Why SSL is not enough to secure your credit card details
Written by ArticSoft
SSL (secure sockets layer) is the security technology everyone uses to ensure that their web connections are secure. An SSL connection is symbolized by a padlock icon in the right-hand side of the taskbar and a URL that starts with ‘https’, the ‘s’ standing for a secure http connection. What trust, however, should users associate with SSL?
SSL uses a method known as public key authentication in order to provide a confidential link between the server and the client computer. This can be a very strong and effective method. It allows you to establish a strong confidential link between a server and a client without either knowing about the other beforehand. And that’s where the problems really begin.
Public key authentication works where each end of a connection can independently check that the other end is real. It’s the same idea as getting a cheque from someone you don’t know and calling their bank to see if it’s OK. That’s why it doesn’t really work. If it was going to work, the server would have to be able to find out if the client key really belonged to them or not – and it can’t. In our bank example, it’s like having a cheque without the bank name on it or the customer name the bank knows you by, so that you can’t even ask the question. In fact, if that happened you probably wouldn’t accept the cheque!
As a result, the server can’t tell if a hacker has diverted you via their own site and is playing a ‘man-in-the-middle’ attack where the hacker gets to see all the data going both ways. Usually the server uses an identification that has been approved by one of the companies whose information is stored inside your browser. That’s why at the client end it all seems fine. There is just the minor problem that you can’t actually tell if the identity is still valid because there’s no way in the current system to do that. Not surprisingly, there is nothing happening that allows the server to link the information arriving at it with the actual user of the client PC. It is always assumed that the information comes from there but you can’t prove it.
Does SSL protect you, or is it a condom that is open at both ends?
Written by ArticSoft
For the last five or so years, SSL has been paraded as the technology that secures the Internet. All you have to do is look and see the padlock on the bottom of the screen and you can be sure it’s safe.
Is it true?
SSL is a technology for providing a secure connection between two places. It provides secure links, or pipes, between wherever it starts and wherever it stops.
What it does not do is actually secure any of the data that passes through the pipe, or really know where either end of the pipe actually is. What you can be sure of is that anything put into one end of the pipe is going to come out wherever the other end is.
But surely the data is fully protected? Yes, whilst the data is in the pipe it is protected. Now, assuming – and unfortunately that’s what we have to do – that you know for sure where each end of the pipe is, and you are sure that each end is very secure, and you know for certain who is at each end, then you’re OK. If any of those is not true then you do have a problem.
My data is SSL protected between the server and me, so why should I worry? Well, no one at the server end really knows whom the data is from because they don’t know what your identity is. They assume that the data arriving through the pipe is right, and that your identity can be presumed from the data, not the other way around. Unfortunately there are hacker attacks that divert your link through their own site, where they can pretend to each end that they are the other entity without either end being the wiser. (This is called a man-in-the-middle attack using web site spoofing.)
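The asymmetry both articles describe (the client checks an identification for the server, while the server learns nothing verifiable about who the client is) is visible in the defaults of Python's standard ssl module. The following is an added example, not part of the original ArticSoft articles; the function names are hypothetical, and the last context shows one way a server can be configured to require a client certificate.

```python
import ssl


def peer_authentication(ctx: ssl.SSLContext, role: str) -> dict:
    """Summarise whom the endpoint using ctx authenticates in the handshake.

    role is "client" or "server": the side of the connection that uses ctx.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    cert_required = ctx.verify_mode == ssl.CERT_REQUIRED
    # check_hostname only applies to clients: it ties the server certificate
    # to the host name the user asked for, not merely to a trusted CA.
    name_checked = bool(ctx.check_hostname)
    return {
        "authenticates": "server" if role == "client" else "client",
        "peer_certificate_required": cert_required,
        "peer_name_checked": name_checked,
        "peer_identity_known": cert_required and (role == "server" or name_checked),
    }


def default_client_context() -> ssl.SSLContext:
    # What a browser-like client does: trust the CAs installed on the machine.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def default_server_context() -> ssl.SSLContext:
    # A typical web server: presents its own certificate, asks the client for none.
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def mutual_tls_server_context() -> ssl.SSLContext:
    # Hardened variant: the handshake fails unless the client presents a
    # certificate. A real deployment also calls load_cert_chain() for the
    # server's own key and load_verify_locations() with the CA that issues
    # client certificates (paths omitted here; they are deployment-specific).
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for role, ctx in (("client", default_client_context()),
                      ("server", default_server_context()),
                      ("server", mutual_tls_server_context())):
        print(role, peer_authentication(ctx, role))
```

With the default server context, the only things tying a request to a person are the data sent inside the encrypted connection, which is the gap the articles point at.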