
Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe

SSL (Secure Socket Layer), symbolized by the padlock icon in your browser, does not provide any useful protection and is in fact a false sense of security. Be well aware of the real risks when submitting your information to web sites!

Denver, CO (PRWEB) July 15, 2004 -- Steve Mathews, CEO of ArticSoft and one of the authors of the ISO/IEC 17799 Information Security Management standard, said today that, "SSL is a false sense of security as it doesn't provide the protection you think it does, and no protection where you really expected it to."

"The weaknesses of SSL implementations have been well known amongst security professionals, but their argument has been that SSL is the best tool currently on offer. The fact that it can be spoofed and is open to man in the middle attacks is played down. And the fact that your personal data is exposed the moment it enters the web server (where all the real hacks and thefts take place) is ignored. If you look at all the published cases of stolen information it is always at the server regardless of whether SSL has been used or not."

If you think about it, if you applied it to a car it would only work when the engine is running and the car moving. The minute you stop and park your car (where it is most at risk) the protection stops working.

Steve noted that SSL has mainly been used in e-Commerce systems for transferring user address and credit card details. Because the credit card providers pay up if people's credit card details are stolen and used unknowingly, users don't suffer too much apart from inconvenience. There is no direct linkage to identity theft, although that didn't stop the State of California from passing a bill to require encryption of data held on servers.

Also, and very importantly, security is a perceived thing for most people. If you have been told that if there is a padlock on the screen then you are totally safe (or if you buy a server certificate your web site is totally safe or if a web site displays a particular logo) and you can't see anything going wrong then it must be OK.

Reality has intervened. Legislators have become too uncomfortably aware that industry simply hasn't lived up to its responsibilities. The USA in particular has found it necessary to legislate, not just once, but many times. Now you have to comply with HIPAA, Sarbanes Oxley, Gramm Leach Bliley, the California Civil Code and so on. And the stakes have been raised. Failure can result in a criminal prosecution at board level, not just a slap on the wrist for a minor employee.

Users too are becoming more aware that today's Internet services aren't trustworthy. Scams, SPAM, phishing, e-mail identity theft, machine theft and porn site attacks are just a few examples of why they are increasingly avoiding Internet trade and becoming seriously defensive.

ArticSoft introduce FormsAssurity to get past all the problems that are created by the SSL concept. It is true that if the sender of a secure form does not digitally sign it, the recipient is not absolutely certain where it came from, but who can afford the confusion and complexity of registering every single possible user, worldwide, before they can implement?

What we can be certain of is that it is not possible to have a man-in-the-middle attack with FormsAssurity -- encryption ensures that the form has really come from the claimed web site, the form has not been altered, and the only person that can read the information filled in on the form is the authorized site.

Secured information is not automatically revealed as it lands on the server. The enterprise can choose where to route secure information before processing. That means they can ensure that personal data is afforded the highest possible security. Information can be returned from customers, secured, directly over the web, or, if more appropriate, can be sent by e-mail to one or more destinations, depending upon the business process being followed.

The ArticSoft software-only implementation means that there is no 'footprint' required on the client machine, so this solution will integrate smoothly with consumers as well as business partners. It uses current OpenPGP and X.509 technology. It does not require new technology, complex and untried management systems, or a full-scale PKI infrastructure to be available before anything can happen, and users don't have to become security experts.

But it can be easily enhanced to require the sophistication of a digital signature to guarantee the source of the information.

No other solution is available that gives so much flexibility and control to the implementer. Nothing else is available that uses Open standards, ensures that the form creator is fully in charge of the information and is not dependent upon any third party controlling their ownership and control of the information.

ArticSoft have significantly extended the boundaries of current technology to create web forms that are actually trustable and can be used, not just to meet, but to surpass all the current legislative requirements for PII, privacy, data protection and corporate governance.

Steve Mathews can be contacted at
email : smathews@articsoft.com
Phone : 866 243 3350

Further information on SSL security can be found at the ArticSoft web site - www.articsoft.com

"We believe that there can be no secure electronic commerce on the Web until the Web Spoofing vulnerability has been addressed" - Princeton University

Dartmouth EDU web spoofing SSL demo - http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

# # #

CONTACT INFORMATION
Jill Benson
ARTICSOFT
866 243 3350