Time and again, people keep stressing on the importance of encryption with the help of SSL and on how they help to keep the contents of the web pages confidential. However, just because SSL and HTTPS encrypt data, it does not mean that they are completely foolproof against spying. Most modern day malicious softwares can detect the passwords before they are encrypted and some also infect the browser itself which makes them far worse. Since a browser keeps track of everything that comes in or goes out, they are perfect stepping stones for spies. The problem is that by using MITM (Man in the Middle) attacks, even HTTPS pages can be spied upon without even having to use malicious softwares. With the help of these attacks, the spies place themselves in between the website and the user, thereby getting access to all records which are input by the said users before they are encrypted.
Thus, according to Seth Shoen, for a proper defence against spying and MITM attacks, users cannot simply rely on the genuineness of the site’s appearance as even during the attack, the behaviour and performance of the site is completely genuine. In simpler words, the secure web pages are useless when it comes to MITM attacks. This is where the Fingerprint Service launched by Steve Gibson plays a huge role. According to industry experts, this service should play a huge role in detecting and exposing Man in the Middle Attacks.
The Steve Gibson Fingerprint Service basically lets users compare the digital certificates what are received in their browsers to the ones which are retrieved in the Fingerprinting Service server. There are two basic aspects of this service. In the first aspect, the Steve Gibson server gets the digital certificate of the website in question. This server is more likely to get the legitimate certificate as it is connected directly to the internet backbone which allows the server to bypass the middleman and get the data directly from the site. The second aspect involves comparing the certificate received by the Gibson server to the one which is received by the user’s server. Moreover, the Gibson server cannot assure users on whether digital certificates for a specific website are supposed to be issued by VeriSign or not. But the Gibson server can confirm whether or not the certificate that it received from the said site is the as the one which the users got.
It might be quite hard for most users to understand the fact that an SSL server is not completely safe after being drilled about its safety year in and year out. Moreover, top companies such as Paypal, Bank of America, Symantec, Citibank, United Airlines and Zappos have all gone out and stated that the SSL is extremely secure. Due to these notions, the HTTPS/ SSL interceptions did not even make it to the top 5 privacy threats of 2013. However, recent studies and findings can clearly confirm that the SSL is not as safe as it was deemed to be and that the new Fingerprinting Service can actually go a long way in verifying and securing the data received by users.
You can follow any responses to this entry through the RSS 2.0 feed.
Leave your comment