Slashdot Mirror
SSL Still Mostly Misunderstood, Even By the Pros
An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"
This article would be funny if it weren't so sad. What's the reason computer professionals don't understand SSL? Bad documentation. And neither the Slashdot summary or the article to which Slashdot links is willing to link to documentation.
The Wikipedia explanation of SSL helps. This explanation helps, also.
The Do It Yourself SSL Guide is useful.
With the exception of pre-installed machines, we all have to download our web browsers. What would stop someone carrying out a man in the middle attack on a web browser or distribution download that provided a different Firefox that contains different CA keys. These CA keys could be designed to work the same with https websites, but would allow a man in the middle to also read off the information being transmitted.
Admittedly this would be very hard to do, but theoretically possible and with the resources of a nation state this may have already been done. As most machines are now built in the far east, what would stop the IE that ships with your computer from also having altered CA keys?
Would it even be possible to detect this? You could use MD5 checksums on your downloads, but most of the websites that show an MD5 are unsecure, so they could easily be showing a manipulated version of the checksum.
This strikes me as one of the biggest flaws of our reliance on SSL v2, v3, whatever.
Please tell me that this isn't possible.