February 25th, 2003, 12:05 AM
SSL (False?) Security
I was reading recently about the security (or as the author put it, "false security") of SSL traffic, and I thought that I might share it with everyone in case they were not aware of it.
I get the impression that during E-Commerce transactions, people feel at more ease providing confidential info such as Credit Card Details etc when they see a "https://" or a little locked padlock in their browser.
But is this a false sense of security?
How often have you checked the certificate details when in an SSL session?
Sure, maybe your traffic is encrypted so that no one can sniff your details off the wire during transit, but who are you actually providing these details to, and is it who you think it should be?
Also, how securely is your confidential information stored?
When you provide a company these confidential details, you have no idea where these details are being stored, and how secure the server is, who has access to it etc...
Just some food for thought...
There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
February 25th, 2003, 02:29 AM
Soggy's got a point there, ppl are too trustworthy, and I thought of it once or something similar.
The fact is ppl don't, they just go on blind faith, but anyway good food for contemplation.
February 25th, 2003, 11:22 AM
What can be a way around this ?
Maybe there has to be like an ISI mark on websites which means their security is certifiable or something. hmm..
"I have a 386 Pentium."
February 25th, 2003, 11:42 AM
The SSL certificate does not validate the trustworthiness of the target organisation. It *does*, however, name them and certify that they do exist, and are who they say they are. SSL certificates are difficult to forge (difficult = read cryptographically strong - you have to crack a key of at least 512 bits).
Therefore, while it won't stop you from getting ripped off, at least you'll know who you were ripped off by.
If you only do business with domestic companies and ones from other countries where similar laws apply, you then stand a reasonable chance of being able to sue them if they rip you off.
February 25th, 2003, 12:59 PM
slarty is right..
I never do business outside of the European Union.
And never (again) with private persons.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
February 25th, 2003, 02:22 PM
SSL is a false sense of security. All an SSL connection does is secure the data while it is being sent from point A to B. It does not offer any security for the data on the web server itself.
Nearly all attacks on a web application that have exposed personal information attack the web application itself (SQL injection, XSS etc etc). All an SSL connection does in this case is to encrypt the attack, not stop it.
How many times have you been to a web site, logged in and then you are directed to an SSL connection? I've seen it quite a few times. So you send your password and user name in clear text, so what is the point of having an SSL connection in that case? The SSL connection should be in place before you login.
Well to sum up, an SSL connection is another tool in the box, that has to be used correctly and in conjunction with other security measures.
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"