Share this Page URL
Help

Securing Your Internet Transactions with SSL and Digital Certificates 257 Your personal computer needs similar protection. After you have performed a credit card transac- tion, your Web browser might cache a local copy of the receipt page that displays all of your personal information, including address, credit card number, and purchase details. If you are not aware that this page has been stored on your computer, you might fail to properly remove or secure it. If your computer is not protected with some of the basic security controls we discuss throughout this book, it might be an easy target for an attacker. Attacks on SSL One of the many functions of SSL is providing for encrypted communications. Many attacks on SSL are designed to break the encryption by discovering the secret key used. Remember that SSL uses symmetric key cryptography to provide encryption. This basically means that the client and server each share the same secret key that is used to both encrypt and decrypt the communications. If an attacker can discover this secret, he can decrypt the communications. The way that this symmetric key is generated is important. In a basic sense, combining a random number with some mathematical computation might generate the secret key. The computation will remain the same and should produce a secret key that cannot be easily deduced. Because an attacker will most likely know what the computation is because it is part of the software and public knowledge, he will be more interested in finding out what the randomly generated number is. If he can figure out what the random number is, he can simply run it through the same computation to get the secret key. As mentioned earlier, another attack is the man-in-the-middle attack. Although several different attacks are performed from this perspective, one of the simplest is for the attacker to impersonate both parties. The attacker tries to get into a position where he appears to you as the trusted party and appears to the trusted party as you. The attacker might then try to intercept communications during the early stages, when you are just starting to set up the SSL connection. He will present to you a fraudulent certificate for your trusted party that you might accept as valid. If he can get you to set up an SSL connection through him, he will have access to all of the information you are sending to the trusted party. What Are Digital Certificates? A digital certificate is supposed to be the computerized equivalent of a passport. It proves a person's identity online and provides a means of legally valid signatures in some cases. In today's society, you might have many forms of identification, including a passport, driver's license, membership card, or similar type of ID card. Just as you can have many ID cards for many different purposes, you can have many digital certificates to serve you. A certificate is used to identify a person or a thing. It is a digital document, which is really a file stored on a computer that can be used to identify a person, server, or company. A server that is running a Web site usually has a digital certificate for your Web browser to authenticate the server and verify its identity. The digital certificate also contains the server's public key for use in establishing encryption. The concept of digital certificates has been around since before the earliest days of the Internet. VeriSign made an early attempt at issuing digital certificates, thus marking its place as an identity authority on the Internet. Early on, VeriSign was primarily concerned with issuing certificates to identify Web servers for use in SSL connections. Since then, certificates have spread into use by government, businesses, and netizens (citizens of the Internet community). The most popular systems of digital certificates today are based on three things: · Public Key Infrastructure · X.509 · Certificate Authorities