Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and in many cases not even then), use of encryption serves as nothing more than providing a false sense of security.
This is particularly true in the case of SSL. SSL is probably the most deployed, least useful security technology since tin foil underwear. Gene Spafford (as usual) put it best years ago, and nothing has changed:
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”
Take a look through the various breach databases. Is there a single case where the breach could have been prevented by the use of transport level encryption? I have yet to find one.
But what about CA1386 and its brethren? Or PCI? They mandate encryption. PCI dropped the requirement with the move to 1.1, so clearly they didn’t see any real benefit in it. As for CA1386 and the like, although use of encryption does provide one with a get out of jail free card, all of the practical ways of applying encryption to online systems mean that hacking the server gives you access either to the encryption keys or to a database that is already decrypted for use.
Which brings us to data at rest. Encryption is only as good as the password/passphrase that protects the keys. Users are notoriously bad at selecting good passwords. Combine this with the fact that the more popular disk encryption programs (EFS, BitLocker, FileVault, etc.) automatically decrypt the data for you on the basis of your login credentials, and in many cases one again isn’t actually that well protected. On the plus side, tools like PGP, BitLocker and others are well suited for protecting data at rest when the data is separated from its keys, particularly on USB drives and the like.
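To put a number on “only as good as the passphrase”, here is an added example (not code from the original post) that derives a disk-style key from a passphrase with PBKDF2 and estimates the effective strength the attacker actually faces: the cheaper of breaking the cipher key outright or guessing the passphrase through the key-derivation function. The iteration count, key size and sample passphrases are assumptions chosen for illustration, not the parameters of any particular product.

```python
import hashlib
import math

# Assumed parameters for the illustration: a 256-bit data key unlocked by
# a passphrase run through PBKDF2-HMAC-SHA256 with 100k iterations.
KEY_BITS = 256
ITERATIONS = 100_000


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the data-protection key from a passphrase (same inputs -> same key)."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_BITS // 8
    )


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly from `alphabet_size` symbols, `length` long."""
    return length * math.log2(alphabet_size)


def effective_strength_bits(
    passphrase_entropy_bits: float,
    iterations: int = ITERATIONS,
    key_bits: int = KEY_BITS,
) -> float:
    """Work (in bits) of the cheapest attack on the encrypted data.

    Guessing the passphrase costs one KDF evaluation per guess, so the guessing
    path costs roughly 2**(entropy + log2(iterations)) hash operations. The
    attacker takes whichever is cheaper: that, or brute-forcing the raw key.
    """
    guessing_work = passphrase_entropy_bits + math.log2(iterations)
    return min(key_bits, guessing_work)


def meets_policy(passphrase_entropy_bits: float, minimum_bits: float = 80.0) -> bool:
    """Defender-side check: does the passphrase leave enough effective strength?"""
    return effective_strength_bits(passphrase_entropy_bits) >= minimum_bits


if __name__ == "__main__":
    # Constructed sample: a 4-digit PIN versus a 128-bit random secret.
    pin = entropy_bits(10, 4)
    random128 = 128.0
    print(f"PIN:      {effective_strength_bits(pin):.1f} effective bits (key is {KEY_BITS})")
    print(f"128-bit:  {effective_strength_bits(random128):.1f} effective bits")
    print("PIN passes policy:", meets_policy(pin))
    print("Same passphrase, same salt, same key:",
          derive_key("correct horse", b"salt-1") == derive_key("correct horse", b"salt-1"))
```

The point the numbers make: with a PIN-strength passphrase the 256-bit key on the label is irrelevant, because the attacker only ever has to cover a few tens of bits of work through the KDF. Raising the iteration count helps by a constant factor; only a longer, higher-entropy passphrase (or a key that is kept off the device entirely) moves the result anywhere near the cipher’s nominal strength.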
So when doing a risk assessment, please don’t assume something is secure because it uses encryption, and please don’t assume that whatever issues there are can be fixed by adding encryption. After all, it is just security theater.
[Edit: Corrected a typo. Thanks Gavin.]