SSL Still Mostly Misunderstood, Even By the Pros 292
An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"
As usual, no one wants to be the leader. (Score:5, Interesting)
The Wikipedia explanation of SSL [wikipedia.org] helps. This explanation [ssl.com] helps, also.
The Do It Yourself SSL Guide [webopedia.com] is useful.
MITM attack on browser downloads (Score:5, Interesting)
Admittedly this would be very hard to do, but theoretically possible and with the resources of a nation state this may have already been done. As most machines are now built in the far east, what would stop the IE that ships with your computer from also having altered CA keys?
Would it even be possible to detect this? You could use MD5 checksums on your downloads, but most of the websites that show an MD5 are unsecure, so they could easily be showing a manipulated version of the checksum.
This strikes me as one of the biggest flaws of our reliance on SSL v2, v3, whatever.
Please tell me that this isn't possible.
Re:MITM attack on browser downloads (Score:3, Interesting)
Re:SSL is trying to do too much. (Score:3, Interesting)
Except, if you don't verify the identity of the recipient, encrypting data is as much use as putting a steel door on a tent.
You know, you hit that analogy perfectly, but apparently did not bother think about it.
A steel door on a tent is much better than no door on a tent.
Let me guess: You think locking a car or house is a waste of time, because any fool can break in via windows? You think it would be better if we couldn't lock our car or house, because locking it gives us a false sense of security?
Perhaps, you should maybe consider that those of us who want a little more security know exactly what we're asking for and what the weakness of it is, but think sometimes a small level of security is a better choice than none?
That maybe we think protecting web forum password from sniffers, and from man-in-the-middle attacks because it saved the cert when you went there the first time, might be a vaguely logical thing to do, and yet those thousands of forums are not going to purchase SSL certs?
Oh, and while we're at it, companies would no longer have to fuck around with self-signed certs for intranet sites.
We do expect average people to understand SSL (Score:3, Interesting)
"'People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know how to what SSL is and what it does"
Actually, everyone expects that grandpa nad grandma will understand SSL..if they want to do any secure transactions online.
Not matter how the browsers display certificates, unless people know what they are and why they are there then they won't be secure.
What percentage of people would call their bank to complain if they internet banking website didn't give an SSL certificate?
Browsers make a big deal about fake certificates, or self-signed certificates, but don't say anything when you go do an unencrypted site.
It's a terrible state of affairs, and until either secure transactions get eaiser or certificates are used widely enough that browsers can warn when a site isn't using one transactions of the average joe won't be secure at all.
- Jesse McNelis