OpenSSL: What Is It and Why Is It Needed


Numerous website vulnerabilities and security breaches, such as the recent Heartbleed Bug, might leave many web business owners thinking about OpenSSL – what is it and why is it needed? If there are constantly so many issues, perhaps it is better to just do without it? However, there is a good reason why the technology was invented, and the occasional issues that crop up with it are a drop in the bucket compared to the problems it solves.

All the information that goes into a browser (the actual website content) or goes out of it (the forms filled or emails sent) travels through a network of cables in so-called “packets” all the way from a user’s computer to a server somewhere in, say, Idaho. However, it does not do this directly, as there never is just a single cable connecting every computer together. Instead, it bounces around from one machine to another, each passing the information along. And as it passes through countless devices, each one can actually read its contents. The emails, the credit card information, the Facebook comments are all exposed.

And this is where the question of what OpenSSL is and why it is needed comes in. It is a free implementation of the Secure Sockets Layer (SSL) standard used on countless web servers. Instead of transmitting the packets in plain, human-readable text, it allows the information to be encrypted using a strong algorithm. Both the user computer and the destination server perform a so-called “handshake” where they agree on a long and complicated key to decrypt the data when it safely arrives at the destination. As a result, even if a malicious hacker were to gain access to a connecting device and read the packets traveling through it, they would simply look like gibberish. While it is possible to decrypt them without the key, such an attempt can take days, if not weeks, of continuous effort. Needless to say, it is a strong deterrent.

Vulnerabilities such as Heartbleed, or the new bug found just recently, allow a hacker to potentially weaken the encryption of the traveling information or even obtain the key. Decrypting the packets becomes much easier, and the information could once again be exposed. Hackers can then tap into any email communication, steal credit card numbers, and much more.

It might be scary to think about all these issues with a technology that major companies and internet users depend on every day. The Heartbleed bug, for example, was discovered two years after it was accidentally introduced into the OpenSSL library. This raises the question of how many more issues or vulnerabilities are being exploited every day without anyone knowing.

Sadly, the Internet has always been, and will always be, an unsafe place. Even major companies that spend millions of dollars on their virtual architecture, such as Sony or LinkedIn, cannot fully protect their servers from cyber attacks. No matter how good the security gets, there will always be someone smart enough to circumvent it. Signing up for any website or using any online service always carries a small risk of the sensitive information being stolen. It should no longer be a distant boogeyman, but an accepted fact. It is the price paid for the convenience of the internet.

On the upside, accepting this fact is not as grim as it might seem. In real life, stores are robbed and crimes are committed every day, and yet human civilization manages to carry on and live another day. Existing technologies may not be perfect, but like police or firemen, they often do a good enough job of stopping most incidents. Knowing what OpenSSL is and why it is needed will further help web business owners take the necessary steps to protect the information of their customers. They might still experience an occasional breach, but it will be less frequent and less serious than if such safeguarding technologies were not employed.

By Jakub Kasztalski
