Where are the strong? Who are the trusted?

The internet’s web of trust is a curious thing.

People receive attacks from odd places all the time: emails with suspicious links, malicious messages on Facebook. Even a legitimate webpage we surf to may have been compromised through its JavaScript, and can do all kinds of bad things to your computer.

When we log in to a site, however, we feel secure, because of TLS.

TLS is part of the “s” (for secure) that appears whenever you see “HTTPS:” in your browser’s address bar. It encrypts your data using an awfully good encryption scheme so no one can see your username or password, or your credit card number, when you do things online.

There are two parts to the whole equation, however. The encryption side of TLS is quite good (there was a small compromise found not long ago, but they’re fixing it now, and the part that caused the flaw was deactivated in the meantime). The authentication side, however…

When you send data using TLS, it’s not just important to encrypt the data, but to know who you are sending it to. If you encrypt your credit card number, username, and password, and ship it straight to a hacker (who supplied half of the keypair, probably) all the encryption in the world will do you no good.

To get around this flaw, we use PKI. That’s where we trust a third party to verify who you are sending data to by giving them a certificate. It’s like an ID. The PKI company you have all probably heard of is Verisign.
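Here is the identity check that the authentication side adds on top of the encryption, written out as an added example (it is not from the original post). Python’s ssl module performs this check itself when check_hostname is on; the matching rule is re-implemented here only so the logic is visible, and the certificates and .test hostnames are constructed in the shape that ssl.SSLSocket.getpeercert() returns.

```python
import ssl

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
# Assume a trusted CA signed both; only one of them names the bank.
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "*.example-bank.test")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "login.attacker.test"),),),
    "subjectAltName": (("DNS", "login.attacker.test"),),
}

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' only as the whole leftmost label, one label deep, never '*.tld'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def cert_identifies_host(cert: dict, hostname: str) -> bool:
    """Authentication half: does the presented cert name the host we meant to reach?"""
    san = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:  # SAN entries win; the subject CN is only a legacy fallback
        return any(_dns_name_matches(p, hostname) for p in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False

def context_enforces_identity(ctx: ssl.SSLContext) -> bool:
    """True only if the client checks both the CA chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def verifying_client_context() -> ssl.SSLContext:
    """Hardened default: create_default_context() already turns both checks on."""
    return ssl.create_default_context()

def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: encrypted to whoever answers, the flaw the post describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

A certificate that a CA really did sign for the attacker’s own domain still fails this check, which is the whole point: the CA vouches for a name, and the client has to compare that name with the one it meant to reach.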

I’m not here to impugn Verisign’s business. They are a quite well known company, and do an okay job.

If you bought a car on the internet for $10,000.00, and a hacker used a certificate from Verisign to get your information, Verisign would be liable (in certain circumstances, of course). They would refund you up to $100!

Yes, a benjamin. That’s their indemnity in the entire situation, according to their contracts. And they are one of the many certificate authorities out there. I’ve never heard of the vast majority of them. But they say I’m perfectly safe, and should give my info to the nice man behind the counter!

Now, I’m a paranoid in training (I’m going to school for network security), and I’m not trying to freak you out. The internet is a great place, and the vast majority of things on it are enriching, informative, and run by folks on the up-and-up.

But next time you hand over your info, just stop and think for a moment. And make sure your browser is in “HTTPS” mode. It’s the least you can do.

Hopefully someday the internet will lead to some harmony amongst us all, and we won’t have to worry about this crap. I’m not holding my breath, though.


~ by Benjamin Kenneally on March 9, 2010.
