Notes on Security

Like most people, on long drives I get into some very interesting mental conversations with myself.

On one recent trip, for no particular reason, I began to wonder about what, exactly, "SSL" refers to. I mean, I know it is an acronym for "Secure Sockets Layer," but what exactly that means, I didn't know. Other than that we should look for some such designation on a website when we do business with that website - particularly if there's a money transaction.

So, of course, I had to do some Internet Research.

For starters, I learned that "SSL" is actually outdated. From Wikipedia (the Poor Man's Favorite research tool): "Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end."

So, let's do a little translation.

A cryptographic protocol is basically a system by which data is encrypted and decrypted. (Think of it like when you were a kid, and you and your friends used a code assigning a number to each letter of the alphabet. You all knew that A was 1, and so on. So when you received a message that said "89," it meant "Hi.")

Again, from Wikipedia: "A cryptographic protocol usually incorporates at least some of these aspects:
  • Key agreement or establishment
  • Entity authentication
  • Symmetric encryption and message authentication material construction
  • Secured application-level data transport
  • Non-repudiation methods"
More difficult to decipher (all puns intended) words! Ok:

1. Key agreement or establishment: the two parties involved decide how the "decode ring" is going to work.
2. Entity authentication: both parties can be demonstrated to be who they say they are.
3. Symmetric encryption: the same key is used to encrypt and decrypt the message.
4. Message authentication: this more or less speaks for itself. This is a means by which a message is verified as "real."
5. Secured application-level data transport: the actual means by which the data is broken into "units" (packets) and sent from one host to another is secure.
6. Non-repudiation methods: the use of services that provide proof of the integrity and origin of the data, together with authentication of high enough assurance that the data can be asserted to be genuine.
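To see how the first four of those aspects fit together, here is an added toy example in Python (my illustration, not code from the original post or from any TLS library). It assumes a tiny, insecure Diffie-Hellman group and a SHA-256-based stream cipher standing in for the real TLS algorithms, and it leaves out entity authentication (the certificate check) and non-repudiation.

```python
import hashlib
import hmac
import secrets
# Toy Diffie-Hellman group (a Mersenne prime, g = 2): constructed for this demo only.
P, G = 2 ** 521 - 1, 2

def dh_keypair():
    """Key agreement, step 1: keep a secret, publish G^secret mod P."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def derive_keys(shared):
    """Turn the agreed number into one encryption key and one MAC key."""
    raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())

def xor_stream(key, nonce, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def seal(enc_key, mac_key, message):
    """Encrypt, then tag the ciphertext with an HMAC (message authentication)."""
    nonce = secrets.token_bytes(12)
    ct = xor_stream(enc_key, nonce, message)
    return nonce, ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, nonce, ct, tag):
    """Check the tag first; a forged or altered message yields None."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_stream(enc_key, nonce, ct)

def demo(message=b"order 42 ships Monday"):
    """Returns (keys agree, message recovered, tampering caught)."""
    a_priv, a_pub = dh_keypair()   # the shopper's side
    b_priv, b_pub = dh_keypair()   # the website's side
    keys_a = derive_keys(pow(b_pub, a_priv, P))   # key agreement, step 2
    keys_b = derive_keys(pow(a_pub, b_priv, P))   # same number on both ends
    nonce, ct, tag = seal(*keys_a, message)
    recovered = unseal(*keys_b, nonce, ct, tag)
    # Someone "midstream" flipping one ciphertext bit is caught by the tag.
    forged = unseal(*keys_b, nonce, bytes([ct[0] ^ 1]) + ct[1:], tag)
    return keys_a == keys_b, recovered == message, forged is None
```

Calling `demo()` returns `(True, True, True)`: both ends agree on the keys, the message comes through, and the altered copy is rejected before it is ever decrypted.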

Got it?

It's all meant to demonstrate to you that the email your friend sent is really what it claims to be; or that when you send your credit card number to eBay, it's safe to do so and won't be grabbed by someone midstream (so-called "man-in-the-middle attacks").

What do you need to know?
- Make sure any website you do business with (any website to which you submit private information, especially financial information) does this transaction on a "secure server." A secure server is "a Web server (the computer on which a website "lives") that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information can be translated into a secret code that's difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec." (From Webopedia, http://www.webopedia.com/TERM/S/secure_server.html.)

- Expect that the website will have an SSL Certificate. The certificate is issued by a "Certificate/Certification Authority," which is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that."

- Look for the URL to begin "HTTPS" rather than just "HTTP." (The S means you're doing business on a secure server.) As opposed to HTTP URLs which begin with "http://" and use port 80 by default, HTTPS URLs begin with "https://" and use port 443 by default. (A port is more or less a communication "channel" by which your computer directs incoming/outgoing traffic correctly; thus, port 80 is routinely associated with standard HTTP traffic; port 443 is usually associated with HTTPS traffic.)

- Use "strong" passwords when creating accounts on websites that will use your personal information. A strong password is some combination of alpha characters and numeric characters ("special" characters may or may not be accepted; it's best to choose your passwords without them) that only you will understand, but that you will also be able to remember. Thus, "1234" is not a strong password (a serious understatement!). A geeky friend told me that he has created a method which creates a new password for every web account, but which always follows a pattern (so he can remember it easily). Thus, he might use his wedding date (61205), plus his mom's first initial, plus the first three letters of the name of the website. While the first three letters of the website might be guessable by a hacker, the rest of the password would be very difficult to stumble upon.

We'll do more on this important topic in upcoming reports!
