Does SSL protect you, or is it a condom that is open at both ends?

Written by ArticSoft


For the last five or so years, SSL has been paraded as the technology that secures the Internet. All you have to do is look and see the padlock on the bottom of the screen and you can be sure it’s safe.

Is it true?

SSL is a technology for providing a secure connection between two places. It provides secure links, or pipes between wherever it starts and wherever it stops.

What it does not do is actually secure any of the data that passes through the pipe, or really know where either end of the pipe actually is. What you can be sure of is that anything put into one end of the pipe is going to come out wherever the other end is.

But surely the data is fully protected? Yes, whilst the data is in the pipe it is protected. Now, assuming – and unfortunately that’s what we have to do – that you know for sure where each end of the pipe is, and you are sure that each end is very secure, and you know for certain who is at each end, then you’re OK. If any of those is not true then you do have a problem.

My data is SSL protected between the server and me, so why should I worry? Well, no one at the server end really knows whom the data is from because they don’t know what your identity is. They assume that data arriving through the pipe is right, and that your identity can be presumed from the data, not the other way around. Unfortunately there are hacker attacks that divert your link through their own site, where they can pretend to each end that they are the other entity without either end being the wiser. (This is called a man-in-the-middle attack using web site spoofing.)
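
The distinction drawn above, between an encrypted pipe and knowing who is at each end, shown as an added example that is not part of the original article. It uses Python's standard ssl module; the function names are assumptions of this example.

```python
import ssl

def weak_client() -> ssl.SSLContext:
    # Encrypts the pipe but never checks who is at the far end.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_client() -> ssl.SSLContext:
    # Library defaults: chain validated against trusted CAs, name matched.
    return ssl.create_default_context()

def typical_server() -> ssl.SSLContext:
    # Default server context: does not ask the client for a certificate.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def mutual_tls_server() -> ssl.SSLContext:
    # Server that rejects clients without a certificate it can validate.
    # A real deployment would also load the CA that issues client certificates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def pipe_gaps(ctx: ssl.SSLContext, role: str) -> list[str]:
    """List what this end of the pipe will NOT know about the other end."""
    gaps = []
    checks_cert = ctx.verify_mode == ssl.CERT_REQUIRED
    if role == "client":
        if not checks_cert:
            gaps.append("server certificate not validated")
        if not (checks_cert and ctx.check_hostname):
            gaps.append("server name not matched to certificate")
    elif role == "server":
        if not checks_cert:
            gaps.append("client identity unknown to TLS")
    else:
        raise ValueError("role must be 'client' or 'server'")
    return gaps

if __name__ == "__main__":
    cases = [("weak client", weak_client(), "client"),
             ("strict client", strict_client(), "client"),
             ("typical server", typical_server(), "server"),
             ("mutual-TLS server", mutual_tls_server(), "server")]
    for name, ctx, role in cases:
        print(f"{name}: {pipe_gaps(ctx, role) or 'peer authenticated by TLS'}")
```

All four configurations encrypt the data in the pipe; only the gaps differ, which is why the typical server has to infer the client's identity from the data it receives.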

The Problems with Secure Email

Written by ArticSoft


The ideal system that everyone is searching for – the silver bullet – is to have top security automatically regardless of who you are sending to and what product(s) they happen to be using. The reality is that many e-mail packages are not themselves secure, and do not interoperate cleanly with anything but their own products.

For the time being you are better off keeping your security outside of your e-mail or word processing package, and exchanging attachments that are fully protected and not relying upon any of the different systems that people are using. That way you increase the security of the result and do not have to rely on complex interactions between proprietary systems.

It may not be as elegant, but it will take you a lot further than relying on a specific e-mail service and will give you, for the time being, a much more secure result.

Introduction

For the last ten years or so we have become increasingly reliant on e-mail. It is ubiquitous, and unlike real mail it can chase us from continent to continent in seconds. For better or worse we now have the ability to conduct the next worst thing to conversation, but in writing.

Of course, and despite all the advice, we treat this ability as if it were the same as personal conversation. Private. Off the record. We also assume that no-one else is going to be able to read it, and that it can’t ever get into the wrong hands.

Slowly but surely we are finding out, the hard way, that, as in the words of the song, “It ain’t necessarily so.” What we are doing is like sending picture postcards through the mail. It appears that everyone from our e-mail administrator to half the hacking community can pick up what we are doing, even off the internal network.

Enter the answer – secure e-mail (Se-mail?). Run it just like ordinary mail but click on the secure button and you’re done. Shangri-La! But is it for real or is it yet another of the IT pipe dreams?

Silver Bullet Syndrome

This is not a new disease. Far from it. This is a regular epidemic every time someone goes near the IT security allergy. Somehow or other it seems obvious to anyone that the immense complexity of the computer can be made safe and secure by a single act (the laying on of hands perhaps?). Despite the fact that everyday experience teaches us how difficult it is to get a computer to do anything without us making a significant contribution, security is supposed to happen without any thought or planning (even less than putting something in a brown envelope rather than a see-through folder).

Manufacturers have been quick to recognize two things. The first has been that they need to service their customers more so that they can charge more. The second is that despite all the claims about standards in security, the cold hard reality is that there are hardly any.

What, no standards?

Well, almost none. We have S/MIME (version 2 or 3?) to sort out how you might sign and encrypt streams going from one e-mail client to another. That’s fine except that you need ‘PKI’ standards sitting behind S/MIME to make it useful, and there seem to be more of those than you can shake a stick at. This is a case where there are so many different standards (and even more interpretations of them) that in effect you have no standards.

If you want to think about standards in terms of manufacturers’ products (after all, dominant suppliers and monopolies set standards of a kind) then the picture is more like this. We have Outlook Express and Outlook (not the same thing even if they are from the same stable) and HotMail. To that we must add Eudora, Lotus Notes and AOL (Compuserve). We have an increasing number of web-mail products such as Yahoo and Lycos, just in case the others weren’t enough. And we haven’t yet begun to mention all the various brands of ‘secure’ mail that exist, including PGP. Can you believe that all of these interoperate smoothly and seamlessly with each other?

So we can conclude that standards are not yet in a position to help us.

Our objectives

Somewhere in the security debate you lose sight, as we seem in danger of doing, of what your objective actually is, because the technology debate is so much more confusing.

The objective for the user might be summarized as follows (borrowing from the paper world):

- to be certain what they send goes to the right person/place;
- to be certain that the right person/place can read the information;
- to be able to use signed information as proof to a court or other body;
- to stop the wrong people from reading personal and private information.

Some of these wishes are more difficult than others. Just as in the paper world you can’t stop anyone seeing the address on the outside of a letter, the same is true of e-mail. If someone alters that address, it doesn’t go to the right place, and if someone alters the return address (in many countries it is written on the back of the envelope) the recipient may not know where it has come from or it may not, if delivery fails, be returned to the correct sender.
