07 Mar

How is SSL doing to protect communications?

How can I be sure that SSL protects me?

First, SSL uses an encryption system:

  • Asymmetric (like RSA or Diffie-Hellman). It is used to generate the master key that will generate session keys.
  • Symmetric (DES, 3DES, IDEA, RC4 …) using session keys to encrypt the data.

And a system of:

  • Cryptographic signature of messages (HMAC, using MD5, SHA …) to ensure messages are not corrupted.

It is during SSL negotiation that the client and the server choose common systems (asymmetric, symmetric encryption, signature and key length). In your browser, you can see the list of used systems by placing your cursor on the small padlock when you are in an HTTPS page.

What are the certificates for?

During an SSL negotiation, it is necessary to make sure of the identity of the person with whom one communicates. How can I be sure that the server you are talking to is the one he claims to be?

This is where the certificates come in. When you log on to a secure web server, it will send you a certificate containing the company name, address, and so on. It’s a kind of ID.

How to check the authenticity of this ID?

These are the PKI (Public Key Infrastructure), external companies (which you implicitly trust), who will verify the authenticity of the certificate. (The list of these PKIs is included in your browser, usually VeriSign, Thawte, etc.) These PKIs cryptographically sign the business certificates (and they get paid for that).

The use of SSL: HTTPS, SSH, FTPS, POPS …

  • HTTPS: it’s HTTP + SSL. This protocol is included in almost all browsers, and allows you (for example) to consult your bank accounts via the web in a secure way.
  • FTPS is an extension of File Transfer Protocol (FTP) using SSL.
  • SSH (Secure Shell): it’s a sort of secure telnet (or rlogin). This makes it possible to connect to a remote computer in a secure way and to have a command line. SSH has extensions to secure other protocols (FTP, POP3 or even X Windows).

It is also possible to secure protocols by creating SSL tunnels. Once the tunnel is created, you can pass any protocol in (SMTP, POP3, HTTP, NNTP …). All data exchanged are automatically encrypted. We can do this with tools like STunnel (http://www.stunnel.org) or SSH.

In fact, with the POP3 protocol that you usually use to read your mail, passwords and messages are transmitted in plain text over the Internet. On the other hand it is possible to steal your passwords and messages.

With the SSL tunnel, and without changing the client and server software, you can secure the recovery of your email: no one can steal your passwords or emails since everything that passes through the SSL tunnel is encrypted. But this requires installing STunnel on the client and on the server. Some service providers offer this service, but it is too rare. Ask your service provider if he has this kind of service in place. STunnel thus makes it possible to secure the majority of protocols based on TCP / IP without modifying the software. It is very easy to install.


So when I see the padlock, it’s secure?

It must be recognized that the padlock tells you that communications between your browser and the website are safe: no one can spy on them, and no one can tamper with communications. But it does not guarantee anything else!

In conclusion, To take an image:

HTTPS (the padlock) is a bit like an shielded van: It ensures the safety of transport. But really only transportation. The shieldedvan will not guarantee that the bank uses good safes and closes them well. The shielded van also does not guarantee that the bank does not do wrongdoing. The shielded van really only guarantees the transport. It’s the same thing for HTTPS (the little padlock of the browser). In the same way that mobsters can rent the services of an shielded van, pirates and mobsters can very well create a secure site (with the small padlock). Be vigilant, and do not confide any information on any website, padlock or not.


Source : sebsauvage