SSL is secure - isn't it?

Had a chat with the guys from a company that shall remain nameless at the Infosecurity Europe show this week, with the conversation centering around the firm's Web filtering technology for mid-to-large-sized companies.

The company has a number of extra services available for corporate users of its Web filtering technology. If a user starts a Secure Sockets Layer (SSL) session across the Web and the IT manager isn't sure whether the session is kosher, s/he can contact the firm for an instant analysis.

That analysis is made possible by the fact that the firm has a Broadcom system at its head office, with an onboard set of ASICs capable of decoding up to 400 SSL sessions in real time.

The Web filtering firm is at pains to to say that it would not decode an SSL data stream for its customers that involved a financial Web site, or anything that looking like it was personal and legitimate.

"If an employee is due to leave tomorrow and starts upload what appears to be the corporate database to an unknown Web site using SSL, then yes, we would decrypt the session for the company concerned," said a spokesperson.

I must confess I've suspected that the powers that be (NSA, MI5, MI6 etc) have had a real-time SSL decryption capability, but this the first time I've come across a commercial firm claiming to have the capability.

Am I alone in finding this deeply disturbing? Many online services, including some banks, rely on SSL as a means of securing the online session against eavesdropping.

I'm starting to realise why some banks are moving to digital certificates in the short term, and two-factor authentication devices in the mid-term, to protect their customers.

I've tried to verify the existence of a real-time SSL decryption system from Broadcom and other vendors. Surprisingly, whilst the vendors remain schtumm on the subject, the Web has a lot of information on the subject.

Although no-one is saying how the SSL decryption process works, I suspect it's a combination of sheer processing power, assisted by pattern recognition techniques.

If you think about it, most SSL-based sessions use a Web interface that uses a constant format. For example, an e-banking session will use a standard format that is specific to the bank concerned.

Coupled with the fact that any security keys for the SSL session are exchanged across the same data stream, a brute force program could work, since it has access to all available data...