keys allowing for
encryption without the need to share key material in
advance,
• the encryption of the data in each session, using the keys
exchanged above.
When we are banking on-line, the encryption is important,
because we do not want others to be able to sniff our account
numbers, or to learn how much money we are spending with
whom. But the first stage, mutual authentication, is in many
ways more important. Without it, we can easily be tricked into
engaging in an encrypted conversation with a complete
stranger.
Unfortunately, there are many ways in which this
authentication can be subverted, or can go wrong. Phishers
know this, and so are able to succeed despite, or even because
of, the presence of SSL connections and the padlock in your
browser.
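As an added illustration (not part of the original text), the Python sketch below audits a TLS client configuration for the failure described above: a session that is encrypted but does not authenticate the other party. The function names and the three sample configurations are assumptions made for this example.

```python
import ssl

def audit_client_context(ctx):
    """Return the authentication weaknesses of a TLS client context.

    An empty list means the client both validates the server's certificate
    chain and checks that the certificate was issued for the host it dialed.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Any certificate is accepted: the session is encrypted, but the
        # peer could be a complete stranger.
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        # A valid certificate issued for a *different* name is accepted.
        findings.append("no-hostname-check")
    return findings

def strict_context():
    # Library defaults: chain validation plus hostname check.
    return ssl.create_default_context()

def encrypt_only_context():
    # Constructed weak configuration: encryption without authentication.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    # Constructed weak configuration: chain is validated, name is not.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

if __name__ == "__main__":
    for name, make in [("strict", strict_context),
                       ("encrypt-only", encrypt_only_context),
                       ("chain-only", chain_only_context)]:
        print(name, audit_client_context(make()) or "authenticated")
```

A check of this kind only covers the client's configuration; it says nothing about security indicators drawn inside a page or about certificates that were wrongly issued.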
Q. But if a connection is secure and authenticated, how can it
be subverted?
A. There are several different ways in which you can be
tricked or misled when making SSL connections, for example:
• By falsified security indicators. A fake website may serve
up pages which render in your browser so that they
suggest a secure connection. The falsification may range
from the trivial, such as displaying a picture of a padlock
somewhere on the page, to the sophisticated, where
scripts in the page rewrite elements of the browser’s user
interface to simulate an encrypted site.
• By the use of an illegally acquired certificate. This is
uncommon, but not unknown. For instance, in 2001, the
world’s biggest issuer of SSL certificates, Verisign,
issued and signed a certificate in the name