SSL Security

Colin Law clanlaw at googlemail.com
Mon Jun 24 15:24:23 UTC 2013


On 24 June 2013 15:53, Graham Todd <gct7photography at gmail.com> wrote:
> On Mon, 24 Jun 2013 13:44:18 +0200
> Patrick Asselman <iceblink at seti.nl> wrote:
>
>> On 2013-06-24 13:15, Graham Todd wrote:
>> > I have just come across this Webopedia
>> > (www.webopedia.com/TERM/S/SSL.html) entry:
>> >
>> > "SSL: Short for Secure Sockets Layer, a protocol developed by
>> > Netscape for transmitting private documents via the Internet. SSL
>> > uses a cryptographic system that uses two keys to encrypt data − a
>> > public key known to everyone and a private or secret key known only
>> > to the recipient of the message. Both Netscape Navigator and
>> > Internet Explorer support SSL, and many Web sites use the protocol
>> > to obtain confidential user information, such as credit card
>> > numbers. By convention, URLs that require an SSL connection start
>> > with https: instead of http"
>> >
>> > SSL is generally advised for use with browsers and web sites that
>> > support it, but as confidential information can be harvested
>> > (according to the Webopedia entry anyway), could anybody advise me
>> > on using SSL with my bank and similar sites and whether any
>> > alternative (and safe) should be considered.
>> >
>> > I generally use Tor as well when sending confidential information
>> > through emails or through webmail. As I understand it, my bank does
>> > not use OpenPGP and would not accept my public gnupg key for
>> > decrypting encrypted transmissions. Short of changing my bank, can
>> > anybody give me further advice on which extra measures I can take
>> > to be reasonably certain I can prevent sensitive information from
>> > being harvested, and the safest way of sending information by email
>> > and through websites?
>> >
>> > ++
>> >
>> > Graham Todd
>>
>> Graham,
>>
>> I think you are reading it wrong, the wording is a bit unfortunate.
>>
>> Where it says "many Web sites use the protocol to obtain confidential
>> user information, such as credit card numbers", you should read "many
>> Web sites use the protocol to exchange confidential user information,
>> such as credit card numbers, in a safe manner"
>>
>> The only risks of using SSL are:
>> * the user does not check whether the certificate is OK before
>> continuing
>> * the browser shows that the used certificate is OK but in reality
>> the certificate has been stolen and is being abused by a malicious
>> website to trick the user into a false sense of security
>>
>> If you are using the correct URL to access your bank, and your
>> browser shows that you are connected via a secure connection, you can
>> safely assume that the connection is OK.
>>
>> Best regards,
>> Patrick Asselman
>>
>
> Patrick,
>
> Thank you very much.  If that is the case, then the wording is
> unfortunate indeed. The phrase that worried me is:
>
> "many Web sites use the protocol (SSL) to obtain confidential
> user information, such as credit card numbers."
>
> I had always assumed that the situation is as you have described, and I
> had to read the entry three times before I understood what was being
> said.  Thanks again, as you have now made me feel less uncomfortable!
> However, my reading of the piece (admittedly only half of the Webopedia
> entry) is that "many web sites" do in fact obtain confidential
> information via the SSL protocol, so are the sites in question known,
> and is the use of SSL a preventative measure to their being able to
> obtain this information, even if I take the steps you advocate?

You are still misinterpreting it (and it is badly phrased).  The "many
web sites" referred to are the ones you connect to, such as your bank,
utility provider, and so on.  When you connect to your bank web site
you type in your password and the web site "obtains" that password via
the SSL protocol.  The fact that it is using SSL stops your
communications being interpreted by others between your PC and the
bank.  So the "many web sites" that obtain the confidential
information are the ones that you want to get the information, not
other websites.

Colin

>
> In other words can they get their hands on to this information and
> could they (unbeknown to me) pass it on to a third party?
>
>
>
> ++
>
> Graham Todd
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users