SSL vulnerability

Depending on how computer literate you are, you may know that your web browser probably has a little "lock" icon that appears when you're viewing a "secure website", whatever that means. The official name for this technology is SSL, which stands for Secure Sockets Layer, and it was designed to solve the problem of authentication: knowing that whoever you're talking to really is who they claim to be.

If you make a phone call to your bank to do some telephone banking, and the person who answers the phone asks for your PIN number, how can you be sure the person you're talking to really works for the bank? This depends mainly on you trusting your phone company, and trusting that if you dial a certain number, you will get connected to a certain person or company. Because the telephone lines are pretty well controlled and it's clear who the owners of the lines are, dialing a phone number is usually pretty reliable.

If you type in the URL to your bank's webpage to do some internet banking, and the website you receive asks you for your PIN number, how can you be sure that this webpage actually belongs to the bank? This depends on you trusting the Internet, and trusting that if you enter a certain URL, you will get connected to a certain computer. However, the Internet is not well controlled, and so entering a URL is not so reliable. SSL was meant to solve that. I won't get into how SSL works, but suffice it to say that if you see the little lock icon, you are "using SSL" and supposedly you can be confident that you are indeed at the page you thought you were at.

Unfortunately, this changed a few days ago. A group has discovered a vulnerability that allows them to trick SSL for any URL. They demonstrate this by faking an SSL connection to PayPal. Click on their link, and your browser will claim you are at the PayPal site, and the lock icon will show up, but the site you arrive at obviously isn't owned by PayPal.

Worse yet, no one has figured out how to fix this vulnerability.
