It’s been a bad year for SSL and that means it’s been a bad year for web user confidence. SSL is — or was — the trusted heart of the Internet’s security and privacy, protecting everything from emails and Facebook to eCommerce transactions and online banking. In the wake of multiple critical vulnerabilities that made their way to the mainstream media, many are looking askance at the claims of online service providers and retailers where security is concerned. The constant patter of reports of inadequate implementation, the follies of backward compatibility with ancient protocols, and plain old developer screwups does nothing to improve the confidence of users.
All of which is a problem for Google and other providers of online services, the business models of which depend on web users entrusting them with data that’s often highly sensitive. Google in particular is all in on a strategy of HTTPS Everywhere (originally an EFF initiative), with SERP incentives for implementing SSL and a campaign to encourage webmasters to encrypt connections whether or not they think it’s necessary. None of which means much if SSL implementations can’t be relied on to actually protect our data.
The Core Infrastructure Initiative, which Google is part of and which aims to support the developers behind some of the most important pieces of software on the net, is part of the solution, but it’s not enough to make sure that SSL is secure going forward: as we learned with POODLE, the web moves so slowly to fix problems that we need some way of discovering whether existing services are vulnerable.
That’s the job of nogotofail, a security auditing tool recently open-sourced by the Mountain View giant. Nogotofail — the name’s a sly poke at Apple and its SSL problems — is intended to be used by developers and system administrators to ensure that systems are not vulnerable to any of the stable of recently revealed potential exploits.
The tool works in much the same way as the average attack against SSL. It uses a man-in-the-middle, which can be deployed on routers, servers, or in the cloud, and which carries out known attacks against supposedly secure connections. Except in this case, if the MitM attack is successful, nogotofail lets the user know rather than hoovering up their data. Google’s been using nogotofail for some time in its own networks — it’s actually a product of the company’s Android development team.
Nogotofail is a great addition to the toolkits of developers and web service providers, who can deploy it to thoroughly test out their own SSL implementations and make sure they aren’t giving users a false sense of security.