Isn't it great that we have SSL (Secure Sockets Layer)? Now we are saved from the ugly hand of fraud; now we are secure, and we can shop online in the comfort of knowing that everything we do is encrypted! As long as you see a padlock in your browser, you can hand over your credit card details, talk about your personal problems, and disclose every confidential detail of your financial affairs. This is the answer to all our problems, the Holy Grail of secure Internet shopping! Or is it?
By Melih Abdulhayoglu, Chief Security Architect - Comodo Group
SSL, the Secure Sockets Layer (and its successor TLS, Transport Layer Security), was designed by the people who brought us the Netscape browser technology. At heart it is a data transport protocol.
Internet merchants wanting to use the system get an SSL Certificate. The Certificate is data that has been digitally signed by a CA (Certification Authority, someone we are supposed to trust). Because it has been digitally signed by a trustworthy institution (the CA), we are supposed to trust the data it contains. When you need to submit confidential information to a website (and you don’t intend anyone else to see it), you go to its secure web site. You can tell it’s secure because the URL starts slightly differently: "HTTPS" or "https". Notice the "s" at the end of http, signifying "secure". This indicates that you have established an SSL session over an https-secured URL.
Also notice that you now have a padlock showing in the bottom right of your browser, signifying an SSL connection. Many users are not familiar with this padlock yet. It has taken the industry about 5 years to ‘educate’ us to associate a secure connection with this little padlock!
OK, now I see the padlock, but what does it really mean? All it means is that you have an encrypted channel with the owner of that certificate.
So does this mean that the URL (web address) I see in my browser bar belongs to the party I have a secure link with? NO! All it means is that you have an encrypted link with the certificate holder. There is no verifiable or trustworthy link between the padlock and what you see in your URL bar, unless you double-click the padlock to view the details of the SSL certificate and then compare the name in it with what is shown in the URL, which not many of us know how to do or are willing to go through.
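The manual check described above (open the certificate and compare its name with the URL bar) is exactly the comparison a browser has to make in code. As an added example, not part of the original article, here it is in Python over constructed certificates laid out the way `ssl.getpeercert()` returns them; the certificates and hostnames are made up.

```python
"""Compare the name a TLS certificate vouches for with the host in the URL bar.

Rules follow RFC 6125 / RFC 2818: subjectAltName dNSName entries are authoritative,
the subject commonName is only a fallback, and a wildcard covers one leftmost label.
"""
from urllib.parse import urlsplit


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, with at least two literal
    # labels after it, so '*.com' or 'sh*p.example.com' never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate vouches for, in the dict layout ssl.getpeercert() uses."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # No dNSName entries at all: fall back to the subject's commonName.
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def padlock_names_this_site(url: str, cert: dict) -> bool:
    """True only if the certificate behind the padlock names the host in the URL bar."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(name_matches(name, host) for name in cert_names(cert))


# Constructed sample certificates (not real), in ssl.getpeercert() layout.
SHOP_CERT = {"subject": ((("commonName", "shop.example.com"),),),
             "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.example.com"))}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
# A perfectly valid certificate, so the padlock shows, but issued to a different holder.
OTHER_CERT = {"subject": ((("commonName", "pay.example.net"),),),
              "subjectAltName": (("DNS", "pay.example.net"),)}

if __name__ == "__main__":
    for url, cert in [("https://shop.example.com/checkout", SHOP_CERT),
                      ("https://shop.example.com/checkout", OTHER_CERT),
                      ("https://deep.shop.example.com/", WILDCARD_CERT)]:
        print(url, "->", "names this site" if padlock_names_this_site(url, cert) else "MISMATCH")
```

The second sample shows the article's point: an encrypted link and a valid, signed certificate, yet the certificate holder is not the site in the URL bar.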
What’s more, how do I know that the padlock I see is an authentic one? Well, you don’t: for all you know it could be faked by a simple piece of code in the website.
At the end of the day, the idea behind SSL is a good one, but without verification technologies that let the end user easily verify the authenticity of a padlock or other icon, it cannot be completely trusted as a sign of a secure connection.