Continued from page 1
My second concern is the heavy emphasis placed on the use of SSL, more commonly known as “the little lock in your web browser”. The Federal Trade Commission lists it first in its “Shop Online Safely” bulletin which, in my opinion, gives it far more weight than it deserves.
Once upon a time, SSL certificates were expensive and a meaningful vetting process was involved in having one issued. This created a false belief that an SSL certificate contributes to a website’s legitimacy. In reality, an SSL certificate can be had for as little as five dollars by anybody with a telephone number. An expensive Thawte or Verisign issued certificate provides no more or less security than its cheaper counterparts. In fact, they don’t provide any more security than a “bad” certificate either. An expired or untrusted certificate is exactly as effective at encrypting data as a premium one, because the cipher that protects the session is negotiated independently of who signed the certificate. What a signature from a trusted authority adds is an assertion that the key belongs to the named site, which is why a browser warns about a self-signed or expired certificate; it says nothing about whether the business behind the site is honest. Many security and IT professionals work with these “bad” certificates every day, with full confidence that they are serving the purpose they need them to.

SSL Encrypts Online Web Communications
----------------------------------
For the most part, SSL serves one function only: it secures the communication between your web browser and the vendor’s web server at the time your data is transmitted. In reality, even this isn’t necessarily true. I’ve recently become aware that some SSL implementations have the option to set the encryption cipher to “plain text”, meaning that in spite of the presence of the lock, no encryption actually takes place. In TLS terms these are the null cipher suites, such as TLS_RSA_WITH_NULL_SHA: the handshake and the integrity check run as normal, but the data itself is never encrypted. A browser cannot be talked into such a suite unless it offers one, but the lock icon alone does not show you which suite was negotiated.
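To make the two properties separated in the paragraphs above visible, here is an added example (my own code, not the article’s and not anything from defendingthenet.com) that audits a TLS endpoint with nothing but Python’s standard library. The helper names is_null_cipher, cert_status and probe are this example’s own assumptions. The first connection turns verification off, so even a self-signed or expired certificate completes the handshake, and records the cipher suite the server actually negotiated, flagging the NULL suites discussed under the heading above; the second connection verifies normally and reports whether the chain is trusted. A five-dollar or self-signed certificate shows up with the same cipher as a premium one, and a fully trusted certificate can still sit on top of a NULL suite.

```python
from __future__ import annotations

import socket
import ssl
import sys
import time

# Assumed names (is_null_cipher, cert_status, probe) are this example's own;
# nothing here comes from the article or the author's site.


def is_null_cipher(name: str) -> bool:
    """True for suites that negotiate no bulk encryption, whether spelt the
    IANA way (TLS_RSA_WITH_NULL_SHA256) or the OpenSSL way (NULL-SHA256,
    AECDH-NULL-SHA). Everything else is treated as an encrypting suite."""
    return "NULL" in name.upper().replace("-", "_").split("_")


def null_ciphers_enabled(ctx: ssl.SSLContext) -> list[str]:
    """Names of the NULL-encryption suites this context would offer."""
    return [c["name"] for c in ctx.get_ciphers() if is_null_cipher(c["name"])]


def null_ciphers_in_default_context() -> list[str]:
    """What a stock Python client context offers; expected to be empty."""
    return null_ciphers_enabled(ssl.create_default_context())


def cert_status(cert: dict, now: float | None = None) -> str:
    """Classify a certificate dict (as SSLSocket.getpeercert() returns it)
    by its validity window alone: 'valid', 'expired' or 'not_yet_valid'.
    Whether the chain is *trusted* is decided by the handshake, not here."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect twice and report encryption and trust as separate facts."""
    report: dict = {"host": host, "port": port}

    # Pass 1: accept any certificate, so the handshake completes even for
    # self-signed or expired ones, and record the cipher the server chose.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            report.update(cipher=name, protocol=proto, secret_bits=bits,
                          null_encryption=is_null_cipher(name))

    # Pass 2: normal verification against the system trust store.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                report["trusted"] = True
                report["validity"] = cert_status(cert)
                report["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
    except ssl.SSLCertVerificationError as err:
        report["trusted"] = False
        report["reason"] = err.verify_message
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in probe(target).items():
        print(f"{key:16} {value}")
```

Run it as `python audit.py shop.example` and compare the `cipher` and `trusted` lines: the first tells you how the session is protected, the second only tells you that a certificate authority vouched for the name, and neither tells you anything about the vendor. Pass 1 deliberately does not read the certificate fields, because with verification disabled Python returns an empty certificate dict; the expiry reason for an untrusted chain still appears in `reason`.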
Conclusion
------------
In a nutshell, technology is not a substitute for due diligence. The presence of SSL should never count in a vendor’s favour when deciding whether to purchase from them, although the lack of it should be an immediate red flag to take your business elsewhere.
About The Author
----------
Erich Heintz currently specializes in providing network and security solutions for small to medium businesses that frequently have to resolve the conflict of need versus budget. If you would like to know more about computer security please visit us at http://www.defendingthenet.com.