SSL Security
Graham Todd
gct7photography at gmail.com
Mon Jun 24 14:53:55 UTC 2013
On Mon, 24 Jun 2013 13:44:18 +0200
Patrick Asselman <iceblink at seti.nl> wrote:
> On 2013-06-24 13:15, Graham Todd wrote:
> > I have just come across this Webopedia
> > (www.webopedia.com/TERM/S/SSL.html) entry:
> >
> > "SSL: Short for Secure Sockets Layer, a protocol developed by Netscape
> > for transmitting private documents via the Internet. SSL uses a
> > cryptographic system that uses two keys to encrypt data − a public key
> > known to everyone and a private or secret key known only to the
> > recipient of the message. Both Netscape Navigator and Internet Explorer
> > support SSL, and many Web sites use the protocol to obtain confidential
> > user information, such as credit card numbers. By convention, URLs that
> > require an SSL connection start with https: instead of http"
> >
> > SSL is generally advised for use with browsers and web sites that
> > support it, but as confidential information can be harvested (according
> > to the Webopedia entry anyway), could anybody advise me on using SSL
> > with my bank and similar sites and whether any alternative (and
> > safe) should be considered.
> >
> > I generally use Tor as well when sending confidential information
> > through emails or through webmail. As I understand it, my bank does not
> > use OpenPGP and would not accept my public gnupg key for decrypting
> > encrypted transmissions. Short of changing my bank, can anybody give me
> > further advice on which extra measures I can take to be
> > reasonably certain I can prevent sensitive information from being
> > harvested, and the safest way of sending information by email and
> > through websites?
> >
> > ++
> >
> > Graham Todd
>
> Graham,
>
> I think you are reading it wrong, the wording is a bit unfortunate.
>
> Where it says "many Web sites use the protocol to obtain confidential
> user information, such as credit card numbers", you should read "many
> Web sites use the protocol to exchange confidential user information,
> such as credit card numbers, in a safe manner"
>
> The only risks of using SSL are:
> * the user does not check whether the certificate is OK before
> continuing
> * the browser shows that the used certificate is OK but in reality
> the certificate has been stolen and is being abused by a malicious
> website to trick the user into a false sense of security
>
> If you are using the correct URL to access your bank, and your
> browser shows that you are connected via a secure connection, you can
> safely assume that the connection is OK.
>
> Best regards,
> Patrick Asselman
>
Patrick,

Thank you very much. If that is the case, then the wording is
unfortunate indeed. The phrase that worried me is:

"many Web sites use the protocol (SSL) to obtain confidential
user information, such as credit card numbers."

I had always assumed that the situation is as you have described, and I
had to read the entry three times before I understood what was being
said. Thanks again, as you have now made me feel less uncomfortable!

However, my reading of the piece (admittedly only half of the Webopedia
entry) is that "many web sites" do in fact obtain confidential
information via the SSL protocol, so are the sites in question known,
and is the use of SSL a preventative measure to their being able to
obtain this information, even if I take the steps you advocate?

In other words can they get their hands on to this information and
could they (unbeknown to me) pass it on to a third party?

++

Graham Todd