|
|
SLAC Computer Security | ||
| SLAC Home | Computing Home | Computing Outages | Help | |||
Cyber Security Awareness Month
These tips are part of a month long effort to distribute useful computer security information to the SLAC community.
- Day 23 - Using Browsers, SSL, Domain Names
Some common sense suggestions and best practices from the Internet Storm Center:
Today's issue revolves around trust, implied, explicit, and undeserved. AKA the bad, the worse, and rather ugly. The question is, can a web server be trusted, and under what conditions? Can a web browser determine the trust value assigned to a web server, and what are the criteria for doing so? What reputation can be assigned to the URL based on IP address, SSL certificate, domain name or other parameters? What is the paradigm for using the Internet for business?
Webservers can rarely be completely trusted.
Conditions where I trust a webserver:
- I type in the address ( no autocomplete! )
- I'm using an appropriate browser, like Firefox with NoScript. (or, if I have to, Internet Explorer - with every security flag that doesn't break the website turned on)
- I've probably used this website before. (no kissing on a first date!)
- They don't ask me for information (at least not info I hadn't expected)
Things that would make me suspicious or mistrusting:
- pop ups, pop-unders, redirection or unexpected/unexplained script (especially script errors)
- is the website a non .org/.com ?
- a hidden or vaguely written privacy policy
- expired or invalid SSL certificates
- self-issued SSL certificates
Browser Helpers:Roseman writes "you do not yet mention any browser extensions, such as Netcraft Toolbar or McAfee SiteAdvisor, which by themselves would not guarantee a site is good just because they don't complain, but they do add another layer to the "defense-in-layers" when it comes to identifying spoofed logon sites".
Seals:
I'm not sure if this is related to what you are discussing with SSL certificates, but I have noticed in the last year-plus the different levels of SSL certificates available. At first, I thought it was a level of encryption, but it turned out to be a level of validation to the certificate holder ... and all the validation (paperwork) that goes into it. The site gets a Seal, but who doesn't have a Seal now-a-days validating something?
These seals are not like the Mastercard or Visa logo that you have a level of expectation. Some site can have a seal that says "Safe'n'Secure Computing for the last 30+ days" or whatever, but who is doing the validating and how tough are their requirements to get validated. Plus, I'm sure I have visited legitimate sites that don't display a seal .. and my transaction has been fine. And who has the better "sealing" process.
I know some organizations are doing a lot more to protect the information once they have it (not storing the information in plain text/etc) and I'm sure some seals validate that procedure as well (or at least I would think -- maybe not).
SSL Certificates:
A few years ago, the rule was don't buy anything online unless you see the lock (or equivalent icon). Now that may not be holding true much longer (if an SSL certificate is easy to get). Unless there is some behind-the-scenes process that stops a hacker from getting an SSL certificate that I'm not aware of.
Owner: SLAC Computer Security |
