Safe Internet Shopping with SSL – Or is it?
Internet security layers are not what they seem
Isn't it great that we have SSL (Secure Socket Layer)? Now we are saved from the ugly hand of fraud; now we are secure; we can shop online, comfortable in the knowledge that everything we do is encrypted! As long as you see a padlock in your browser, you can hand over your credit card details, talk about your personal problems, and disclose all the confidential details of your financial affairs. This is the answer to all our problems, the Holy Grail of secure Internet shopping! Or is it?
What is SSL?
Secure Socket Layer (and its successor TLS, Transport Layer Security) was designed by the people who brought us the Netscape browser. At bottom it is a data transport protocol: it encrypts the data travelling between your browser and the server.
How does it work?
Internet merchants wanting to use the system obtain an SSL certificate. The certificate is data that has been digitally signed by a CA (Certification Authority, someone we are supposed to trust); because it carries the signature of a trustworthy institution, we are supposed to trust the data it contains. When you need to submit confidential information to a website (and you don't intend anyone else to see it), you go to its secure site. You can tell it is secure because the URL starts slightly differently: 'https'. Notice the "s" at the end of "http", signifying "secure". This indicates that you have established an SSL session.
You will also notice a padlock at the bottom right of your browser window, signifying an SSL connection. Many users are not familiar with this padlock yet; it has taken the industry about 5 years to 'educate' us to associate a secure connection with this little padlock!
What is it supposed to provide?
OK, now I see the padlock; what does it really mean? All it means is that you have an encrypted channel (link) with the owner of that certificate.
So does this mean that the URL (web address) I see in my browser bar is who I have a secure link with? NO! All it means is that you have an encrypted link with the certificate holder. There is no verifiable or trustworthy link between the padlock and what you see in your URL bar, unless you double-click the padlock to view the details of the certificate and compare them with what is shown in the URL bar, which not many of us know about or are willing to do.
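The manual check the text describes (open the certificate behind the padlock and compare its names with the address bar), as an added Python example that is not part of the original article: cert_dns_names, name_matches and padlock_matches_url are my own helpers, SAMPLE_CERT is a constructed certificate in the shape Python's ssl.getpeercert() returns, and fetch_peer_cert is an optional live variant that needs network access.

```python
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "shop.example.com"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.pay.example.com")),
}

def cert_dns_names(cert):
    """Names the certificate claims: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; one wildcard allowed in the left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".pay.example.com"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label   # exactly one extra label
    return False

def padlock_matches_url(cert, url_host):
    """The manual check: does the host in the address bar appear in the certificate?"""
    return any(name_matches(name, url_host) for name in cert_dns_names(cert))

def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant: fetch the certificate a server presents, still requiring a
    signature from a trusted CA but leaving the name comparison to us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # we compare names ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED           # CA signature is still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(padlock_matches_url(SAMPLE_CERT, "shop.example.com"))            # True
    print(padlock_matches_url(SAMPLE_CERT, "shop.example.com.evil.test"))  # False
```

The function makes explicit which fields are compared: the SAN DNS entries (or, failing that, the subject CN) against the host part of the URL, with a wildcard accepted only for the left-most label.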
What's more, how do I know that the padlock I see is an authentic one? Well, you don't: for all you know it could be faked by a simple piece of code on the website.
At the end of the day, the idea of SSL is a good one, but without verification technologies that let the end user easily verify the authenticity of a padlock or other icon, it cannot be completely trusted as a sign of a secure connection.
Chief Security Architect – Comodo Group
The Comodo companies provide the infrastructure that is essential in enabling e-merchants, other Internet-connected companies, software companies, and individual consumers to interact and conduct business via the Internet safely and securely. The Comodo companies offer PKI SSL, Code Signing, Content Verification and Email Certificates; award-winning PC security software; vulnerability scanning services for PCI compliance; and secure e-mail and fax services.
Continual innovation, a core competence in PKI, and a commitment to reversing the growth of Internet crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo secures and authenticates online transactions and communications for over 200,000 business customers and 3,000,000 users of our desktop security products.
For additional information on Comodo – Creating Trust Online® visit Comodo.com
For more information, reporters and analysts may contact:
Office: +1 (888) 266-6361