> > How can the over-the-air part of the communication be protected
> > using only SSL login on email without a VPN or other encruption?
Because ssl _IS_ a form of encryption.
> As you can see from other posts the security of SSL comes and goes and is
> not under your control. There are even reports of it being spoofed so the
> padlock icon is not an absolute confirmation. The only sure and constant
> security comes with a VPN tunnel. What we have not established is whether
> you really need that level of security.
The Internet is a set of open networks. Once the data traffic
leaves your cable/dsl modem, it can hop onto many routers and
networks controlled by many private companies. You only need one
bad guy in some place to sniff your traffic.
Now, say you purchase the VPN services from a third party company.
(VPNsRus.com) Your traffic going to your bank (abcbank.com) looks
like this:
[ASCII graphics: Use a fixed font + 80 column width to see properly.]
[Your Computer]========================[VPN server at]
[w/ VPN client] [vpnsrus.com ]
|
|
[Your bank ]--- Internet------+
[abcbank.com]
Where double lines (==) are in a VPN (so, traffic is in an
encrypted tunnel) but at the end that traffic must leave
vpnsrus.com (Your VPN provider) and go to abcbank.com in the
open Internet. VPN from this third party provider gives you
encryption only in your side of the network.
Yes, just looking for the https: and the closed padlock sign are
not sufficient to confirm that you are talking to the server you
think you are talking to.
SSL works like this. There are companies such as VeriSign whose
business it is to issue security certificates. These companies are
called Certificate Authorities (CA). CAs have public and private
"signing" certs. Your browser has many public CA certs. (In firefox,
you can see the certs by going to Preferences -> Advanced -> View
Certificates -> Authorities tab)
CAs issue public/private pairs of certs to service providers (banks,
etc.) The public cert is given to asking browsers while the private
cert is used by the server-side only. When your browser contacts
the server at the bank via https, it first asks for the public cert.
The browser then validates that cert using the CA public cert it
already has. It not only validates the cert, but the URL that cert
is supposed to protect. Browser and the server then use the certs
to encrypt the traffic between themselves.
So, a bad guy, in a phishing attempt, can spoof abcbank.com like this:
- register abdbank.com domain name (that's abD, not abC)
- obtain a cert from a major CA for www.abdbank.com
- design https://www.abdbank.com to look exactly like
that of abcbank.com
- send out phishing e-mail to people in HTML with a link
href=https://www.abdbank.com/ but text for that link
as refers to the real abcbank.com.
What that means to you the consumer is that you must verify
not only https and the closed padlock, but the URL also to make
sure you are going to the place you intended. Don't use links
that came in e-mail. Instead, use the bookmarks after typing
it in the first time.
You cannot guard against this form of spoofing by just having
a third party VPN. The VPN service will happily send you to the
spoofed URL in all its encrypted glory.
This isn't to knock the usefulness of VPNs. If your office network
has a VPN server within its own network, then when you connect from
home (with a vpn client) to the VPN server at work, your traffic
from your home to work is encrypted. You don't use your work VPN
to surf the Internet, right? (ie: look at the ASCII picture above)
*************************************************************************
** List info, subscription management, list rules, archives, privacy **
** policy, calmness, a member map, and more at http://www.cguys.org/ **
*************************************************************************