SSL is supposed to solve two problems but most people only care about one of them
One of my esteemed colleagues and a member of the Oxy Web Team wrote a post about how to get rid of a particularly annoying pop-up alert present in Internet Explorer 8 (and older versions). But what she neglected to do was spin an incredibly boring and technical tale about what that error message is all about.
Surely, you're dying to hear more.
In the beginning, there was the web. Later on, some folks decided the web needed to be secure. They developed something called SSL, which was designed to solve two problems:
- Encrypt traffic between a web browser and a web server so that sensitive information could be passed securely.
- Give the web browser a way to determine if the web server is actually owned and operated by the organization it purported to be owned by.
Problem #1 is generally seen as the more important of the two, largely because most folks already understand how wiretapping works and the risks that come with it. Problem #2 has no real analogue in the physical world that most people can relate to. When you go to an Apple store and buy an iPhone, there's no doubt that you are in a building owned by Apple that sells genuine Apple products (for the sake of this analogy, pretend China doesn't exist for a moment). On the web, though, you could be at a site that looks like it was made by Apple and appears to be selling Apple products but might actually be run by some kid in Slovenia for all you know. So SSL also includes a mechanism that allows you to validate the owner of a site. Think of it as the opposite of how cashiers ask for your ID when you buy stuff using a credit card: instead, you're also asking the cashier for their ID to prove they're Apple Store employees and not some random dude wearing a polo shirt and skimming credit card numbers.
The problem, though, is the same problem you get with ID checking: it takes a lot of time. So much so that you stop doing it consistently. You only use SSL for some parts of the page and not others. You can encrypt the login page only, for example, like a hypothetical Apple store where only the cashiers get IDs. The person taking your credit card is legit, but who knows if the sales person is selling you a legit product?
Of course, SSL's value as the "ID card for the web" started to diminish as well. As with physical IDs, hackers can generate fakes. And despite the fact that it's not necessarily a good idea, the cool kids started to cut back on where they used SSL and eventually the world had to follow suit. Internet Explorer's error message, once a message that conveyed actual risk, was now more of a nuisance.
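The "SSL on some parts of the page and not others" situation is exactly what the old Internet Explorer alert is complaining about: an https page that pulls in scripts, images or stylesheets over plain http. Below is a small scanner, added here as an illustration and not part of the original post or any Oxy tool, that finds such references in a page's HTML. It uses only the Python standard library; the page URL, the host names and the HTML snippet are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource or submit data.
# (Assumed list for this example; browsers track more cases than these.)
FETCH_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "audio": "src",
    "video": "src",
    "source": "src",
    "embed": "src",
    "object": "data",
    "link": "href",    # only counted when rel says the browser will fetch it
    "form": "action",  # an http form on an https page leaks submitted data
}

# rel values for <link> that actually cause a fetch; rel="canonical" does not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every http:// reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        if tag == "link":
            rel = (attr_map.get("rel") or "").lower().split()
            if not FETCHING_LINK_RELS & set(rel):
                return
        value = attr_map.get(attr_name)
        if not value:
            return
        # Resolve relative and protocol-relative ("//cdn/...") URLs against the
        # page URL, so only references that really go over http are flagged.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((tag, attr_name, absolute))


def find_mixed_content(page_url, html):
    """Return the insecure sub-resource references of an https page."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # an http page makes no "secure" promise to break
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a login page served over https.
SAMPLE_PAGE_URL = "https://www.example.edu/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.edu/login">
<script src="//cdn.example.net/jquery.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="images/logo.png">
<img src="HTTP://img.example.net/banner.gif">
<iframe src="https://video.example.net/embed/1"></iframe>
<form action="http://auth.example.edu/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url}>")
```

Run against the sample, the scanner reports the analytics script, the banner image and the form action; the relative stylesheet and logo, the protocol-relative jQuery reference and the https iframe all inherit or already use https and are left alone, as is the canonical link, which the browser never fetches. In practice, the script entry is the one that matters most: an http script on an https page can rewrite the whole page, so browsers block it outright, whereas an http image only degrades the lock icon.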
Internet Explorer 9, for example, still pops up a warning, but you no longer have to click on it to use the web page, and it sits all the way at the bottom of the page. Chrome gives you a small, albeit somewhat alarming, visual cue:
Firefox is the most subtle of all.
In practical terms, SSL was never as useful as its creators hoped it would be for ferreting out fraudulent websites. Largely, this was because good technology can't stop bad people. In the end, there's no single, clear way to determine whether a site is fake or not. You just have to use your best judgement and stay alert. Anyone who tells you any different is just trying to sell you a bridge.