How does https and SSL keep my information safe?

Hey Dave! How does secure SSL actually work, and if all these sites are using this much-vaunted https/SSL security, how come they still get customer data ripped off?

We really need to look at this as two partially related questions. First we'll look at SSL, how the technology itself works, and why it is considered secure. Then we'll look at a couple of cases of customer data theft and see where the data really went, and whether SSL had anything to do with it.

SSL is an acronym for Secure Sockets Layer 3.0, which has recently been replaced by Transport Layer Security (TLS) 1.1; you can read all the glorious Technicolor details by reviewing the RFC 4346 (Request For Comments) document over at the Internet Engineering Task Force. But let's just talk about it as if we were humans, shall we?

SSL and TLS are ways that we can be assured of who we are communicating with (endpoint authentication) and hide that communication from the outside world. TLS also prevents others from injecting new messages into our conversation and from changing messages sent by either party.

Endpoint authentication is typically only performed for the server side of the conversation. We just want to make sure that we really are on our bank's web site and not some phony. The bank is not concerned enough about authenticating us at this layer, as we'll do that with our account number and other information like that. There are dual-authentication applications where they want to make sure we are only on a certain PC or IP address, etc., but those are pretty much James Bond 007 circumstances.

When we go to a web site whose address starts with https://, that tells the browser to use port 443 instead of the normal http:// port of 80. A secure conversation starts with a handshake between us and the server in which we decide which encryption protocol we both understand and trade some key information that confirms who is who through the use of Certificates.
Certificate Authorities guarantee to us that they have done all they can to confirm that someone handing out a certificate is who they say they are. Look in your IE browser at Tools -> Internet Options -> Content -> Publishers -> Trusted Root Certification Authorities (Figure 1) to see who your browser trusts.

Our browser looks up the certificate and the Trusted Root that created it to see if the certificate is really any good. When we determine that it is, we continue with the conversation and you see the little padlock close on your browser (Figure 2).

What does all this have to do with companies losing private data? Not much. The data thefts that we keep reading about are not due to SSL or TLS failing. They are primarily due to people failing to follow basic protection policies, or to companies not having those policies in place at all.

When the Veterans Administration lost 26 million records of service men and women, it was because an analyst had taken a laptop containing the information home (the analyst claims that he had specific approval to do so, but that's a different post). The PC was then stolen by local burglars who, fortunately, never did know what they really had in their possession. The laptop was eventually recovered, and there has not been any evidence that the personal data was used to impersonate anyone.

Information Week recently reported that TJX Co., the parent of TJ Maxx, finally told the SEC that it lost control of over 45 million customer records over a period of several years. There is some evidence surfacing that the original breach may have been due to an unsecured wireless network. These lost records HAVE been used in Florida to create credit cards, which were used to buy Wal*Mart and Sam's Club gift cards, which were then used at the stores.

So you can see that SSL or TLS is not responsible for these thefts; unsecured back-end systems are where the information is being lost.
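Returning to the certificate check described above, here is an added example (not from the original article) of the three questions a client answers before the padlock may close: is the certificate still valid, was it issued for the host we typed in, and did a trusted root vouch for it. The certificate is a constructed Python dict in the layout Python's ssl `getpeercert()` returns, the "Example Root CA" trust list is assumed, and the chain's signature verification, which the TLS library performs, is not repeated here.

```python
import ssl

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns;
# not a real certificate, and the "Example Root CA" issuer is assumed.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
}

def _name_attr(name, key):
    """Pull one attribute (e.g. commonName) out of a subject/issuer tuple-of-tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _host_matches(pattern, hostname):
    """Exact match, or a wildcard that covers the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_peer_cert(cert, hostname, trusted_root_cns, now):
    """Return the reasons to reject the certificate; an empty list means
    the padlock may close.  `now` is seconds since the epoch (UTC)."""
    problems = []
    # 1. Is the certificate inside its validity window?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")
    # 2. Was it issued for the host we typed into the address bar?
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the host only in commonName
        names = [_name_attr(cert["subject"], "commonName")]
    if not any(n and _host_matches(n, hostname) for n in names):
        problems.append(f"certificate was not issued for {hostname}")
    # 3. Did a root the browser trusts (Figure 1) vouch for it?
    if _name_attr(cert["issuer"], "commonName") not in trusted_root_cns:
        problems.append("issuer is not in the trusted root store")
    return problems
```

A phony site that presents a certificate it obtained for its own name, or one signed by a CA the browser does not trust, fails checks 2 or 3 and the padlock stays open.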
The only way to protect yourself from becoming a victim of ID theft is to be vigilant about watching your credit card statements and balances and checking your credit report periodically. Go to AnnualCreditReport.com, the official site created by the big three credit reporting agencies to provide you with your required free annual credit report.

This article was contributed by network security consultant Tim Heagarty, CISA, CISSP, MCSE. He's based in Lexington, KY and you can contact Tim at heagarty.com/tim.
Categorized: Computer and Internet Basics (Article 7393)
Tagged: https, identity theft, online security, ssl
This is some excellent information about ssl/tls. So now that we know that the ssl/tls certificate confirms security of the information when it is being sent from the server to the computer, what is the best method for confirming the back-end security of a site? Would you say that the best way for a consumer to confirm their information is safe after it arrives at the server is to have a hacker safe logo? There really should be a method or standard for the industry to have a storage certificate as well to further protect consumers.

Dave, thank you for being on top of this kinda stuff! Question: somehow my settings have changed and I can't

Dave and Mike, there is, unfortunately, no good way to be completely safe and secure with your personal information. If you check out the "hacker safe" logo sites, they give you more information about where to put the logo so that the customer sees it to increase sales than they give about security. They are primarily only performing port and application scanning, which does very little or nothing to assure your information will be safe once in the company's hands. The only way to be safe with your information is not to give it out. Take a look at this news article on CNET http://news.com.com/2100-1017-245428.html about American Express's new one-time card. They will give you a card number to use for a single transaction which cannot be used beyond that transaction. SSL and other protocols are "probably" not behind not being able to log onto Yahoo.com. Clear your browser cache first to get out the cobwebs and try again.

Posted by: Tim Heagarty at May 28, 2007 11:09 PM