How secure is https with encryption used by SSL?

Personal Certificates

Since 1996, the VeriSign corporation has been offering “personal certificates” for use with Microsoft and Netscape browsers. A personal certificate is a unique digital ID that can be used to identify you to a Web server and to other users. With a personal certificate, you can send and receive encrypted e-mail messages using the S/MIME system, to verify the identity of the person who sent you an e-mail message, or prove your identity to a Web server.

Personal certificates not widely used on the Web. Their major use is within corporate intranets, where the possession of a certificate is used to control access to confidential information on the corporate Web server. However, many people think that personal certificates will be used in the not-so-distant future as legally binding electronic signatures in Internet-based financial and legal transactions.

How secure are personal certificates? Personal certificates use public key cryptography to sign and authenticate signatures. The security of public key cryptography depends entirely on the secrecy of the user’s private key. When you apply for a digital certificate, a private key is automatically generated for you and saved to the hard disk of your computer. During this generation process, you are prompted for a password, which will be used to encrypt the private key before saving it to disk. This precaution lowers the risk that the key will be intercepted if the computer is compromised either physically or over the network.

Unfortunately this scheme is not foolproof because the private key is only as secure as the software that manipulates it. As described in the sections below, there are numerous known and potential security holes in browser software. If one of these holes is exploited to install new software on your computer or to modify the browser itself, then it is possible for the software to recover the private key from memory after it has been decrypted. Once your private key has been intercepted, it can be used to impersonate you: to gain access to Web sites, to send S/MIME messages in your name, or, at some point in the future, to sign binding legal documents.

In addition to the weaknesses of the software infrastructure, some security consultants have voiced particular concern about the security of the cipher system that Microsoft Internet Explorer uses to encrypt the private key. The issues are obscure, controversial, and differ from version to version of IE. Under some circumstances Internet Explorer can be persuaded to export the private keys using weak 40-bit encryption, a level of encryption that is known to be vulnerable to brute-force key guessing attacks. In other cases, the private key is vulnerable to fast “dictionary” attacks. Full details can be found in an article written by Peter Gutmann:

Next page: Cryptography and the Law

Pages: 1 2 3 4

Category: Need to Concern
Tags: | |

Newer post:
Older post: