SSL Security

Patrick Asselman iceblink at seti.nl
Mon Jun 24 11:44:18 UTC 2013


On 2013-06-24 13:15, Graham Todd wrote:
> I have just come across this Webopedia
> (www.webopedia.com/TERM/S/SSL.html) entry:
>
> "SSL: Short for Secure Sockets Layer, a protocol developed by Netscape
> for transmitting private documents via the Internet. SSL uses a
> cryptographic system that uses two keys to encrypt data − a public key
> known to everyone and a private or secret key known only to the
> recipient of the message. Both Netscape Navigator and Internet Explorer
> support SSL, and many Web sites use the protocol to obtain confidential
> user information, such as credit card numbers. By convention, URLs that
> require an SSL connection start with https: instead of http"
>
> SSL is generally advised for use with browsers and web sites that
> support it, but as confidential information can be harvested (according
> to the Webopedia entry anyway), could anybody advise me on using SSL
> with my bank and similar sites and whether any alternative (and safe)
> should be considered.
>
> I generally use Tor as well when sending confidential information
> through emails or through webmail. As I understand it, my bank does not
> use OpenPGP and would not accept my public gnupg key for decrypting
> encrypted transmissions. Short of changing my bank, can anybody give me
> further advice on which extra measures I can take to be
> reasonably certain I can prevent sensitive information from being
> harvested, and the safest way of sending information by email and
> through websites?
>
> ++
>
> Graham Todd

Graham,

I think you are reading it wrong; the wording is a bit unfortunate.

Where it says "many Web sites use the protocol to obtain confidential 
user information, such as credit card numbers", you should read "many 
Web sites use the protocol to exchange confidential user information, 
such as credit card numbers, in a safe manner".

The only risks of using SSL are:
* the user does not check whether the certificate is OK before 
continuing
* the browser shows that the used certificate is OK but in reality the 
certificate has been stolen and is being abused by a malicious website 
to trick the user into a false sense of security

If you are using the correct URL to access your bank, and your browser 
shows that you are connected via a secure connection, you can safely 
assume that the connection is OK.

Best regards,
Patrick Asselman



