YNL Logo
YSER Newsletter
Your e-Procurement Community
In This Issue
How does SSL Work?
Resources
Quick Links
Join Our List
Join Our Mailing List
Issue: 21 January/2008
Dear Sacha,

I've fallen into the same trap that afflicts most of us when we begin talking about things we encounter every day but may be so much technical jargon to others.

I'll rectify that to some extent today.  Instead of simply assuring you again that, for example, SSL is good and that you should make use of it, I will give you some background about why it is good and a useful tool.
How does SSL Work?
Comparing websites and e-mail

You likely already know that SSL is primarily used by websites that engage in handling sensitive information, in the main involving money.  These could be a site like eBay or Amazon.com, an online flower delivery service, or especially online banking.  The reason it is particularly important for banks is just what you'd think: they are the largest and most obvious targets.

If you have ever registered with a website so you can access the service it offers (such as PayPal) you may be familiar with the warning that they provide either at the time you sign up or send out via e-mail.  This warning states that Amazon.com will never send you an e-mail asking for your password.  The purpose of this warning is to protect you from unknowingly sending your password to criminals.

Such e-mails appear to come from an authentic source and comprise a part of the so-called "phishing" attacks.  Such e-mails may also send you to a website that looks authentic, although if you pay attention to the URL of the website (e.g. http://www.amazon.com/) it won't be exactly the same as the one you normally visit.  This is an increasingly common form of phishing.

This is where secure sockets layer (SSL) plays its first role.  The SSL certificate is the way that a website can prove that it is who it says it is.  In essence, it tells you that you're at the right address.  Without this confirmation a secure connection can't be established.  Perhaps you've visited website where your browsers pops up a warning that the certificate has either expired or is wrong.  This is your browser and the SSL certificate working together to tell you that you may be at the wrong address.  Website that are secured by an SSL certificate will usually display a logo to that effect, such as VeriSign's:
verisign





So, you've reached a website that is secured to use an SSL connection.  How is the SSL connection established?  Actually, by the time your browser has loaded the website the SSL connection has already been established.

Secure sites are commonly use HTTPS, for HTTP over SSL, so when looking for that website your browser knows to ask for a secure connection. Your browser sends some information to the website's server to let it know what kind of encryption it is using. The website's server sends back its own information, including a key from its SSL certificate.  Your browser then compares this information to the website to which it was trying to connect.  If everything is in order, the secure connection is established.  All this takes place in a fraction of a second and is simply known as a "handshake".

If the certificate is expired or not valid, your browser will warn you about this.  It is important to note that you can still establish a connection with that website, but it will not be secure.  Therefore it's best to look twice if you have an unaccustomed alert come up when you connect to a site.

Does SSL work the same way for e-mail?

Unfortunately, no.

This is worth emphasizing.  An e-mail you send must go from your e-mail client to your mail server, from where it is then redistributed to the recipient's mail server from where he then downloads it to his e-mail client.  SSL, if you recall, only encrypts information while it is in transit.

To quote Michael Cobb, "It's also important to remember that your message, even when sent over an SSL connection, is only encrypted during transit. The message will appear in plaintext while at rest on the mail server or the recipient's PC and on any backup media."

Because an e-mail must pass through at least two servers before it reaches its destination, the e-mail and any attachments it has are available in an unencrypted state on those servers.  Anyone who can access those servers can read those e-mails.

While it is possible to create a direct link between your computer and a website, this is not the case with e-mail.  This is a limitation of using SSL with e-mail.  It's certainly better to use SSL, but you need to be aware that the security it offers is not complete.  While your e-mail is in transit it is completely secure, but between you and your recipient the e-mail is not always in transit.
Resources
Michael Cobb

Michael Cobb is both a real person and he knows what he's talking about.  If you'd like to convince yourself of this and read some of what he's written, you can find more information about him here.
Security issues bring the joke to mind, "You don't have to run faster than the bear.  You just have to run faster than the slowest guy."  Most of the time your security doesn't need to be air tight.  It only needs to be good enough.  It is, however, important to know the difference between "air tight" and "good enough".  For your daily e-mail correspondence it is probably "good enough" to have it secured with SSL.  But is it still "good enough" for accepting electronic bids or would you rather have something that's a little more "air tight" for that?
 
Sincerely,
 

Sacha Hartmann
YSER Inc.
This email was sent to shar@yserinc.com, by shar@yserinc.com
YSER Inc. | Delaware Technology Park | 1 Innovation Way | Suite 301 | Newark | DE | 19711