An Overview of Secure Sockets Layer (SSL) Technology

SSL (Secure Sockets Layer) is the most widely used and most powerful measure in security technology for creating an encrypted link between a web server and web browsers. When the link is encrypted, the two sides use the https protocol. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols layered above TCP that protect a user's confidentiality when data is sent from the client side to a web server; this is an important protocol because of the growth of the Internet. In fact, it has taken a long time to develop the SSL/TLS protocol fully. However, there have still been flaws and problems during the development of SSL/TLS, and we cannot deny that there may be other potential security holes in the latest version. Such an attack is fatal for both the user and the company that rely on these protocols to establish a safe channel for transferring information. This article introduces three typical attacks: the cipher suite rollback attack, the version rollback attack and password exception in the SSL/TLS channel.

Secure Sockets Layer (SSL) Technology

As the Internet and the World Wide Web become common, it is necessary to think about system security. Because the plaintext flowing through the web is unencrypted, it is easy for a cracker or hacker, or even a user with no programming knowledge, to intercept a message and modify it. How to defend personal privacy and how to guarantee secure online commerce are the challenges for information technology. SSL/TLS creates a legitimate secure channel between server and client that encrypts the plaintext, so a third party who intercepts the message cannot disclose the original message without decrypting it.

The Secure Sockets Layer (SSL) is a method of providing security for web-based applications. It is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols, as illustrated: one layer makes use of TCP directly. This layer is known as the SSL Record Protocol and it provides basic security services to various higher-layer protocols. An independent protocol that makes use of the Record Protocol is the Hypertext Transfer Protocol (HTTP). Another three higher-level protocols that also make use of this layer are part of the SSL stack. SSL has two phases: handshaking and data transfer. During the handshake, the client and server use a public-key algorithm to determine secret key parameters; during data transfer, both sides use the resulting key to encrypt and decrypt subsequent transmissions.
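To make the layering above concrete, here is a small parser for the SSL/TLS record framing, written as an added example for this article rather than taken from it: it splits a byte stream into Record Protocol records, names the handshake messages carried during the handshake phase, and reports the encrypted records of the data-transfer phase that follow. The sample stream is constructed inside the block (with abbreviated hello bodies), not captured from a real server.

```python
import struct
# Content types of the Record Protocol: the higher-layer protocols multiplexed over it.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 14: "server_hello_done", 20: "finished"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_records(stream):
    """Split a stream into (content_type, version, payload); header is type(1)+version(2)+length(2)."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if ctype not in CONTENT_TYPES or length > 2 ** 14 + 2048 or len(payload) < length:
            raise ValueError("bad or truncated record at offset %d" % off)
        records.append((CONTENT_TYPES[ctype], VERSIONS.get((major, minor), "unknown"), payload))
        off += 5 + length
    return records

def handshake_messages(payload):
    """Split a handshake record body into (name, body); header is type(1) + length(3)."""
    msgs, off = [], 0
    while off < len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(payload) - off < 4 or len(body) < length:
            raise ValueError("truncated handshake message at offset %d" % off)
        msgs.append((HANDSHAKE_TYPES.get(payload[off], "unknown"), body))
        off += 4 + length
    return msgs

def describe(stream):
    """Name each message in order: handshake phase first, then the encrypted data-transfer records."""
    out = []
    for ctype, _, payload in parse_records(stream):
        if ctype == "handshake":
            out.extend("handshake:" + name for name, _ in handshake_messages(payload))
        else:  # change_cipher_spec, alert or application_data; only the length is visible
            out.append("%s:%d bytes" % (ctype, len(payload)))
    return out

def record(ctype, payload, version=(3, 3)):  # builds one record; used only for the constructed sample
    return bytes([ctype, *version]) + struct.pack("!H", len(payload)) + payload
def handshake_msg(mtype, body):  # builds one handshake message for the sample
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed sample stream with abbreviated hello bodies; not a capture from a real server.
SAMPLE = (record(22, handshake_msg(1, b"\x03\x03" + b"\x11" * 32))
          + record(22, handshake_msg(2, b"\x03\x03" + b"\x22" * 32) + handshake_msg(14, b""))
          + record(20, b"\x01") + record(23, b"\x8f" * 40))
```

Running `describe(SAMPLE)` lists the three handshake messages, the Change Cipher Spec record and one 40-byte application-data record whose content is opaque to an observer, which is exactly what the two phases look like on the wire.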

SSL (Secure Sockets Layer) is a technology to encrypt communications between the user and the web server. It helps to prevent hacker attacks that are based on eavesdropping. When you use a web page that is protected by SSL, you see a padlock icon that assures you that the page is secure.

The Secure Sockets Layer (SSL) Protocol was adopted by Netscape in 1994 as a response to the growing concern over Internet security. Netscape's goal was to create an encrypted data path between a client and a server that was platform- and OS-agnostic. Netscape also sought to take advantage of new encryption schemes such as the recent adoption of the Advanced Encryption Standard (AES), considered more secure than the Data Encryption Standard (DES). Indeed, by June 2003, the US Government deemed AES secure enough to be used for classified information.

Is the web site really secure with SSL?

No. SSL secures the network communication link only. Although this is an important security layer for sensitive applications, most attacks on websites are not actually done this way. Most attacks on websites are actually done in one of the following ways:

  1. The server is attacked directly. SSL does not protect you from this. Rather, you need to have a good IT security policy to protect your server.
  2. The user is attacked directly, either by infecting their PC with malware, or by using “phishing” to steal their passwords. SSL does not protect you from this, either. To protect your own PC from this, you need to use a good anti-virus program, and use lots of common sense and a small amount of paranoia when on the Internet. However, it is unrealistic to expect that all the PCs of all of your website visitors will be adequately protected.

In other words, SSL does very little to prevent the website from being hacked. It only prevents third parties from listening to communications between the user and the website.

In that case, when is SSL important to have?

If you are transmitting sensitive private data over the internet, SSL is an important additional security layer. Although eavesdropping may be a less common form of attack on the website, there is no reason not to protect against it if the consequences are serious.

Although the risk to the website may not be that great, the risk to individual users may be significant in some cases. For instance, any user accessing your website from a public Wi-Fi connection (such as at a coffee shop) can be eavesdropped on fairly easily by other users at the same location. Eavesdroppers can see what is typed into forms on non-SSL sites, so the risks will depend on what sorts of forms you have.

The most obvious high-risk form is your login form, which asks for username and password. An eavesdropper can potentially obtain these login credentials and then log in as that user. How risky or dangerous that is depends on what personal information the eavesdropper can obtain, or what harm they can cause with this information. Even if the risk is low with regards to your website, you should also consider that some users will re-use passwords on many websites, so the risk may extend to sites and situations that are beyond your control.

What kind of “sensitive private data” needs protection?

Private data is information that should only be known to you (the website owner) and the user. The most obvious example is credit card numbers. If you outsource your credit card processing to an external e-commerce gateway, the transactions are protected by your e-commerce provider’s SSL. Adding SSL on your website is not necessary in this case.

Passwords are the next most obvious thing to protect, as noted above. If you do not have a membership or public user base, then your own personal admin passwords may be the only ones you need to think about. If you do not do website administration from public Wi-Fi networks, then this is not a major concern.

Note that personal information such as names, email addresses, phone numbers, and mailing addresses are not private. This is information that is meant to be shared with others. SSL does not really protect information that is already publicly available in more accessible formats such as the phone book. However, you do need a good privacy policy when storing and using people’s personal information, to assure your users why you need their personal information, and what you intend to use it for. This is mostly because some organizations have a history of selling their databases of personal information against the wishes of their clients. SSL does not help with this, however.

There is a grey zone between private data (which should be known only to you and the user) and personal data (which is known and used by many others). Individual pieces of personal data may not be a big deal, but if you collect enough personal data, identity theft may become a plausible threat. Special account or identity numbers (SSN, SIN, driver's license, health care, or passport numbers, for example), along with birth dates, common security questions (e.g., mother's maiden name, names of family members), and information of that nature may collectively comprise an identity that could be stolen for nefarious purposes. The more of this sort of information you collect, the more SSL might be a worthwhile addition to your security policy.
