
The Netscape security "key": misleading??



When using Netscape to connect to a secure site, the "key" at the lower
left of the Netscape display changes from broken to solid to indicate that
you are connected to a site with a secure server that understands the SSL
protocol. However I contend that this is misleading to users. 

My understanding is that the SSL protocol provides for the ability of the
browser to encrypt information sent to the server using the server's public
key. In that sense, the connection is secure. However the link from server 
to browser is still insecure. With the SSL protocol, there is no way to
send encrypted information from server to browser. But even if this were
part of the protocol, the server would have to use its private key to
encrypt documents and since the server's "public key" is public by
definition, then anyone snooping packets on the net could grab the document
and decrypt it.  But do all users understand this when they see the solid 
key indicating a secure connection? Might users not think that the
connection is fully secure in both directions?

Now if we use the S-HTTP protocol and if the browser has a certificate, 
then the server can use the browser's public key to encrypt information 
sent to the browser and only the browser can decrypt it. But this only
works if the browser has a certificate - and probably very few people will
bother to get a certificate.

Comments anyone?

  David Dymm
  dymmd@source.asset.com
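
As an added illustration (my own Python code, not part of David's post), a toy textbook RSA that replays the three situations he describes: browser encrypting to the server's public key, the server "encrypting" with its private key, and the S-HTTP case where the browser has its own key pair. `make_keypair`, `apply_key` and `scenarios` are hypothetical helpers; the primes and messages are constructed sample values.

```python
"""Toy textbook RSA with tiny primes (no padding) that illustrates the post's
argument: data encrypted to a public key is readable only by the private
key's owner, while anything 'encrypted' with a private key can be recovered
by anyone holding the matching public key.  Illustration only, not for use."""
from math import gcd


def make_keypair(p, q, e=17):
    """Build ((e, n), (d, n)) from two primes.  Hypothetical helper."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(data, key):
    """Raise every byte to the key's exponent mod n; each byte must be < n."""
    exp, n = key
    return [pow(b, exp, n) for b in data]


def scenarios():
    """Replay the three cases in the post; returns what each party sees."""
    server_pub, server_priv = make_keypair(61, 53)     # constructed toy primes
    browser_pub, browser_priv = make_keypair(89, 101)  # constructed toy primes
    secret, reply = b"card number", b"account balance"  # constructed samples

    # 1. Browser -> server, encrypted to the server's public key: only the
    #    server's private key recovers it; the public key does not.
    c1 = apply_key(secret, server_pub)
    server_reads = bytes(apply_key(c1, server_priv))
    snooper_gets_secret = apply_key(c1, server_pub) == list(secret)

    # 2. Server -> browser 'encrypted' with the server's *private* key: the
    #    public key, known to everyone, undoes it, so there is no secrecy.
    c2 = apply_key(reply, server_priv)
    snooper_reads_reply = bytes(apply_key(c2, server_pub))

    # 3. S-HTTP style, the browser has its own key pair: the server encrypts
    #    to the browser's public key and only the browser can decrypt.
    c3 = apply_key(reply, browser_pub)
    browser_reads = bytes(apply_key(c3, browser_priv))
    snooper_gets_reply = apply_key(c3, browser_pub) == list(reply)

    return {
        "server_reads": server_reads,
        "snooper_gets_secret": snooper_gets_secret,
        "snooper_reads_reply_via_private_key": snooper_reads_reply,
        "browser_reads": browser_reads,
        "snooper_gets_reply": snooper_gets_reply,
    }
```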

