This was in the Philadelphia Inquirer today:
FAQ | How to ensure online security
"Safe sites use Secure Sockets Layer encryption codes for personal information. You need it, too.
By John J. Fried
Inquirer Columnist
Q: Could you address the problem of security with regard to entering personal information online? When I am on a Web site, I always look for the little lock symbol before I give information, but just how secure is this?
- MargeeB41@aol.com
A: Web sites divide into two distinct camps: those that are secure and those that are not.
Secure Web sites use a highly advanced coding system, Secure Sockets Layer, or SSL, 128-bit encryption to scramble your information into gibberish while your computer and their computer are talking and swapping information.
Consider this: When you give your credit-card number online, the number of ways a 128-bit encryption system can encode that information is represented by the number 8 followed by 37 zeros.
There are even higher-bit encryption codes, but 128-bit is considered unbreakable.
Which brings us to another point: To take advantage of Secure Sockets Layer technology, you need an up-to-date browser with its own 128-bit encryption capability.
Updating to the latest version of Netscape, Internet Explorer or Opera will do the trick.
So if you are using Internet Explorer and see that the little lock is closed, or if you are using Netscape and see an unbroken key, you can rest assured that you can send credit-card information and other data to the site without risking that anything will be stolen in transit.
You still run a small risk that some unscrupulous employee at the other end could steal the information. But then, that is a possibility when you hand a credit card to someone in a store or restaurant.
If the Netscape key is broken, if the lock is missing, or if you see neither key nor lock, do not transmit any information you consider private."
This is the type of thing that frustrates the heck out of me. I could (okay, I really can't because I know it is true and have no interest in actually doing this, but somebody could) find hundreds of cases where websites were compromised even though they used SSL. When hackers attack, they have such fruitful targets with thousands of personal account records (all populated using SSL) that there is no reason to try to piece together a single transaction for a single account. It's like protecting a courier headed to the bank with $350 in deposits and leaving the bank vault filled with millions (everyone's deposits) wide open.
I want to shout from the highest mountain, "THAT LITTLE YELLOW LOCK MAY NOT BE TELLING YOU ANYTHING!" Nothing like a bit of melodrama to spice up a Sunday evening ;-). I have nothing against SSL (though I would love to hear about any instances of information being sniffed off the wire), but people think it provides a level of security it cannot.
I feel better now.
10:40:06 PM