You may reprint or publish this article free of charge as
long as the bylines are included.
Original URL (The Web version of the article)
---------------------------------------
href="http://www.defendingthenet.com/NewsLetters/Vote
NoConfidenceInSSL.htm" target=_blank>
Vote "No Confidence" In SSL
Title
-----
Vote "No Confidence" In SSL
SSL Encryption - My Mother Was Hacked?
-----------------------------------
I received a frantic email a week or so back from my mother.
While this wasn’t unusual, this wasn’t the typical motherly
report of which sibling did what stupid thing. She’d been
hacked, or so she claimed. While I found it unlikely that
she was hacked in any manner that I define the word, my
curiosity was piqued so I gave her a call to find out
exactly what happened.
Electronic Debit Card Theft
--------------------------
As it turns out, someone had filched her debit card number
and was using an ISP in the former Soviet Union to sign up
for several “singles” websites. Unfortunately, the way she
found out was discovering a negative balance in her checking
account. To her credit, she had already contacted her bank
and had the card frozen. She had also contacted the websites
involved and was in the process of resolving the debts with
them.
Knowing the details, I was comfortable that my mother hadn’t
been hacked, but someone with whom she has done business
with had their customer data compromised in some way. Not
wanting to ignore my familial and professional
responsibilities, I gave her computer a once over. It came
up clean with the exception of the typical doubleclick and
adserver cookies. Taking it a step further I decided to dig
up a couple of “Tips for secure web surfing” links for her
perusal.
Debit Cards, A Direct Link To Your Money
-------------------------------------
I have to admit I was somewhat disappointed in the results
of my search. While there was plenty of good advice
available there were two things I found troublesome. The
first was while most sites highly recommended using credit
cards exclusively for online purchases; only one site
stressed the danger of using debit cards. A debit card is a
direct link into your checking or savings account. Unlike a
credit card, where a fraudulent charge can be disputed and
the issuer will place a hold on the debt, once you reach the
point of disputing a debit card transaction, the money is
already gone.
My second concern was the high emphasis on the use of SSL,
more commonly known as “the little lock in your web
browser”. The Federal Trade Commission lists it first in
their “Shop Online Safely” bulletin which, in my opinion,
overemphasizes its weight.
Once upon a time, SSL certificates were expensive and there
was a relevant vetting process involved in having one
issued. This has created a false belief that an SSL
certificates contribute to a website’s legitimacy. In
reality, a SSL certificate can be had for as little as five
dollars by anybody who has a telephone number. An expensive
Thawte or a Verisign issued certificate provides no more or
less security than their cheaper counterparts. In fact, they
don’t provide any more security than a “bad” certificate
either. An expired or un-trusted certificate is equally
effective at encrypting data as a premium cert. Many
security and IT professionals work with these “bad”
certificates everyday with full confidence that they are
serving the purpose they need them to.
SSL Encrypts Online Web Communications
----------------------------------
For the most part, SSL serves one function only; it secures
the communication between your web browser and the vendor’s
web server at the time your data is transmitted. In reality,
even this isn’t necessarily true. I’ve recently become aware
that some SSL implementations have the option to set the
encryption cipher as “plain text”, meaning that in spite of
the presence of the lock, no encryption actually takes
place.
Conclusion
------------
In a nutshell, technology is not a substitute for due
diligence. The presence of SSL should never be a weighing
factor in deciding to purchase from a vendor, although the
lack of it should be an immediate red flag to take your
business elsewhere.
About the Author
About The Author
----------
Erich Heintz currently specializes in providing network and
security solutions for small to medium businesses that
frequently have to resolve the conflict of need versus
budget. If you would like to know more about
computer security please visit us at
http://www.defendingthenet.com.
Vote "No Confidence" In SSL