PaulDotCom mailing list archives

SSL Encryption and HTML

From: macubergeek at comcast.net (Jim Kelly)
Date: Wed, 29 Oct 2008 05:18:51 -0400

see below
On Oct 28, 2008, at 8:54 PM, Paul Asadoorian wrote:

My thoughts on SSL:

1) Spoofing the Certificate - This is successful more often than not,
and since SSL is based on trust, well bad things can happen.  Remember
the security conference where they spoofed bogus certs and most  
people,
security people at that, accepted the invalid cert?  This is a major
weakness in the concept of SSL (not necessarily the encryption
implementation, which is good, just don't get caught using weak  
ciphers).


I agree ...but...
Lets say you use AD to force distribute client certs to all the users  
browser certs in your domain. I mean they get installed into the  
browser using either a login script or via GP. Lets further say you  
only allow IE on your network and you rigorously update everyone's IE  
and patch it etc. With the distributed cert you can at least be  
moderately assured that the clients are who they say they  
are...important if your comany uses web based applications, web SOA  
front-ends etc. The part of SSL everyone forgets is that of  
integrity....



2) Certificate Authorities - If you can own the cert authority, you
could make a big profit :)  Seriously, ever look at the CA's that are
trusted in your browser?  There are some shady places in there, and  
you
don't necessarily just trust them, you trust however has possession of
their keys...


You can use GPs to reduce the number of trusted CAs if you wish...but  
then you lose out on the integrity checking of some web sites on the  
Interweb.



3) Extended Verification Certs - Firefox just recently included this  
by
default in version 3, and I think its a good thing, and adds a layer
(albeit a small one) to the security of SSL.  I like to see the green
when I go to a web site (especially if its my bank ;)


Even better idea is what paypal is doing. For $5 you can get your own  
rsa token to be used with your pre-existing password!!!
groovy!!!

Jim



Cheers,
Paul

Cody Ray wrote:

Do you guys agree with the below statement?

Although the login does not occur on a secure HTML page, the login  
is,
in fact, secure. We have all been well trained on how to check for
security. We all look down at our status bar at the bottom of the
browser to make sure there is a little lock or key that assures us  
that
everything is secure before we send anything. Well now there's a new
rule to learn: data can be sent securely even if you don't see these
icons of security. When you fill out an information form, or
application, or login, etc. you are filling out information on one  
page
and the information is being sent to a second page. We see the  
security
icons when the page that collects the information is secure. The
information can be sent securely if the collection page is not  
secure,
but the page where the information is sent to is secure. This is the
method we use on home page logins. If you want to assure yourself  
that
the information you are sending is secure and you don't see a  
security
icon, you can view the HTML source code. This may be intimidating for
some, but all you have to do is search to find the word "action=."  
This
will show you the location of the page that the information will be  
sent
to. If you see "action='_https://?',_"; you know that it is being sent
securely. If you see "action='_http://',_"; you know it is not secure.


   Information Encryption

Your account information never travels the Internet without  
encryption
protection. When you click on "login", we encrypt your Online  
Banking ID
and password using Secure Sockets Layer (SSL) technology, the highest
level of Internet security available. A secure connection is  
established
before your ID and password are transmitted and maintained for the
duration of your Online Banking session.





------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081029/04e24ad2/attachment.htm

Current thread:

SSL Encryption and HTML Cody Ray (Oct 28)
- SSL Encryption and HTML Blake Hartstein (Oct 28)
  - SSL Encryption and HTML matt donovan (Oct 28)
    - SSL Encryption and HTML Nick Baronian (Oct 28)
- SSL Encryption and HTML Paul Asadoorian (Oct 28)
  - SSL Encryption and HTML James Costello (Oct 28)
    - SSL Encryption and HTML Raffi Jamgotchian (Oct 28)
  - SSL Encryption and HTML Oscar Koeroo (Oct 29)
    - SSL Encryption and HTML Paul Asadoorian (Oct 29)
  - SSL Encryption and HTML Jim Kelly (Oct 29)
- SSL Encryption and HTML Chris Frederick (Oct 29)
- <Possible follow-ups>
- SSL Encryption and HTML David A. Gershman (Oct 28)
  - SSL Encryption and HTML Ken Asher (Oct 28)