
Possible Duplicate:
Does an established ssl connection mean a line is really secure

When I visit a website -- say, https://ebanking.pick-your-bank.com -- my browser (fully patched version of Firefox or IE8/9) will indicate whether it finds everything OK with this https connection / website.

How secure am I that everything is actually OK?

Note: This question asks about https security on a public hotspot. I hope to extend the scope to the following points (not restricted to public networks; also just my private cable-bound connection to my ISP):

  • Certificates?
  • Browser?
  • (Local) network?

Edit: I would like to qualify the "security" I ask for: For the scope of this question, let's assume that the servers behind the https connection are in fact secure. That is, the "real" servers haven't been compromised and the data there is decently secured. Let's focus on the connection (also server side) and client/network side of things. (This doesn't imply that one should be blind to the possibility of compromised servers. Let's just not focus on this aspect for this question. Thanks.)

Martin

1 Answer


At risk of sounding very pessimistic, a website using HTTPS actually says almost nothing about how secure a website is, unfortunately. All it tells you is that they use an accepted mechanism to secure the communication link between you and them.

Unfortunately:

  • the encryption used on this link could be insecure
  • you may be connecting to a malicious man-in-the-middle, and if you don't know how certificates work you may not spot this
  • the website itself may have many insecurities
  • the server the website is hosted on may be vulnerable
  • etc.

The only real benefit is that if HTTPS is used correctly, your communication is encrypted, which does provide a higher level of security for the end user than a site which doesn't.

Correct in this scenario means:

  • you trust that the certificate presented to your browser is the one for the website you are trying to get to (your mileage may vary)
  • the version of SSL on the server is up to date and is only using strong algorithms (have a look here)

But as I said before, this can tell you nothing about the security of the server itself.

Rory Alsop
  • Yes, you do sound pessimistic :-) -- May I suggest that your answer is missing the second half? Namely: Assuming https *is* "used correctly" on the server side, how secure is it? What can I do to make sure it "is used correctly"? thanks! – Martin Sep 27 '11 at 15:23
  • @Martin - quick update for you – Rory Alsop Sep 27 '11 at 15:30
  • I'm in agreement with @RoryAlsop on this. The question is roughly like asking "How safe is a car with a steel frame?" There's so much involved in a site's security that's outside of the scope of TLS that there's simply no way to make any kind of meaningful inferences. And that's even assuming they do TLS correctly (ex. latest version when possible, good selection of cipher suites, avoiding protocol downgrade attacks), which few sites manage. – Stephen Touset Mar 21 '14 at 18:24
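Martin's follow-up asks how a client can tell whether HTTPS is "used correctly" in the sense of the two bullets in the answer: the certificate really belongs to the site you asked for, and the server negotiates an up-to-date protocol with strong algorithms. The script below is an added example using only the Python 3 standard library `ssl` module; it is not code from the original answer or comments. The policy thresholds (TLS 1.2 minimum, the list of weak-cipher markers, the forward-secrecy requirement) and the default target hostname are assumptions chosen for this example, not a published standard.

```python
"""Client-side checks for whether an HTTPS endpoint is "used correctly" in the
sense of the answer above. Added example, not code from the original post.

What it enforces / reports:
  - the certificate chain validates against the local trust store
  - the certificate name matches the hostname we asked for (SNI + hostname check)
  - the negotiated protocol and cipher suite are not known-weak
The thresholds below are assumptions for this example, not a published standard.
"""
import socket
import ssl
import sys

MIN_VERSION = ssl.TLSVersion.TLSv1_2      # assumption: refuse SSLv3 / TLS 1.0 / TLS 1.1
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Substrings that mark a suite as weak whatever the protocol version:
# NULL/anonymous (no encryption or no authentication), export grade, RC4, DES/3DES, MD5 MAC.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
# Suites offering forward secrecy: (EC)DHE key exchange, or any TLS 1.3 suite ("TLS_..." names).
PFS_PREFIXES = ("ECDHE", "DHE", "TLS_")


def build_context() -> ssl.SSLContext:
    """Client context that rejects the failure modes the answer lists."""
    # create_default_context(): loads the OS trust store, verify_mode=CERT_REQUIRED,
    # check_hostname=True, so an untrusted issuer or a wrong name aborts the handshake.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    # Restrict TLS <= 1.2 suites to forward-secret AEAD ciphers; TLS 1.3 suites are
    # configured separately by OpenSSL and are all strong.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def assess(protocol: str, cipher: str, key_bits: int) -> list:
    """Pure policy check on what a handshake negotiated; returns a list of
    findings (empty means nothing weak was spotted). Usable on a live socket
    or on handshake parameters captured elsewhere (scanner output, logs)."""
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocol %s" % protocol)
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher suite %s" % cipher)
    if key_bits < 128:
        findings.append("symmetric key too short (%d bits)" % key_bits)
    if not cipher.startswith(PFS_PREFIXES):
        findings.append("no forward secrecy (%s)" % cipher)
    return findings


def inspect_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.
    A certificate the context rejects (untrusted chain, name mismatch, expired)
    or a server that cannot meet the protocol/cipher floor is reported as a
    finding instead of raising."""
    ctx = build_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sets SNI and is the name that check_hostname verifies against.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _, key_bits = tls.cipher()
                protocol = tls.version()
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "findings": ["certificate rejected: %s" % exc.verify_message]}
    except ssl.SSLError as exc:
        return {"host": host, "findings": ["handshake refused by our policy: %s" % exc]}
    return {
        "host": host,
        "protocol": protocol,
        "cipher": cipher_name,
        "key_bits": key_bits,
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "not_after": cert["notAfter"],
        "findings": assess(protocol, cipher_name, key_bits),
    }


if __name__ == "__main__":
    # Hypothetical default target; pass your bank's hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in inspect_endpoint(target).items():
        print("%-10s %s" % (key, value))
```

Because the context itself refuses old protocols and weak suites, a badly configured server usually shows up as a refused handshake rather than as an `assess` finding; `assess` is there for parameters gathered with a permissive client (or from a scanner report) where you still want a yes/no verdict. Note that, as the answer says, a clean report here only covers the link: it says nothing about the security of the server or application behind it.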