Continued from page 1
Is
padlock real?
Although SSL padlock has been on bottom of screen for a while now, only most adventurous have tried doing things like clicking on it. If you did you might be in for a surprise.
The first thing is that you can’t tell if padlock is genuine. After all, anyone can write a padlock to that point on screen, it’s not a special protected area of some kind. So seeing padlock appear needn’t mean a secure connection is actually in place. If you do click on it you should see web site address for site of server that purchased certificate being used. You should compare this with web site address shown in your browser tool bar. It is important to read it carefully since you are one doing checking, there is nothing automated about comparison.
What needs to change?
Several things need to change before you should feel comfortable using SSL.
1) Getting enough functionality onto client system to be able to sign and encrypt actual data instead of trying to make secure connections to places you don’t know.
2) Providing clients with ability to check that certificates sent from servers are still genuine (check to see if they have been revoked) automatically. Then users can be sure that no man-in-the-middle can read information they send, and that server they are dealing with is for real.
3) The client needs an identity that can be authenticated by server (this does not have to mean that users need to go out and buy a certificate, server site may provide them with a suitable certificate as a separate process).
4) Automating this whole process so that user does not have to click on padlock icon to find out if security is real.
ArticSoft have over 30 years experience in the field of computer security, and 15 years experience of securing information on personal computers and messaging systems. Our CEO Steve Mathews, is one of the authors of BS7799 (now ISO/IEC 17799) and is well recognized in the security industry.
