What is the advantage of using SSL?

2

1

If I connect using a DSL line, what advantage do I have in using SSL (for "minor" activities (like banking, to exclude espionage, top-secret-business plans))? I assume that most people will not literally wiretap a single home-user's line.

Once the data gets to the ISP (AT&T), there shouldn't be any more danger (there isn't much for AT&T to steal from my bank, yet they can be sued for using data going through their servers).

The Internet backbone should be secure for roughly the same reason - no company will want to break the law through stealing my credit card number (Yes, I know, companies may not always be trusted. Yet, I am only transferring bank/CC#s. The amount they could steal would be incomparably smaller than the amount I can sue them for stealing it).

Same for the server. It is (probably) connected through T1 lines administrated by a large sueable company. Once it gets to the web-server, SSL no longer protects the data (against crackers, etc.)

So, in contrast to the days when the average ISP was a small dialup company who could scam one's bank statements and run, how much more secure is an SSL connection vs. a non secure connection?

Am Haaretz Gamur Mideoraysa

Posted 2012-04-04T23:59:17.180

Reputation: 121

Why do you feel the internet backbone is "secure"? Companies, their employees and governments do illegal things all the time - especially if they think they won't get caught. Don't be an easy target. – uSlackr – 2012-04-05T01:02:49.783

"they can be sued", "I can sue them" - This would be funny if it wasn't so misguided. Suing someone after the fact is not a viable security plan. Criminal hackers do not worry about being sued by you or anyone else. You simply do not have the resources, time or money to find them, take them to court and win. Besides, they may not even be in the same country as you. – sawdust – 2012-04-05T08:28:44.603

Answers

9

"I assume that most people will not literally wiretap a single home-user's line."

That's not the only possibility, consider these possibilities:

  1. Your home-user's line is personally targeted, less likely.

  2. A line between the ISP and your bank is targeted, more likely.

It is that second possibility that makes it scary not having a secured connection, because if someone gets access to that line (sniffing it in one or another way) then they can access a lot of unsecured data. If your data is confidential, it better be sent secured.

"The Internet backbone should be secure for roughly the same reason"

Such assumptions are dangerous, consider these possibilities:

  1. Someone has a direct connection and can sniff other connections on the same hub.

  2. An employee decides to steal personal data, and nobody notices he does that.

  3. Someone gains access to the cables and/or network equipment and messes around with it.

  4. Someone manages to hack an internet backbone.

And that list isn't full, there are most likely more possibilities.

"The amount they could steal would be incomparably smaller than the amount I can sue them for stealing it."

Who are you going to sue? What proof do you have? Exactly, it could be gone without a single trace.

"How much more secure is an SSL connection vs. a non secure connection?"

The server provides a user with a certificate which the user can check against a known certificate authority. If the certificate matches, they can do encryption in such a way that nobody can sniff the data or tamper with it; any attempt to do so will break the connection.

Note though, that SSL is only safe as long as the certificate authority the certificate came from doesn't get compromised. The main goal with SSL is thus that sniffing is no longer a single step, but that you first need to get access to a certificate authority and then get access to encrypted network traffic and then have to decrypt the SSL to finally get the data you want. The chance that you get caught doubles here...

Tamara Wijsman

Posted 2012-04-04T23:59:17.180

Reputation: 54 163

Is it safe to say that if there is any authentication involved it qualifies for the SSL usage? The reason I am asking this is because even search engines these days have SSL for unknown reasons(to me). – Mahesh – 2012-04-05T02:12:58.923

@Mahesh: Authentication is not a necessity, a search engine is a good example here: Your search queries can be used to make a profile about you, while most search queries would be OK if they were sniffed, some are not. Using SSL disallows sniffing by people in your home (people that hacked your WiFi as well), people at your work environment, people at school, people that are dining in the same fast food restaurant (that has WiFi) and so on. Better to be safe than sorry... – Tamara Wijsman – 2012-04-05T07:30:52.280

3

One thing to consider is SSL isn't just to encrypt the data stream. It verifies the identity of the remote site and makes sure it matches the domain. For example, a number of home routers have had DNS spoofing vulnerabilities, so hitting your bank's web site could actually send you to another site. All this is done with a shotgun approach, so it's not specifically targeting you but hitting millions of routers hoping to get hundreds of victims.

As far as encryption, WiFi is a very common vulnerability. Someone could hang out at a coffee shop and just pull passwords out of the air. Because people tend to use the same passwords for all their sites, getting something with minimal risk like a Facebook password could possibly open up your bank accounts. That's why Facebook and others got pressured into switching to SSL.

There also may be a proxy server in the path that you don't know about. If that proxy server is compromised and you're sending clear text, they can just pull passwords off it. When the hack is found, they probably won't notify, or even know, all the sources and destinations that went through it. If you're using SSL, the data through the proxy is useless.

JOTN

Posted 2012-04-04T23:59:17.180

Reputation: 531

Of course, there have been a number of compromised CAs recently, which have resulted in fake certificates being issued for high-profile sites. SSL "verifies the identity of the remote site" only to the extent that you trust several hundred companies you've never heard of whose certificates are installed as trusted roots in your browser. – Wyzard – 2012-04-05T01:39:21.813

1

Beware of SSL in a corporate environment. There are many companies that make so-called "SSL interceptors" that effectively perform a Man-In-The-Middle (MITM) attack on your SSL connection so the company can monitor the content being transferred, while both your browser and the external Web server each think they have a secure SSL connection to the other. Bluecoat's ProxySG product includes a Data Loss Prevention (DLP) feature that does just this.

This works in corporate environments, because the company typically has administrative access to your computer, which allows them to install new CA certs into your browser (unbeknownst to you). The new CA cert tells your browser to trust the company's SSL interceptor, so that it can decrypt all of your SSL traffic (before re-encrypting it on the outbound leg to the external server).

You can use openssl to dump the external Web server's SSL cert from outside the company and compare it with the cert seen from inside the company (as described in this blog post). If they don't match, then your company may be running an SSL interceptor.

Fran

Posted 2012-04-04T23:59:17.180

Reputation: 4 774
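
The comparison described in the answer above, as an added example that is not part of the original answer: record the server certificate's SHA-256 fingerprint from a network outside the company (for instance the output of `openssl x509 -noout -fingerprint -sha256`), then check it against the certificate presented on the inside path. The function names and the script's command-line usage are this example's own assumptions.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys


def normalize_fp(text: str) -> str:
    """Accept 'sha256 Fingerprint=AB:CD:...' as printed by openssl, or bare hex."""
    hex_part = text.split("=", 1)[-1]
    fp = re.sub(r"[^0-9a-fA-F]", "", hex_part).lower()
    if len(fp) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return fp


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_leaf_pem(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Return the leaf certificate presented on *this* network path.

    Validation is off on purpose: the goal is to record what is presented,
    and an interceptor's certificate would validate on a managed machine anyway.
    The connection is closed without sending any application data.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def same_certificate(inside_pem: str, outside_fingerprint: str) -> bool:
    """True when the certificate seen inside matches the one recorded outside."""
    return hmac.compare_digest(cert_fingerprint(inside_pem),
                               normalize_fp(outside_fingerprint))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit('usage: check_cert.py <host> "<fingerprint recorded outside>"')
    pem = fetch_leaf_pem(sys.argv[1])
    print("inside fingerprint:", cert_fingerprint(pem))
    print("match" if same_certificate(pem, sys.argv[2])
          else "MISMATCH: a different certificate is presented on this path")
```

A mismatch is a prompt to look at the certificate's issuer rather than proof of interception: large sites can legitimately serve different certificates from different servers or after a renewal.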