Dibs-h said:
I hear what you are saying but to be honest - with SSL, most of the certificates supplied are 128 bit...
This is the strength of the key used to generate the certificate data, which is used to verify the URL of a site and to prove some textual information about the issuer and owner, together with a copy of the certificate of the certificate authority.
After the URL has been verified to be the same as the site you are visiting (no matter if this URL is either www.amazon.com or www.amazom.com, as long as it matches), an encryption standard is negotiated and a new random encryption key is generated of any arbitrary number of bits, which can be as weak as 48 bit or as strong as 768 and higher.
and you can verify the site - any reputable site will have the shop at the root, i.e. the main site will be,
http://www.sometoolshop.com
and the moment you start "shopping" it will be
https://www.sometoolshop.com
the certificate does authenticate the site. Spoofing does exist, but if you take rudimentary steps, you are far less likely to get taken for a ride.
Steps such as,
- do they have a real address and real phone number (not some 0870 number) and do the certificate details match it. Almost all certificate authorities allow you to confirm the cert and who it's issued to, online.
- do you know others who use them
- are they advertisers in sites such as this or in the various mags.
When using the man-in-the-middle scenario I stated above:
- you are visiting the real shop through me
- you are dealing with a respectable real shop (or with your own real bank in case of online banking)
- all contact information checks out
- you can send them emails and get a response from them
- the URL in the address bar is correct:
* while visiting (i.e. http://www.amazon.com/)
* while shopping (i.e. https://www.amazon.com/)
* while checking out (i.e. https://www.amazon.com/)
- All the information in the dialog that pops up when you double click the padlock is correct.
- The order will proceed as you would expect
- you get all normal confirmation emails from the real shop
Depending on the browser used also
- The padlock remains closed when confirming your payment to me instead of the real shop
- The URL in the address bar remains correct
- The information in the dialog behind the padlock still states you're communicating with the real shop instead of me.
If you want to be super safe - keyloggers etc. - I would suggest you download and install Microsoft's Virtual PC. I believe they offer pre-built ones. It's like a PC in a PC and starts up like a real PC, but as an app.
Indeed a very effective method to prevent keyloggers etc. Just about any virtual machine software program can be used for that. Along with having a good and up to date virus scanner and firewall installed and activated.
You use that for surfing and then when you shut it down, you choose not to save any changes. That way any parasites you may have acquired get wiped.
Even the security gurus I know surf this way and of all the ways to surf, it is currently the most secure - short of not surfing.
With the addition that you should not do all your surfing. Start the virtual machine, start the browser and go directly to the shop, order your stuff and shut down the virtual machine without saving.
Also
- always use the latest version of the browser
- apply all available updates for your operating system and applications
- preferably don't use Internet Explorer and Outlook
- check the URL, padlock and the information behind the padlock.
- recheck this information when making the payment
- never shop from a public place or a stranger's computer
- be aware and cautious of shopping from work, esp. medium/large companies
I've worked for some of the largest acquiring/issuing banks/Visa in the last 10 years and their own networks are extremely secure.
I fully agree with that 100%
As for higher levels of encryption being forbidden - sorry I have to disagree. There are export restrictions to certain countries, but not to Europe. Some of the Microsoft systems we use are currently at 256bit encryption.
It is not dependent on the location you're at. The restrictions applied by the software (both at your and the shop's end) are dependent on the version and age of the used software and libraries. If you use an older version of a browser, for instance, which was intended to be used in the US or some other regions, a restriction of either 48 or 64 bit can apply. No matter if you would be physically located in the UK, Sweden or on the moon.
Visa's own internal network uses hardware level encryption which is far superior - I've been involved in the commissioning of some of their systems. Try to even unplug their hardware without the appropriate sets of keys and personnel and it physically burns out the entire device in under 20s.
This applies to about all networks of any bank or institute that handle, process or store electronic money transfers. Also plugging in any hardware causes that area of the network to shut down and security to be alerted of the event, including the exact location within the building.
This prevents about any possibility of foul play by any employee or visitor of the institute / company. But it does not prevent any event happening between your screen and keyboard and their internet connection.
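The thread's point that the browser only checks that the URL's host matches the name the certificate was issued for (so www.amazom.com with its own certificate passes just as cleanly as www.amazon.com) can be shown with a small matcher. The code below is an added example written for this page, not code from either poster; the certificate name lists are constructed sample data, not real certificates, and the wildcard handling follows the usual single-leftmost-label rule.

```python
"""Hostname-versus-certificate check, as described in the thread above."""
from urllib.parse import urlsplit

# Constructed sample "certificates": the names each one was issued for.
# These are made up for the example and are not real certificates.
SAMPLE_CERTS = {
    "real-shop": ["www.amazon.com", "amazon.com"],
    "lookalike": ["www.amazom.com"],          # a different, legitimately issued name
    "wildcard": ["*.sometoolshop.com"],
}


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name.

    A '*' is honoured only as the entire leftmost label, and it covers exactly
    one label, so '*.example.com' matches 'shop.example.com' but neither
    'a.b.example.com' nor 'example.com' itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if not all(h_labels):                      # reject empty labels such as '.shop.com'
        return False
    if p_labels[0] != "*" or len(p_labels) < 3:  # no '*.com'-style patterns
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_url(san_names, url: str) -> bool:
    """True if any name on the certificate covers the host in an https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False                           # no padlock at all on plain http
    return any(_name_matches(name, parts.hostname) for name in san_names)


def check_shop(cert_label: str, url: str) -> str:
    """Verdict for one URL against one of the constructed certificates."""
    return "match" if cert_matches_url(SAMPLE_CERTS[cert_label], url) else "mismatch"


if __name__ == "__main__":
    cases = [
        ("real-shop", "https://www.amazon.com/checkout"),
        ("lookalike", "https://www.amazom.com/checkout"),  # passes: issued for that name
        ("real-shop", "https://www.amazom.com/checkout"),  # fails: name not on the cert
        ("wildcard", "https://shop.sometoolshop.com/"),
        ("wildcard", "https://a.b.sometoolshop.com/"),
    ]
    for label, url in cases:
        print(f"{label:10s} {url:40s} -> {check_shop(label, url)}")
```

The second case is the one the thread is warning about: the padlock closes because the certificate genuinely belongs to the lookalike name, so reading the host in the address bar and the name behind the padlock is the check that catches it, not the padlock by itself.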