On Broken SSL’s And More

Seems that there has been some rumbling that SSL encryption has been broken recently, which is quite interesting and would be a major threat to things we are all just starting to take for granted such as online shopping and banking, privacy and other important issues that people take for granted. For those who don’t know what SSL is, it is that ‘little padlock thing’ in your browser that you’ve always been told means that the website you are visiting is secure.

Now this is scary stuff and a true break of the SSL encryption routines would be a tragedy, but that isn’t quite what has happened here. What we have here is a trojan that uses “pharming” (targeted hacks looking for specific things, in this case connections being made to online banks).

The recent fuss revolves around a targeted hack attack using a particular trojan that sits between you in front of your computer and the data you send to secure website, and in this position it can intercept and monitor your traffic without having to actually “break” your encryption. Note that this is a very simplified “layman’s terms” explanation of what happens, technical explanation here.

So where does this leave us? It is perhaps worth recapping what SSL is and what SSL isn’t at this point: Some people attribute that ‘little padlock thing’ with super powers that guarantee that nothing can go wrong with their transaction and that just isn’t true. SSL is a way of providing a secure and encrypted ‘tunnel’ between a web server and a web browser on the Internet.

ssl-cloud-services-backupThink of SSL like your local mail posting service offering a guarantee that certain letters can be sent to and from certain destinations securely. That is all SSL offers – it is a very important offering to be sure, but it only guarantees part of your security.

A SSL connection doesn’t know about the fact that your computer has a trojan on it, generating a SSL proxy performing a Man In The Middle attack. It only provides secure communications between two points and can’t know that someone is reading your secrets over your shoulder before you send them, so to speak.

A SSL connection can verify that the tunnel goes to the correct web server, which is great, but what if the correct web server has been hacked? Again, an unauthorised person reading your secrets over the shoulder of the person that you are talking to isn’t the fault of the post office.

SSL cannot tell you if the secure connection goes to the correct web server and it hasn’t been hacked, but the data is stored insecurely at the web server because the business you are dealing with is staffed by idiots. It isn’t the fault of the post office if the person who receives your secret mail tapes a copy to their window for every passer-by to read.

Comments Off on On Broken SSL’s And More