What is SSL? Is it Secure and Safe?
Most of us I hope, appreciate that very little of what we do online is private. The astonishing rise of the web over the last two decades has come at a price and that price is our privacy. The majority of our communication takes place over HTTP (Hyper Text Transport Protocol) a wonderful invention that has allowed a myriad of platforms to come together and talk to each other using the worldwide shared infrastructure that is the internet.
You see HTTP operates completely in clear text, meaning that requests, web visit and communications are instantly readable by anyone with a mind to intercept it. My next door neighbor sits next door browsing the web using his unprotected Wireless connection, completely oblivious to the fact that I can see every site he visits, and yes he does spend a lot of time on porn sites for a seventy year old !! Obviously he could put up layers of protection by using encryption on his wireless network but the fact remains that all his browsing is logged on his ISP and transmitted in clear text across lots of shared routers, switches and cables.
That in itself is worrying enough, and the reason that Governments can pretty much capture all the personal data they need with a well positioned switch or cable tap. But there’s one area that is even more worrying particularly to those using free proxy and VPN sites distributed across the internet.
That area is SSL, the little layer of security bolted onto to HTTP(S) to encrypt our most important transactions. We are told to look for the little padlock in the corner of our browser when we connect to a payment site, or need to input usernames and passwords. SSL will keep us safe so we are told, unfortunately as I’m going to show you that’s simply not the case.
But first an interlude, have you ever wondered about how your request gets to a web site? What route does it take, how many points physically does it touch before it reaches the intended server. Well it’s east to find out – just look at this. Start a command prompt, type ‘command’ in the search box in most windows versions then type the command ‘tracert’ and a web address.
You should see something like this, a series of steps that your web request takes. The first ‘hop’ will be my router, then through my ISP and then out onto the internet via a host of switches and gateways owned by a wide variety of individuals, companies and organisations. Any of which have complete access to my data if they wished to intercept it for whatever reason. The example is to Paypal so my username and account details are also being trusted to the owners of those devices.
This is of course, very concerning and why SSL (Secure Socket Layer) was developed to at least provide some protection to the most sensitive data transmissions. We use SSL a lot now, and that little key we are told to look for is becoming increasingly important to maintaining some privacy and security especially if we’re conducting any sort of financial transaction online. Buying Christmas presents from Amazon, checking out bargains in EBay or paying our bills through online banking – all use SSL to encrypt the data we send. You can see the security being implemented on any site now that needs to process payments or usernames, here’s me logging into Paypal.
In the top left you can see, the familiar padlock and the fact the web site begins HTTPS, the S denoting the secure layer protecting your login. So we’re all safe and protected?
Well no not quite – let me introduce a neat little program from a company called Komodia who provide a series of security applications and development platforms. Available on their site is a free SSL sniffer which can sit and sniff all the traffic that travels through your connection and decrypt it on the fly – including all that super secure traffic protected by your HTTPS connection.
Here’s me running it whilst logging into check my Paypal account –
Using Komodia’s sniffer program I can look at all the data flowing through my connection, what’s more it decrypts the SSL connection too. All the encrypted data is unencrypted and is visible in clear text, in the example above my paypal password and login details were perfectly visible. Anyone with those details could have logged on to my account and made payments linked to my debit and credit cards!
Obviously I have blanked this out to protect my account details but it’s very easy to check for yourself. You can download the sniffer for free from Komodia here. It requires little technical knowledge and is very easy to use – using it you can harvest any usernames and passwords that are supposedly protected by a HTTPS connection. All you need is access to the data.
This is one reason that you should never, ever use those free proxies, dodgy wireless connections in Coffee shops and anywhere else you feel your data may be at risk. Only use proper well run and secure ones even to just access things like the BBC like this, and don’t access any accounts from untrusted devices and networks.
IN truth there is little security available by default online, but common sense can go a long way to stopping the misery of becoming a victim of identity theft and online crime.