Tom Pittman's WebLog

2014 May 29 -- "Secure" Websites

I went to a website the other day, and they wouldn't let me on. What actually happened is, they insisted on encrypting the data using an encryption formula my browser did not recognize, which is the same thing. It never ceases to amaze me that companies professing to do business with the public would want to lock out potential customers. It's like a restaurant turning customers away, "I'm sorry, you can't eat here unless you drive a late-model Rolls Royce."

It used to be that a few websites would make their data unavailable to the general public, but most of them were open to all comers. I simply didn't patronize the exclusive snob sites. But more and more sites are locking up their pages from public view, or hiding them behind virus technology (which I also refuse to allow on my computer). Archive.org (no link: they don't want you) is one of those sites I used to frequent, but is now locking the general public out. So I bought a sandboxed computer for when it's necessary to go places like that, but it's an ugly system (OSX), slow and very hard to use.

I can imagine what the webmasters are thinking: "Secure sockets layer (SSL) means that data transfer is safe from hijacking," but they are wrong. SSL is only as safe as the encryption formulas used -- the NSA and China and probably Russia and England all have computers that can crack anything out there, and what they have today, the rest of the world will have in a couple years. Worse, it is only as trustworthy as whatever Certificate Authorities granted the certificates your browser accepts. Do you know who they are? Do you trust people you never met and who are not subject to any laws (except China; I couldn't find any other country with laws requiring anything at all of them) but their own internal policies? I don't, and you shouldn't either.

I removed from my browser all the certificates from anybody I don't personally trust. As a result, all the websites that require SSL for access force my browser to go through a certificate creation protocol. It's not any more secure than the predefined certificates, but at least the hassle puts me on notice that they think it's secure.
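As an added illustration of the dependency on trust anchors described above (example code added here, not from the blog or its author): the script below uses the openssl command-line tool to build a throwaway private CA, issue a certificate for a made-up host name, and then validate that certificate against two different anchor files. The CA names, the host name shop.example and the function names are all constructed for the example. The chain is accepted only when the issuing CA is among the anchors handed to the verifier; a browser's built-in certificate list plays the role of the -CAfile argument here, and the list of roots it ships with (or the ones you leave in it) decides which sites validate.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway private CA,
# issues a leaf certificate for a hypothetical host name, and shows that
# chain validation passes or fails purely on whether the issuing CA is among
# the trust anchors given to the verifier. Needs the openssl CLI (1.1 or later).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = file prefix, $2 = subject CN (both constructed names).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate for the made-up host shop.example, signed by the CA in $1.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=shop.example" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Validate the leaf using only the anchors in the named PEM file
# (-no-CApath keeps the system's default directory of roots out of it).
# Exit status 0 = chain accepted, non-zero = rejected.
verify_leaf_against() {
    openssl verify -no-CApath -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" \
        >/dev/null 2>&1
}

make_ca trusted_ca "Example Private CA"
make_ca unrelated_ca "Some Other CA"
make_leaf trusted_ca

if verify_leaf_against trusted_ca; then
    echo "issuing CA is an anchor: chain accepted"
fi
if ! verify_leaf_against unrelated_ca; then
    echo "issuing CA is not an anchor: chain rejected"
fi
```

The script needs no network: both the "accepted" and the "rejected" outcomes come from the same leaf certificate, and the only thing that changes between the two calls is which root the verifier was told to trust.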

So-called "digital signatures" use the same technology, and are no more secure, but there are laws now in places (in the USA) which accept them as binding, never mind that (unlike a handwritten signature) anybody with sufficient technology can steal (forge) them. For the Record, I will never willingly offer a digital signature as proof of anything, and I reserve the right to repudiate any digital signature that claims to have come from me.

For more information on the whole problem, see Bruce Schneier's paper "What You're not Being Told about Public Key Infrastructure". Schneier is an acknowledged expert on cryptography, and he basically debunks the process. Despite his cautions, his paper is on an SSL web page, as if that did anything useful (by his own admission, not). Go figure.