This week I contributed to the The Security Catalyst's Security Friday Fast Facts . Below I have reprinted the original article.
How does Secure Sockets Layer (SSL) protect me? Well, unless you understand network traffic, encryption, and web applications then you probably do not know the answer to this question. Fortunately, if you are reading this you probably do understand how SSL works as well as the benefits and problems in its design. If you do understand I want you to do something when you finish reading this article. Stand up, step outside your office or cubicle so that you can see other people, and ask yourself if those people understand how SSL is designed to protect them. Notice anybody who does not?
Here is where the Trusted Catalysts challenge you. We would like you to walk over to a person, or better yet, get a group of people together and have a group discussion about this technology. To facilitate this conversation here are a few points to help you:
• Keep the conversation simple; avoid getting too technical, and do not talk down to anybody who does not understand. They will when you are done, so be patient. If you are in a group let others interject with their experiences and anecdotes. Group discussions are always better learning environments.
• Describe how SSL is a shared secret between their browser and the computer at the other end of the connection. Although the traffic will flow through other computers and devices on the Internet the only thing they will see is a bunch of numbers, letters, and characters that do not make sense. Show them how to look for the “https” portion of the URL within the browser’s address bar.
• Explain that although the communication is protected the data stored on the other system might not be given the same consideration. Suggest that they only provide information to sites that they specifically trust (double check those URLs). Also, emphasize that if they are prompted to permit the storage of their personal or credit card information they should NOT allow it.
• Talk about sites whose certificates produce an error window which will require end user interaction to continue. Let them know that they must read the message to determine if they would like to continue with the transaction. A good example site for demonstration purposes is the Center for Internet Security. When you navigate to https://www.cisecurity.org the error window pops up because they are using the certificate that has been validated for the SANS.org domain. Not a problem here but it IS a problem if you are unfamiliar with the site.
• A good way to finish the conversation is to cover what to do if a person feels bad about a transaction. Talk about how these people should immediately contact their bank or credit card company and talk to them about the situation. These companies usually have very helpful departments dedicated to protecting accounts from fraud and monitoring them for strange or unauthorized behavior.
Now, don’t you feel better about yourself? You have become a catalyst within your environment.
Go forth and do good things,
Cutaway
TCC, SSL, SANS, FFF, Security Ripcord, Security Catalyst
