Is Security a Single Point of Failure?

Picture a huge infrastructure with multiple failover clusters, mirrored SQL servers, load-balanced IIS servers, hardware load balancers and SSL caches. The network has IDSs, DDoS protection hardware, failover switches and routers, and backup lines from multiple internet providers. All traffic is encrypted using SSL, and the environment is full of IT admins managing, maintaining and monitoring it. This environment costs millions of dollars each year.

If I asked you where the single point of failure is in there, even with all the latest hardware and software, backup and security systems, what would you say? Well, I tell you the likely scenario is that SSL is the single point of failure if you don't have more than one SSL provider. As you may or may not know, it has happened before that one of the leading SSL providers made a mistake with an intermediate certificate, with the effect that multiple companies could not sell their products online or service their customers through their websites. This failure probably cost companies millions or even billions of dollars in those days. The SSL provider tried to fix it but was unable to because of client-side caching. A company with hundreds or even millions of customers is not going to be able to update the cache on all of its clients, so the only option was to wait four days until the caches had refreshed on all clients. Imagine what would happen if your company were unable to sell or provide service for four days. Hours or even days of downtime would have a huge impact on the lifeline of a company. The infrastructure was at its best, but at that point the IT admins realized that SSL providers could be a single point of failure. One option is to hold multiple SSL certificates from different providers and use PowerShell or similar products to switch instantly to another provider.
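The switch-over the paragraph describes, as an added example that is not part of the original post: a PowerShell script for an IIS host that validates the chain of the currently bound certificate and, if the chain no longer builds, rebinds the site to a fallback certificate issued by a second CA. It assumes Windows Server with the WebAdministration and PKI modules, a site named "Default Web Site", and that both certificates are already installed in the LocalMachine\My store; the hostname and thumbprints are placeholders.

```powershell
# Added example, not the post author's code. Fails over an IIS HTTPS binding to a
# certificate from a different CA when the primary certificate's chain no longer
# validates on this machine. Placeholder values must be replaced before use.
Import-Module WebAdministration
Import-Module PKI

$SiteName           = 'Default Web Site'
$HostName           = 'www.example.com'                      # placeholder
$PrimaryThumbprint  = 'PRIMARY_CERT_THUMBPRINT_PLACEHOLDER'  # issued by CA #1
$FallbackThumbprint = 'FALLBACK_CERT_THUMBPRINT_PLACEHOLDER' # issued by CA #2

function Test-ServerCertChain {
    param([string]$Thumbprint, [string]$DnsName)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return $false }
    # Test-Certificate with the SSL policy builds the full chain as this server
    # sees it: expiry, hostname match, and every intermediate up to a trusted
    # root present and valid. A broken or revoked intermediate returns $false.
    return [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
}

function Set-SiteCertificate {
    param([string]$Thumbprint)
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 `
            -HostHeader $HostName -SslFlags 1
        $binding = Get-WebBinding -Name $SiteName -Protocol https
    }
    # Rebinding the certificate is immediate; no IIS restart is needed.
    $binding.AddSslCertificate($Thumbprint, 'My')
}

if (Test-ServerCertChain -Thumbprint $PrimaryThumbprint -DnsName $HostName) {
    Write-Output "Primary certificate chain is valid; no change made."
}
elseif (Test-ServerCertChain -Thumbprint $FallbackThumbprint -DnsName $HostName) {
    Write-Warning "Primary chain failed validation; switching $SiteName to the fallback CA certificate."
    Set-SiteCertificate -Thumbprint $FallbackThumbprint
}
else {
    Write-Error "Both certificates fail chain validation; manual intervention is required."
}
```

Run it from a scheduled task and pair it with an external probe, because the script validates the chain as the server builds it, while the caching problem the post describes is on the client side.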

But let us take a deeper look at similar scenarios and the impact they could have. These scenarios are only theoretical ideas of mine, but I have to bring them up to see whether such scenarios could actually happen. Today we have something called IoT, which means Internet of Things, but before we continue let's define what IoT is. IoT is basically hardware that is connected to the internet; it might be a toaster, light bulbs, a fridge, cars and even health equipment. Some hackers have been able to hack these devices, so the hardware providers try to fix these problems. Let's say these hardware providers issue SSL certificates for these devices so that it would be more challenging to hack them. What would happen to these devices if an SSL provider went down, as has happened before?

  • A guy is driving at 70 mph and suddenly the car shuts down and brakes in the middle of the speedway. There are a lot of casualties when this happens. Further investigation shows it was a software problem based on SSL, which meant that the car was unable to get data from the car maker's central information system. The car's software AI thought the car was being stolen, so it shut down instantly.
  • A man wears an insulin device that makes his life easier by injecting insulin at the right time. The man is sent to a hospital, and the cause is that the software in the device could not connect to the health care system to get updates on the insulin injections, because the SSL provider made a mistake.

Now these two scenarios, as I said before, are just theoretical ideas and have not happened before, not that I am aware of. At least I need to bring this up so that SSL providers are aware of the impact if they cannot deliver correct service to their customers.

So these ideas got me thinking: what can we do, and what are the alternatives to SSL that still give us the same security? What are your thoughts?
