in reply to Re: Re: (OT) SSL Certificates: Self-Signing and Alternative Solutions
in thread (OT) SSL Certificates: Self-Signing and Alternative Solutions

The point about using SSL is that the traffic between your browser and the website is encrypted to minimise the risk of the content being intercepted en route. SSL does not solve any issues relating to storage or handling of the data at either end of the connection.

I am using a corporate network and access the internet via a web proxy. This is a situation that is not unlike being in an internet cafe or using a public wi-fi hotspot. There are people sat all around me using computers to do their work, book flights, buy concert tickets and pay their bills. I therefore could expect to have to 50+ users' worth of traffic without leaving my desk. In a non-SSL world, I would probably only need to gather logon traffic for one day to get the passwords etc. and use the information for illicit purposes.

Security starts at home!

inman

Re: Re: Re: Re: (OT) SSL Certificates: Self-Signing and Alternative Solutions
by hardburn (Abbot) on Nov 10, 2003 at 16:23 UTC

    I am using a corporate network and access the internet via a web proxy.

    Computers that you don't personally own, or do not fully control physical access to, should be considered inherently untrustworthy. Even with SSL, any network or system admin could probably easily get physical access to any computer in the building and install a keystroke logger. That goes for Internet cafes, too. Putting your CC num into such a machine is reckless.

    The security problems of wi-fi networks are well-established. This is one of the few areas where SSL is quite beneficial.

    I'm not saying SSL is completely useless, just that if we got rid of SSL completely, the security of the entire system wouldn't drop as dramatically as most people think.

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    : () { :|:& };:

    Note: All code is untested, unless otherwise stated