18th April 2011
nilsgecko
Re: SSL

Quote:
Originally Posted by ai-danno
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in-the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place).

Here's a fun article about cracking SSL itself. I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another. This one is a more technical paper that describes the toughness of SSL.

I don't see where SSL would be considered insecure if properly implemented. The biggest issue I would think is that it only authenticates from the server side, and doesn't authenticate the client. In other words, someone who can gain access to your credentials (say online banking passwords etc.) can 'authenticate' from anywhere since the session establishment is only one-way.

Also, as evidenced by the recent Comodo partner-hack, it can take some time before a Certificate Authority finds out that a certificate has been issued by the wrong hands...

SSL only works for TCP too, not UDP, which, as I understand it, things like VoIP use.