What are the risks to SSL, TLS, HTTPS?

Hyper Text Transfer Protocol Secure (HTTPS) is the method of communicating between servers and browsers; it uses SSL/TLS.

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are often both referred to as SSL.

There are two inherent risks in SSL (TLS, HTTPS).

  1. SSL could fail.
  2. There could be a fake certificate or authority on your device.

SSL could fail

Just a couple of years ago, in 2014, SSL version 3.0 was broken, and the industry had to come up with a new method of keeping internet communications secure. Hence TLS was created, and quickly version 1.0 became 1.1, which then became 1.2, which is the current standard and is believed to be impenetrable.

But then, SSL 2.0 was thought to be impenetrable.

3rdKey.com doesn't rely on SSL alone: we encrypt the communication further through our own algorithm, and require your 3rd key to decipher the communication.

There could be a fake certificate or authority on your device

Any secure communication that relies on a Certificate Authority can be breached if someone using the browser has seen a certificate warning and clicked "use this web site anyway".

Sometimes this can "mean that the Web surfer is being redirected somehow to a fake Web site."
--ComputerWorld

3rdKey.com doesn't rely on SSL alone: we encrypt the communication further through our own algorithm, and require your 3rd key to decipher the communication.

And here is where it gets really scary... You go to a web site that you trust, and get a certificate warning, and because you trust the site, you accept the certificate and click through.

You have also accepted the Certificate Authority that signed that certificate.

This means that any other certificate signed by that Certificate Authority (real or fake) will now be accepted at any site you visit, or from any Man-In-The-Middle attacker that intercepts your communication (for example, on a public WiFi).

Or, if you are using an internet cafe, someone else, some time in the past, could have clicked through to a web site, accepting a certificate and Certificate Authority. That now means that you accept a certificate that is not for the site you are visiting.

3rdKey.com doesn't rely on SSL alone: we encrypt the communication further through our own algorithm, and require your 3rd key to decipher the communication.
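
One way to check a device for a certificate authority that should not be there is to fingerprint its trusted roots and compare them with a known-good baseline. This is an added example, not code from 3rdKey.com; the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def fingerprints_from_pem(bundle_text):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(bundle_text)]

def system_root_fingerprints():
    """Fingerprints of the roots Python's default TLS context trusts.
    Roots kept in a certificate directory (capath) are loaded lazily and may
    be absent here; browsers that keep their own store are not covered."""
    ctx = ssl.create_default_context()
    return [hashlib.sha256(der).hexdigest()
            for der in ctx.get_ca_certs(binary_form=True)]

def audit_roots(current, baseline):
    """Return (added, missing) fingerprints relative to a known-good baseline."""
    current, baseline = set(current), set(baseline)
    return sorted(current - baseline), sorted(baseline - current)

# Constructed sample data: placeholder bytes wrapped as PEM, not real
# certificates. Fingerprinting only hashes the decoded bytes, so this is
# enough to show the comparison.
SAMPLE_BASELINE_PEM = "".join(
    ssl.DER_cert_to_PEM_cert(der)
    for der in (b"constructed root A", b"constructed root B"))
SAMPLE_DEVICE_PEM = SAMPLE_BASELINE_PEM + ssl.DER_cert_to_PEM_cert(
    b"constructed root added later")

if __name__ == "__main__":
    added, missing = audit_roots(fingerprints_from_pem(SAMPLE_DEVICE_PEM),
                                 fingerprints_from_pem(SAMPLE_BASELINE_PEM))
    for fp in added:
        print("root not in baseline:", fp)
    for fp in missing:
        print("baseline root missing:", fp)
```

On a real device, pass `system_root_fingerprints()` as `current` and a fingerprint list recorded from a clean install of the same operating system as `baseline`.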

Sources: Microsoft / digicert / ComputerWorld / InMotionHosting / MakeUseOf
