
Misconceptions with SSL security

SSL security is supposed to give a 'secure' connection to a website, but there's an inherent problem with the way that SSL is done. There are two parts to security.

  • A secure connection - when sending data between two computers a secure connection ensures that the data stream is secure from point A to point B. (Armoured car)
  • A secure identity - when communicating with a website a secure identity can tell you that the person you're communicating with is who they say they are. (A registered identity and address)

As a simple analogy, the armoured car is your secure connection getting your data between places, and the registered address ensures that the data is travelling between the right locations. That's the theory...

An SSL certificate allows you to have a secure connection and at the same time ensures that your address is correct. In theory this isn't a bad thing, but the problem is that SSL does a good job of securing your connection and a much worse job of ensuring your identity. Anyone can purchase an SSL certificate for between $10-$400 a year. Secondly, users don't pay much attention to the identity and very little to the address. This means that the ID info isn't that important; you really just want the armoured truck for the secure connection.

Imagine a large website with 100 servers. Each server is numbered and each connection has its own address: www1.example.com, www2.example.com and so on. Each one of these separate sites needs its own certificate. At up to $400 each per year, the certificates over a couple of years can end up costing more than the computer.

Unfortunately you are not allowed to use the armoured car (secure connection) without a notarized address (signed certificate). If you want to move data securely between two computers, your web-browser won't let you do it. You could try to notarize the address yourself, which is called a self-signed certificate, but web-browsers don't let you do that either.

This is bad because it forces many web developers to choose between spending hundreds of dollars or using no security at all. The vast majority of sites don't use any security. Only banks and shopping sites take this more seriously, and even on these sites the certificates can cause problems. Try this... type https://yourbank.com (notice I left out the typical www's). Chances are you'll get an error message. Bankofamerica, CitizensBank, CitiBank, Etrade, Charles Schwab and countless others forget to buy a certificate for some parts of their website. As far as SSL certificates are concerned each address is totally different. www.bankofamerica.com is totally different from bankofamerica.com. Yeah, this is dumb.
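The name check behind that error message, as an added example (not code from the original post): a simplified form of the RFC 6125 hostname match, run over constructed certificate name lists for example.com. It goes beyond the single-name case in the text by also showing a wildcard entry, which covers the numbered servers but still not the bare domain; the function names and the host inventory are assumptions made for illustration.

```python
# Added example: which hostnames does a certificate's name list actually cover?
# Simplified RFC 6125 matching; all names below are constructed sample data.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one DNS name from a certificate covers the hostname."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # www.example.com and example.com differ in label count
    if c[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and only
        # when at least two fixed labels follow it (a simplification).
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h  # otherwise every label must match exactly


def uncovered_hosts(cert_names, hostnames):
    """List the hostnames that no name in the certificate covers."""
    return [host for host in hostnames
            if not any(name_matches(name, host) for name in cert_names)]


# Hypothetical inventory of names a visitor might type or be sent to.
SITE_HOSTS = ["example.com", "www.example.com",
              "www1.example.com", "www2.example.com"]

# Three constructed certificate name lists to compare.
CERT_WWW_ONLY = ["www.example.com"]
CERT_WILDCARD = ["*.example.com"]
CERT_WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for label, names in [("www only", CERT_WWW_ONLY),
                         ("wildcard", CERT_WILDCARD),
                         ("wildcard + bare domain", CERT_WILDCARD_PLUS_APEX)]:
        print(f"{label:24} uncovered: {uncovered_hosts(names, SITE_HOSTS)}")
```

Running the same comparison against a site's real inventory of hostnames shows which names will trigger the browser error before a visitor finds out.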

When you open a web-browser for the very first time and enter your very first search into a search engine, the browser shows you a warning about the fact that you are sending clear text across the internet. You get this message once and you forget about it, but every day you may be sending thousands of personal bits of data out in the open across the internet.

This ranges from trivial gossip to passwords, secrets, bank cards and all sorts of other private information. If self-signed certificates were allowed, much of this information could be sent securely. It wouldn't prevent every possible attack (you still want to use signed SSL in some cases), but for casual everyday use, email and basic browsing, using self-signed SSL communication could prevent a lot of data and identity theft.

This post is licensed under CC BY 4.0 by the author.