top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

SSL Security, query about safest way of sending information by email and through websites [CLOSED]

0 votes
232 views

I have just come across this Webopedia ( www.webopedia.com/TERM/S/SSL.html ) entry:

"SSL: Short for Secure Sockets Layer, a protocol developed by Netscape or transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data ˆ’ a public key known to everyone and a private or secret key known only to the recipient of the message. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http"

SSL is generally advised for use with browsers and web sites that support it, but as confidential information can be harvested (according to the Webopedia entry anyway), could anybody advise me on using SSL with my bank and similar sites and whether any alternative (and safe) should be considered.

I generally use Tor as well when sending confidential information through emails or through webmail. As I understand it, my bank does not use OpenPGP and would not accept my public gnupg key for decrypting
encrypted transmissions. Short of changing my bank, can anybody give me further advice on which extra measures I can take to be reasonably certain I can prevent sensitive information from being harvested, and the safest way of sending information by email and through websites?

closed with the note: None
posted Jun 24, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

I think you are reading it wrong, the wording is a bit unfortunate.

Where it says "many Web sites use the protocol to obtain confidential user information, such as credit card numbers", you should read "many Web sites use the protocol to exchange confidential user information, such as credit card numbers, in a safe manner"

The only risks of using SSL are:
* the user does not check whether the certificate is OK before continuing
* the browser shows that the used certificate is OK but in reality the certificate has been stolen and is being abused by a malicious website to trick the user into a false sense of security

If you are using the correct URL to access your bank, and your browser shows that you are connected via a secure connection, you can safely assume that the connection is OK.

answer Jun 24, 2013 by anonymous
Similar Questions
0 votes
Parsing a email attachment over SSL

I get a daily email attachment to my Gmail account which I want to automatically download. I found the following Perl script which does just that:

http://stackoverflow.com/questions/2453548/how-can-i-download-imap-mail-attachments-over-ssl-and-save-them-locally-using-pe

The above script uses the following syntax to search the messages via IMAP:

my @messages = $imap->search(SUBJECT => $today);

In my case, I want to search on two criteria, subject and date. I tried various ways such as:

 my @messages = $imap->search(SUBJECT => $subject, ON => $today);    
 my @messages = $imap->search({SUBJECT => $subject, ON => $today});
 my @messages = $imap->search("SUBJECT => $subject, ON => $today");

but none of these worked. How can I search on multiple criteria using Mail::IMAPClient?

+1 vote
SSL/TLS and ciphers vulnerability

I've been off the list for a bit, getting ducks in a row here and everything.

I noticed a number of posts about SSL & TLS security settings lately and I wanted to point out that maintaining your SSL configurations is an on-going processes.

New exploits are discovered and released quite often, and often the fault lies with a cipher and not necessarily an overall SSL/TLS protocol.

So using a cipher list like "all except RC4" is probably not sufficient anymore. And what is secure may depend completely on the SSL/TLS software you use, be it OpenSSL or Java's built in SSL libraries.

For example, with OpenSSL, you should be using 1.0.1t or higher, and even then only TLS1.2 with a handful of ciphers. I'm not sure what the recommended options for java's libraries are at the moment. A really good, free tool is Qualys' SSL Labs server test tool located at: https://www.ssllabs.com/ssltest/ Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide what risks you are willing to take with your SSL communications and whether or not you need to support insecure browsers, i.e. browsers that cannot negotiate up to the most secure protocol and ciphers.

+1 vote
Apache: Virtual Hosts and SSL Puzzler

I have 3 virtual hosts that for all I can see are configured identically other the the obviously needed differences. The same is true of the 3 crt files.

 ServerName public.mydomain.com
 DocumentRoot /var/www/html
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/public.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName distrib.mydomain.com
 DocumentRoot /var/www/html/distrib
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/distrib.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName mail.mydomain.com
 DocumentRoot /usr/local/squirrelmail/www
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/mail.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

The problem is that 2 of them work perfectly and the lock shows up in the browser. With the third (public), I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue
how to debug this or even where to look. Can someone point me in the right direction?

+1 vote
Apache: reverse proxy, balancing and ssl client certificate authentication

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

...