I've reported before about the limitations of SSL (Secure Sockets Layer - the little padlock that lights up when you buy something on-line and are typing in your credit card number). SSL is used extensively to secure Internet connections for on-line transactions. People assume they are safe during an SSL session.
Dan Kaminsky again gave a presentation on flaws in SSL at the recent Black hat and Defcon conferences. He has spoken about these issues many times over the past year. William Jackson comments on Dan's presentation and that of another security researcher in today's GCN: Digital certificate standard yields to hackers.
In greatly simplified layman's terms SSL uses cryptographic keys, or certificates, to secure your connection. GCN:
Digital certificates use public/private key pairs to sign and validate the IDs as a way to authenticate the identity of a person, machine or application online. Authentication is a necessary element of security.
Think of it as a "Shave and a Haircut" password at the mathematical level. Until DNSSEC is implemented we have no overall authentication of who is who on the Internet. But today we have a hodge-podge of outdated certificates, outdated algorithms used to generate keys, different implementations of standards, and unverified certificate issuers. As a result it is possible to fool this process and either put a "man in the middle" spying on the transaction and seeing all of the data, or to redirect you to the wrong site. In either case you are screwed.
The obvious and least costly solution, suggested by Kaminsky, is to use DNSSEC as an authenticated repository for SSL certificates. Without it on-line transactions lack essential security and present solutions are expensive and incomplete.
Great advice. I dont know how many times I have to tell people the very same things. Glad I’m not the only one.
Posted by: John | 09/08/2009 at 01:39 PM