Sunday, May 01, 2005

SSL - a false sense of security

SSL is used to encrypt the transmission of data between a browser and a web server. So if a website out there uses SSL to encrypt sensitive information, then everything is secure and perfect and nobody needs to worry about anything. Right? Well, no.

SSL works only at the transport layer. Let me explain. What SSL can do is protect data while it is in transit between a browser and a server. What it cannot do is protect the server that stores the data from other kinds of attacks.

The data inside the server's database is NOT protected by SSL. It lies there in plain text unless the server uses some sort of encryption while storing data in the database. SSL does not protect against operating system vulnerabilities either. If someone out there can exploit a known vulnerability in the operating system, then the server and potentially the data may be exposed.
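The difference between data protected in transit and data protected at rest, as an added example in Go (not code from the original post): `fileContains` shows what anyone holding a copy of the datastore file sees when a record received over SSL was written to disk as it arrived, while `storeEncrypted` and `readEncrypted` show the alternative the paragraph alludes to, AES-GCM encryption before the record touches disk. File paths, the record value and the key are supplied by the caller; the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"os"
)

// newAtRestCipher builds the AES-GCM instance used for stored records. The key
// must live outside the datastore, or whoever copies the database copies it too.
func newAtRestCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// storeEncrypted encrypts a record before it touches disk. The random nonce is
// prepended to the ciphertext so readEncrypted can recover it.
func storeEncrypted(path string, aead cipher.AEAD, record string) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return os.WriteFile(path, aead.Seal(nonce, nonce, []byte(record), nil), 0o600)
}

// readEncrypted reverses storeEncrypted; a wrong key or a tampered file fails GCM authentication.
func readEncrypted(path string, aead cipher.AEAD) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return "", os.ErrInvalid
	}
	plain, err := aead.Open(nil, data[:n], data[n:], nil)
	return string(plain), err
}

// fileContains reports whether the secret sits in the datastore file in clear.
func fileContains(path, needle string) bool {
	data, err := os.ReadFile(path)
	return err == nil && bytes.Contains(data, []byte(needle))
}
```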

It is difficult to see what data was sent in via SSL (because everything on the wire is encrypted), and in fact hackers prefer SSL when exploiting application-level vulnerabilities. Often hackers use a combination of outbound proxy servers and SSL so that their activities cannot be traced back to their own computers.


Copyright Anand Jain 2004, 2005. All rights reserved.