Data Protection and Security

VIII Standards and Protocols

VIII.IV Secure Socket Layer (SSL)

Short History of SSL: SSL version 2 was originally developed by Netscape in 1995. Microsoft improved SSLv2 and introduced a similar protocol known as PCT. Netscape substantially overhauled the protocol as SSLv3. IETF, realizing it was bad for industry to have three similar but incompatible protocols for the same purpose, introduced a fourth similar but incompatible protocol – TLS (Transport Layer Security).

PKI employed in SSL:

  • The server sends a certificate to the client.
  • If it is signed by one of the CAs on the client’s list, the client will accept the certificate.
  • If the server presents a certificate signed by someone not on the list, the user is typically presented with a pop-up box informing them that the certificate couldn’t be verified because it was signed by an unknown authority.
  • What to do then? (Most users click yes and continue)
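The check behind these bullets can be reproduced offline. The following Go program is an added example, not part of the course material: using only the standard crypto/x509 package, it creates a root CA that is on the client's list and a second root CA that is not, has each of them issue a server certificate for the same host, and then runs the client-side decision. The CA names ("Example Trusted Root", "Unknown Root") and the host name shop.example are constructed for the demonstration. The third case, a certificate from a trusted CA that names a different host, goes one step beyond the text: a CA on the list is necessary but not sufficient, the certificate must also belong to the server the client meant to reach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on an unexpected error (key generation, DER encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a certificate template (constructed data, not a real CA or host).
// CAs get the CA basic constraint; server leaves get the host name as a SAN.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a key pair and a certificate from tmpl. With parent == nil the
// certificate is self-signed (a root CA); otherwise parent/parentKey issue it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := key // self-signed: the certificate is signed with its own key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// ClientVerdict is the decision an SSL/TLS client takes on the certificate the server
// presented: build a chain to one of the CAs on the client's list and check that the
// certificate names the host the client meant to reach.
func ClientVerdict(serverCert *x509.Certificate, trustedCAs *x509.CertPool, host string) string {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: trustedCAs, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // the pop-up case described in the text
	case errors.As(err, &badHost):
		return "hostname-mismatch"
	default:
		return "rejected"
	}
}

// RunDemo issues a server certificate from a CA on the client's list and one from a CA
// that is not, and reports the client's verdict on each (plus a wrong-host case).
func RunDemo() (trusted, rogue, wrongHost string) {
	const host = "shop.example" // constructed host name
	trustedCA, trustedKey := newCert(template("Example Trusted Root", 1, true), nil, nil)
	rogueCA, rogueKey := newCert(template("Unknown Root", 2, true), nil, nil)
	goodCert, _ := newCert(template(host, 3, false), trustedCA, trustedKey)
	rogueCert, _ := newCert(template(host, 4, false), rogueCA, rogueKey)
	// The client's CA list holds only the trusted root; the second CA is not on it.
	clientList := x509.NewCertPool()
	clientList.AddCert(trustedCA)
	return ClientVerdict(goodCert, clientList, host),
		ClientVerdict(rogueCert, clientList, host),
		ClientVerdict(goodCert, clientList, "other.example")
}

func main() {
	trusted, rogue, wrongHost := RunDemo()
	fmt.Printf("trusted CA: %s\nunknown CA: %s\nwrong host: %s\n", trusted, rogue, wrongHost)
}
```

Verify returns a distinct error type for each failure, which is what lets a client (or a browser) word its warning precisely; collapsing every failure into one generic "continue?" prompt is what leads to the behaviour noted in the last bullet.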

The following video illustrates a typical SSL connection and how to examine the server certificate in that connection.

Animation VIII.IV-I: SSL Certificate

VIII.IV.I Question

What is the secure reaction for the client in this situation? What is the security drawback of not applying it?
