[X4U] Macintosh security (How to protect files and Applications for stolen computers)

Philip J Robar pjrobar at areyoureallythatstupid.org
Tue Nov 22 15:11:02 PST 2005


On Nov 22, 2005, at 2:44 PM, David Ledger wrote:

>> From: Richard Gilmore <rgilmor at uwo.ca>
>>
>> Do websites that you enter credit card
>> info use this kind of encryption?
>
> The lock icon on your browser shows that SSL (Secure Socket Layer)
> security is being used. This is an encrypted authenticated link
> using public/private keys. * The padlock tells you that you have a
> safe secure session with whoever owns the certificate that the
> browser has set up the session with. Unless you manually check,
> _you_ cannot be sure that that really is the bank/shop/website that
> you believe it to be. If you start the session by typing in the URL
> of your bank, you can be pretty sure that the certificate belongs to
> the bank. If you follow some link in some email it probably won't
> be. Your session with the crook will be safe and secure :-)
>
> * - information from Secrets & Lies.

TrustBar (http://amirherzberg.com/trustbar/) is a Firefox extension
which deals with this problem:

"Currently, browsers have very limited security indicators,
consisting mainly of a padlock icon displayed in the status bar of
protected sites. Most users are not aware of this indicator, and
certainly not of how to use it. Security experts know: the padlock
indicates that the connection between the browser and the server is
protected under the SSL (or TLS) security protocol, which encrypts
the traffic and authenticates the identity of the server. The
authentication part is tricky (yet critical); how can the browser
authenticate a site? Technically, the solution is based on complex
mechanisms – public key cryptography, digital certificates, etc. –
but we do not need to discuss these, to understand the implications.
Namely: with SSL, the site essentially presents to the browser an
"affidavit" (called a certificate) from an entity (called a
certificate authority) that has identified the site; the affidavit
contains the identity of the site and keys that allow the browser to
validate the site is the right one.

TrustBar displays this information in a simple, concise way, e.g.:
"Gmail identified by VeriSign". The first identifier (e.g. Gmail) is
the name, logo or domain-name of the site; the second identifier is
of the entity that actually authenticated it (e.g. VeriSign, which is
currently the largest Certificate Authority – the technical term for
companies providing these identification services). The user can
assign her own favorite name or logo/icon to each site (even
unprotected sites – although, this does not protect them…). This
makes it much easier for users to detect spoofed (fake) sites, which
will usually be unprotected, and even if protected, will not be able
to display the fake identity (identified by any credible authority)."


Phil
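An added example, not part of the original post or of TrustBar, that shows the two checks the thread talks about: deriving a TrustBar-style "site identified by CA" label from a server certificate, and checking that the hostname the user actually typed matches a name the certificate authority vouched for. The certificate dictionary is constructed here in the shape returned by Python's ssl.SSLSocket.getpeercert(); the bank and CA names in it are made up.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the organisation, CA and host names are invented for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc"),),
                (("commonName", "www.example-bank.test"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Certificate Authority"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "example-bank.test"),
                       ("DNS", "*.online.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _label_matches(pattern, hostname):
    """Exact match, or a single leading '*' that covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False

def cert_names(cert):
    """DNS names the CA vouched for; subjectAltName wins over the legacy commonName."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return names or [_rdn_value(cert["subject"], "commonName")]

def trustbar_label(cert):
    """The 'Gmail identified by VeriSign' style summary TrustBar shows."""
    site = _rdn_value(cert["subject"], "organizationName") or cert_names(cert)[0]
    ca = _rdn_value(cert["issuer"], "organizationName") or _rdn_value(cert["issuer"], "commonName")
    return f"{site} identified by {ca}"

def hostname_matches(cert, typed_hostname):
    """The padlock alone proves a secure session with the cert owner; this links it to the URL."""
    return any(_label_matches(n, typed_hostname) for n in cert_names(cert))

def is_valid_at(cert, epoch_seconds):
    """Validity window check using the stdlib parser for getpeercert() date strings."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= epoch_seconds
            <= ssl.cert_time_to_seconds(cert["notAfter"]))
```

A lookalike host such as www.example-bank.test.evil.example fails hostname_matches even though it contains the bank's name, which is the "session with the crook" case from the quoted reply.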
