Thursday, January 05, 2006

Web Security - Why SSL is not enough to protect Credit Card

I have been under the illusion that SSL is enough for point-to-point security. Two articles from Monitoring Central have broken the illusion for good!

Does SSL protect you, or is it a condom that is open at both ends?
Read this article to understand the limitation: SSL does not, by itself, ensure the authenticity of both ends of the connection.

Excerpt:

What it does not do is actually secure any of the data that passes through the pipe, or really know where either end of the pipe actually is. What you can be sure of is that anything put into one end of the pipe is going to come out wherever the other end is.

But surely the data is fully protected? Yes, whilst the data is in the pipe it is protected. Now, assuming - and unfortunately that's what we have to do - that you know for sure where each end of the pipe is, and you are sure that each end is very secure, and you know for certain who is at each end, then you're OK. If any of those is not true then you do have a problem.

My data is SSL protected between the server, and me so why should I worry? Well no one at the server end really knows whom the data is from because they don't know what your identity is. They assume that data arriving through the pipe is right, and that your identity can be presumed from the data, not the other way around. Unfortunately there are hacker attacks that divert your link through their own site, where they can pretend to each end that they are the other entity without either end being the wiser. (This is called a man-in-the-middle attack using web site spoofing.)

Why SSL is not enough to secure your credit card details
There is no easy way for the server to establish the identity of the client, and vice versa. Sure, we do get a padlock, but most people would not bother to check whether the certificate behind it is valid and genuine or a fake.
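As an added example (not code from this post or from the articles it quotes), the Python snippet below performs the check that the padlock alone does not prove: that the certificate the server presents is currently valid and actually names the site you meant to visit. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the two certificates and the fixed "now" timestamp are constructed sample values, not real ones.

```python
import ssl
import time

def _name_matches(pattern, host):
    """Match one certificate DNS name against the requested hostname. A wildcard
    covers exactly the leftmost label: '*.chase.com' matches 'online.chase.com', not 'chase.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def certificate_matches(cert, hostname, now=None):
    """Return (ok, reason) for a getpeercert()-style dict: is it inside its validity
    window, and does it name `hostname`? Chain-of-trust checking is left to the CA store."""
    now = time.time() if now is None else now
    try:
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            return False, "certificate not yet valid"
        if now > ssl.cert_time_to_seconds(cert["notAfter"]):
            return False, "certificate expired"
    except (KeyError, ValueError):
        return False, "validity period missing or malformed"
    # subjectAltName is authoritative; the subject CN is only a legacy fallback
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not names:
        return False, "certificate names no host at all"
    if any(_name_matches(n, hostname) for n in names):
        return True, "name matches"
    return False, "certificate is for %s, not %s" % (", ".join(names), hostname)

# Constructed sample certificates (not real ones), in getpeercert() form.
BANK_CERT = {
    "subject": ((("commonName", "www.chase.com"),),),
    "subjectAltName": (("DNS", "www.chase.com"), ("DNS", "*.chase.com")),
    "notBefore": "Jan  5 00:00:00 2006 GMT",
    "notAfter": "Jan  5 00:00:00 2007 GMT",
}
OTHER_CERT = dict(BANK_CERT, subject=((("commonName", "www.example.com"),),),
                  subjectAltName=(("DNS", "www.example.com"),))
# A fixed "now" inside the validity window, so the example is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2006 GMT")

if __name__ == "__main__":
    for host in ("www.chase.com", "online.chase.com", "chase.com"):
        print(host, certificate_matches(BANK_CERT, host, SAMPLE_NOW))
    print("www.chase.com", certificate_matches(OTHER_CERT, "www.chase.com", SAMPLE_NOW))
```

Python's ssl.create_default_context() performs these name and validity checks, plus chain verification against the system CA store, automatically; spelling them out shows what the padlock does and does not attest to.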

1 comment:

Ashish said...

Well said... Spoofing, or shall I say identity theft... one of the biggest crimes in the US (and it's also the biggest marketing gimmick from financial/banking institutions)...
How to make sure that you are really visiting www.chase.com or www.wamu.com, or whether a free techie has created an exact replica of these sites?
So what should we do? We all know that the best way to avoid anything is abstinence... so don't make love if you want to avoid unwanted pregnancies... but online banking/shopping is an indulgence, like sex. It makes you feel good.

Who wants to visit the store and check out the stuff if you can buy it online... (I am not talking about women over here :-)))

Whenever I visit any financial site, I double-click the padlock icon to make sure that it is valid and that it is from the site I am visiting. Can we do anything else to make sure that we are safe online? Let me know...