Why SSL is not enough?

SSL is encryption of the data while its in transfer. You can easily recognize a page that uses it because the URL starts with HTTPS instead of HTTP. It is very useful for attacks such as man in the middle attack. In fact it's a good technology than can help you in a few different ways.

The only problem with SSL it that it is sold as the ultimate security measure. which is not the case. This creates a false sense of security which we have said many times before is worse than being insecure.
This miss leading publicity that the SSL certificate sellers have established makes many uninformed website owners think that their site is secure just because they have SSL. This makes them not think again if injection attacks or cross site attacks or any other attack would be possible.
Even when when security professional warn them about the security holes they completely deny then and say thing like "this is not possible, I have SSL".

So lets see what HTTPS can do for your security and what it can't do.
When you are connected to the internet with a wifi connection and you fill out a form on a website that does not use this technology a hacker can intercept that information and see what the person is filling into the form, this can contain, passwords, credit card info, bank info and personal information.
If the site does use SSL then this information that the client filled into the form is encrypted and the hacker can still see it but its encrypted and impossible to understand.

It does not change what the person writes into the form so if the hacker is the one filling out the form of a website. His intention is to insert some input lets say in the name field in order that the application is fooled to think that the input is part of the code. In this way a hacker can make the application spit out information that is should not give out.
It does not matter if the page uses SSL or not this can be done with both. Since the hackers input is encrypted when he sends it and decrypted into exactly the same input as he put in originally when it come back to the webpage.
The result is that every injection attack is possible in a page using HTTPS.

In a nutshell SSL sets a small security layer for the users for the site but none for the websites and database. We recommend you use it but you need much more for to have a secure site.



Contact us