SSL (secure sockets layer) is the security ... everyone uses to ensure that their web ... are secure. An SSL ... is ... by a padlock icon in the ... side of the tas
SSL (secure sockets layer) is the security technology everyone uses to ensure that their web connections are secure. An SSL connection is symbolized by a padlock icon in the right-hand side of the taskbar and a URL that starts with Ďhttpsí, the Ďsí standing for a secure http connection. What trust, however, should users associate with SSL?
SSL uses a method known as public key authentication in order to provide the confidential link between the server and the client computer. This can be a very strong and effective method. It allows you to establish a strong confidential link between a server and a client without either knowing about the other beforehand. And thatís where the problems really begin.
Public key authentication works where each end of a connection can independently check that the other end is real. Itís the same idea as getting a cheque from someone you donít know and calling their bank to see if itís OK. Thatís why it doesnít really work. If it was going to work, the server would have to be able to find out if the client key really belonged to them or not Ė and it canít. In our bank example, itís like having a cheque without the bank name on it or the customer name the bank knows you by so that you canít even ask the question. In fact if that happened you probably wouldnít accept the cheque!
As a result, the server canít tell if a hacker has diverted you via their own site and is playing a Ďman-in-the-middleí attack where the hacker gets to see all the data going both ways. Usually the server uses an identification that has been approved by one of the companies whose information is stored inside your browser. Thatís why at the client end it all seems fine. There is just the minor problem that you canít actually tell if the identity is still valid because thereís no way in the current system to do that. Not surprisingly, there is nothing happening that allows the server to link the information arriving at it with the actual user of the client PC. It is always assumed that the information comes from there but you canít prove it.
Is the padlock real?
Although the SSL padlock has been on the bottom of the screen for a while now, only the most adventurous have tried doing things like clicking on it. If you did you might be in for a surprise.
The first thing is that you canít tell if the padlock is genuine. After all, anyone can write a padlock to that point on the screen, itís not a special protected area of some kind. So seeing the padlock appear neednít mean a secure connection is actually in place. If you do click on it you should see the web site address for the site of the server that purchased the certificate being used. You should compare this with the web site address shown in your browser tool bar. It is important to read it carefully since you are the one doing the checking, there is nothing automated about the comparison.
What needs to change?
Several things need to change before you should feel comfortable using SSL.
1) Getting enough functionality onto the client system to be able to sign and encrypt actual data instead of trying to make secure connections to places you donít know.
2) Providing clients with the ability to check that certificates sent from servers are still genuine (check to see if they have been revoked) automatically. Then users can be sure that no man-in-the-middle can read the information they send, and that the server they are dealing with is for real.
3) The client needs an identity that can be authenticated by the server (this does not have to mean that users need to go out and buy a certificate, the server site may provide them with a suitable certificate as a separate process).
4) Automating this whole process so that the user does not have to click on the padlock icon to find out if the security is real.
ArticSoft have over 30 years experience in the field of computer security, and 15 years experience of securing information on personal computers and messaging systems. Our CEO Steve Mathews, is one of the authors of BS7799 (now ISO/IEC 17799) and is well recognized in the security industry.