prevents hackers from knowing the password.  This method is especially effective for banks and e-commerce sites.  

You can protect yourself by:

  • Always checking that your web browser shows "HTTPS" in the address bar
  • Heeding any certificate warnings you see
  • Taking advantage of the latest antivirus application
  • Being very careful with your data when you're on public Wi-Fi

Also, be careful of downloading free software that may have advertising software in it.  These can hijack your data and make your computer vulnerable to man-in-the-middle attacks.

