It is unfair to blame Secure Sockets Layer (SSL) for security woes because system weaknesses are usually attributed to the browser, while SSL is simply a protocol between the browser and server, says SSL inventor Taher Elgamal in an interview. "The browser trust model . . . allows end users to accept things without actually understanding what they are accepting, unrelated to the protocol as it stands," he says.
Elgamal describes man-in-the-middle attacks as network design issues. "Because the trust model and the browser are not designed correctly, you can convince the browser that this is the right certificate and convince the server something else, and then look like you actually broke the protocol," he says.
Elgamal says the defining issue is which certificate the browser should deem as trustworthy or untrustworthy. Users still log onto sites with expired SSL certificates, and Elgamal says that browser makers should make it so that the certificate would automatically warn the Web server owner of an imminent expiration and recommend renewal. He cites the need for there "to be another control in the browser [where] for important sites — banking or payment — it refuses to let the users do something if the certificate is not valid."
Elgamal says the biggest issue with Internet security today "is that there are databases with a lot of important info that are available from the Internet, from the outside. Designing secure networks has not been progressed enough. Most of the security problems that you see today [occur] because hackers or insiders are able to access information that they are not authorized to get access to."
From ZDNet Asia
View Full Article
Abstracts Copyright © 2009 Information Inc., Bethesda, Maryland, USA
No entries found