Why SSL is not enough to secure your credit card details
Written by ArticSoft
SSL (secure sockets layer) is the security technology everyone uses to ensure that their web connections are secure. An SSL connection is symbolized by a padlock icon in the right-hand side of the taskbar and a URL that starts with ‘https’, the ‘s’ standing for a secure http connection. What trust, however, should users associate with SSL?

Confidentiality

SSL uses a method known as public key authentication in order to provide a confidential link between the server and the client computer. This can be a very strong and effective method. It allows you to establish a strong confidential link between a server and a client without either knowing about the other beforehand. And that’s where the problems really begin.

Public key authentication works where each end of a connection can independently check that the other end is real. It’s the same idea as getting a cheque from someone you don’t know and calling their bank to see if it’s OK. That’s why it doesn’t really work. If it was going to work, the server would have to be able to find out if the client key really belonged to them or not – and it can’t. In our bank example, it’s like having a cheque without the bank name on it or the customer name the bank knows you by, so that you can’t even ask the question. In fact, if that happened you probably wouldn’t accept the cheque!

As a result, the server can’t tell if a hacker has diverted you via their own site and is playing a ‘man-in-the-middle’ attack where the hacker gets to see all the data going both ways. Usually the server uses an identification that has been approved by one of the companies whose information is stored inside your browser. That’s why at the client end it all seems fine. There is just the minor problem that you can’t actually tell if the identity is still valid because there’s no way in the current system to do that. Not surprisingly, there is nothing happening that allows the server to link the information arriving at it with the actual user of the client PC. It is always assumed that the information comes from there but you can’t prove it.
Does SSL protect you, or is it a condom that is open at both ends?
Written by ArticSoft
For the last five or so years, SSL has been paraded as the technology that secures the Internet. All you have to do is look and see the padlock on the bottom of the screen and you can be sure it’s safe.

Is it true?

SSL is a technology for providing a secure connection between two places. It provides secure links, or pipes, between wherever it starts and wherever it stops. What it does not do is actually secure any of the data that passes through the pipe, or really know where either end of the pipe actually is. What you can be sure of is that anything put into one end of the pipe is going to come out wherever the other end is.

But surely the data is fully protected?

Yes, whilst the data is in the pipe it is protected. Now, assuming – and unfortunately that’s what we have to do – that you know for sure where each end of the pipe is, and you are sure that each end is very secure, and you know for certain who is at each end, then you’re OK. If any of those is not true then you do have a problem.

My data is SSL protected between the server and me, so why should I worry?

Well, no one at the server end really knows whom the data is from because they don’t know what your identity is. They assume that the data arriving through the pipe is right, and that your identity can be presumed from the data, not the other way around. Unfortunately there are hacker attacks that divert your link through their own site, where they can pretend to each end that they are the other entity without either end being the wiser. (This is called a man-in-the-middle attack using web site spoofing.)