Saturday, November 17, 2007

SSL - Is it secure? Yes, it is.

People have often told me that SSL is a secure communication protocol. They think about it in two ways: 1) all my data is encrypted and no hacker can get it, 2) the server knows who I am, so I am authenticated. Stop - wait a minute. First of all, SSL is a secure way to communicate: secure from a point A to a point B. If SSL is used to secure HTTP connections, then A is your Internet browser and B is the HTTP daemon on the web server at the other end. So what you are typing in is not encrypted, and the data stored on B is also not encrypted, at least not by the SSL communication. Okay, back to the communication between A and B. You know only the identity of the server, but how? Your DNS server directs you to the correct IP address, and an official Internet authority (e.g. GlobalSign) has issued an SSL server certificate for the server after checking certain criteria, which should prove the identity of the organization that is running the server. As long as you are using a trustworthy DNS, the Internet authority did its job, no one has installed an "odd" root CA in your browser, and you are not getting an SSL error message when you open the web site, the SSL connection is secure.
But on the web server an administrator or hacker could still copy data, or someone might think she can sell your address data. So at least check the privacy statement on the website. If something is wrong, such as an error on SSL connect or a privacy statement that sounds weird, don't type in any personal information.
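
The conditions above (a certificate issued by a trusted authority, matched to the server you asked for, and no "odd" root CA) correspond to settings on the client side of the connection. The following Python code is an added example, not part of the original post; the function names and the weak context are constructed for illustration.

```python
import socket
import ssl

def audit_context(ctx):
    """Return the reasons this client context would NOT prove the server's identity."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted root CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name requested")
    return findings

def trusted_root_names(ctx):
    """Organization names of the root CAs loaded in ctx (review these for odd entries)."""
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "organizationName":
                    names.add(value)
    return sorted(names)

def peer_identity(host, port=443):
    """Connect from A to B and return (subject, issuer) of B's certificate.
    Raises ssl.SSLCertVerificationError instead of returning if verification fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["subject"], cert["issuer"]

# Verifying client: chain and host name are both checked.
strict = ssl.create_default_context()

# Constructed weak client: traffic is still encrypted, but any certificate is accepted,
# so A no longer knows who B is.
weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
weak.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
weak.verify_mode = ssl.CERT_NONE

if __name__ == "__main__":
    print("strict:", audit_context(strict) or "server identity is verified")
    print("weak:  ", audit_context(weak))
    print("root CA organizations loaded:", len(trusted_root_names(strict)))
```

`peer_identity` needs network access and is not called by the script itself; on systems that load root CAs lazily from a directory, the root CA count can be 0 until a connection has been made.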
