Thursday, October 22, 2009

SSL (Secure Sockets Layer)

SSL, what is that? Have you ever noticed, while browsing the web, the 's' in https://etc.etc? When the s is sitting there, that means you are using an encrypted connection. So all data you send out to the web server is locked, and the website has the only key to unlock it. This is really nice when doing online banking, as you don't want anyone listening on your network trying to intercept your banking data. If a hacker is on your network, listening to all of your internet traffic, he won't be able to read the data when you are using SSL.

Well, there exists a little vulnerability with all web browsers that can make you think you are secure while you're actually not. Sometimes a website won't give you the s at the end of the http until you go to log in. You may think that's secure because your data is now being encrypted, but the damage has already been done when you visited the site without the s. A hacker can sit between you and the website, a man in the middle, and intercept all data between you and that website. When you first visit the website, you send the request to the hacker, who forwards it on to the website, which then responds back to the hacker, and the hacker forwards the response to you. So when you click that secure login, you actually tell the hacker you want the secure login, and he then talks to the website and gets himself a secure login. He/she then spoofs a secure login back to you, so that you think all of your data is being encrypted. But actually, it's as clear as day to the hacker.

So how do you stop a hacker from being the man in the middle? Well, if you had encrypted the data when you first visited the website, he would never have been able to spoof the secure login, and he would have been locked out completely.

Protect Yourself!

So my advice to you: when you visit a website, no matter what site it is, hand type that s at the end of http and press enter. Most websites support SSL, but you'll be surprised how many don't automatically load with it. Gmail doesn't use SSL unless you set it in the options. Another suggestion of mine, to save you from hand typing that s every time, is to bookmark the page with the s in it. That way, every time you click the bookmark, you automatically go to the page using SSL.

I implore anyone reading this to use SSL whenever visiting a site that contains personal information or takes a login and password, especially when you are on a public hot spot, like Starbucks. In one day, it has been possible to record as many as 1200 different pieces of personal information off of a public wifi. That was simply a person sitting with a computer running software that listens to the net chatter. It could have been prevented if people had been using SSL.


Anonymous said...

Thanks a lot for the awareness, Chris!

Anonymous said...

hey thanks for the input