04-06-2011, 01:05 PM | #1 |
Bunion
Web Security - welcome to my world
Here is a link to an article that does an acceptable job highlighting what is the Achilles heel for secure web access (URLs that include 'https', where the 's' is about security).

http://www.nytimes.com/2011/04/07/te....html?_r=1&hpw

Last fall, I taught a class on how the SSL/TLS protocols work. These protocols are what are in use with 'https'. The idea that you find out about someone's security key by getting a certificate from some place that you trust is a concept called a web of trust (for the truly geeky, google "Merkle's Tree Authentication"). Note that the protocols themselves can be absolutely secure, but if the information in the certificate is fraudulent, you get no security benefit from using that information.

The gist of it all is that security within your web browser only works when everyone plays nice. Fortunately, at this time, everyone plays nice a majority of the time. There isn't a better scheme in place and the present system is so pervasive that, in my opinion, until the fundamental protocols are broken (not likely) the system will remain in place. However, look for more controls on how certificates are added to your browser and perhaps some mechanism for auditing their validity better at the source.

Comodo is not the first major player to have this happen to it, just the one that is being written about.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx