Wednesday, June 11, 2008

Determine if SSL connections are truly secure

When users browse to a Web site that begins with https, they expect that connection to be secure via Secure Sockets Layer (SSL), a protocol for transmitting secure documents via the Internet. The majority of Web sites use this protocol to obtain sensitive data (e.g., shopping cart data and credit card numbers from customers).

An https Web site may make most users feel relatively secure, but this alone doesn't guarantee secure transactions. To properly protect your organization's users--as well as corporate data that nonsecure transactions could leave open to exposure--make sure your users understand how to properly evaluate a Web site's security.

Making the SSL connection

When it comes to online forms, secure servers (from an https site) do not actually serve most of them. This means that the form data may not be going where users think.

Note : Sorry because of limitation with Blog Spot I am enclosing the HTML tag < with "<".. Hope it does not impact ..

If you view the source HTML code of a Web page that you're entering credit card data into, you should see something like the following:

"<"form method="POST" action="/order.cgi"">"
or
"<"form method="POST" action="https://www.shop.com/cgi-bin/order.cgi"">"

If the form POSTs to an IP address, users should browse to another site. A Web site should send sensitive information only to a registered site.

Here are the four most common forms that users will encounter:

  • Form page http://www.shop.com/form.html with a form tag of "<"form action="/cgi-bin/login.cgi" method="get"">": This is not secure at all, and it doesn't encrypt any of the information.
  • Form page https://www.shop.com/form.html with a form tag of "<"form action="http://www.shop.com/cgi-bin/login.cgi method="get"">": This information isn't secure either. When the form sends the data, it initiates a new--not secure--HTTP session.
  • Form page http://www.shop.com/form.html with a form tag of "<"form action=https://www.shop.com/cgi-bin/login.cgi method="get"">": This securely transmits information to the form Web site.
  • Form page https://domain.com/form.html with a form tag of "<"form action=/cgi-bin/login.cgi method="get"">": This also securely transmits information to the form Web site.

Making sure data remains secure

By securely transmitting data and using SSL to collect sensitive information, a Web site implies that it will keep that information secure. But what really happens behind the Web site?

For example, most small companies don't host their own Web sites; instead, they use a Web hosting service. But Web hosting services typically turn that Web form data into an e-mail, a process that more than likely doesn't encrypt the data. This means that anyone with access to the e-mail can easily access customers' sensitive information.

Advise users to keep this in mind when surfing the Web, and make sure your organization's Web site makes an effort to reassure its customers about data security.

No comments: