
Internet security using SSL

SSL is a protocol (language) that describes how a client (your PC) and a server (the web site) can communicate safely and securely. SSL uses a variety of standard encryption algorithms, including the government and banking standard DES and several algorithms from RSA, including RC4.

SSL secures the data by enabling the client/server to securely exchange a secret number known as a ‘Master_Key’. In general the larger the size of the key, the more secure the SSL-enabled application will be.

After the key is securely shared, the client and server use this to create a different set of keys called ‘Session Keys’. These keys are used with a specified cryptographic algorithm to encode and decode the contents.

The current SSL implementation also limits the lifetime of the key to no more than 100 seconds. The Session Keys are only ever valid for a single communications session.
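An added example, not taken from the original page or from Netscape: how per-connection session keys can be derived from a shared master key, following the SSL 2.0 key-derivation rule for its RC4/MD5 ciphers. The page does not say which SSL version it describes, so the choice of SSL 2.0, the function names and the sample values are assumptions; the 40-bit case models an export cipher, where 88 of the master key's 128 bits travel unencrypted.

```python
import hashlib

def ssl2_session_keys(master_key: bytes, challenge: bytes, connection_id: bytes):
    """Return (client_read_key, client_write_key) for one connection.

    SSL 2.0 rule for the RC4-128/MD5 cipher kinds:
      KEY-MATERIAL-n = MD5(MASTER-KEY || ASCII digit n || CHALLENGE || CONNECTION-ID)
    CHALLENGE is the client's nonce and CONNECTION-ID the server's, so both
    sides contribute fresh data to every connection.
    """
    def key_material(n: bytes) -> bytes:
        return hashlib.md5(master_key + n + challenge + connection_id).digest()
    return key_material(b"0"), key_material(b"1")

def export40_master_key(clear_key_data: bytes, secret_key_data: bytes) -> bytes:
    """Build the 128-bit master key of a 40-bit export cipher.

    88 bits (CLEAR-KEY-DATA) are sent unencrypted; only 40 bits
    (SECRET-KEY-DATA) are protected by the server's public key.
    """
    if len(clear_key_data) != 11 or len(secret_key_data) != 5:
        raise ValueError("export40 needs 11 clear bytes and 5 secret bytes")
    return clear_key_data + secret_key_data

def keys_to_search(secret_bytes: int) -> int:
    """Number of candidate keys an exhaustive search must cover."""
    return 2 ** (8 * secret_bytes)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    master = export40_master_key(bytes(range(11)), b"\xa1\xb2\xc3\xd4\xe5")
    first = ssl2_session_keys(master, b"C" * 16, b"S" * 16)
    second = ssl2_session_keys(master, b"c" * 16, b"s" * 16)
    print("connection 1:", first[0].hex(), first[1].hex())
    print("connection 2:", second[0].hex(), second[1].hex())
    print("same master key, different session keys:", first != second)
    print("40-bit search space :", keys_to_search(5))
    print("128-bit search space:", keys_to_search(16))
```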

All the above details increase the security of the data which is transmitted, so..

 

How secure is it?

To compromise the security of SSL you have to be able to find or guess the key for a given session, and with a 40-bit key, guessing is almost impossible. To find the correct key you would have to systematically and exhaustively try every possible key until you found one that allowed you to decode the particular communications session.

Because the keys are valid for only one session, the exhaustive search would produce a key that was only good for decoding one session. You would have to randomly choose one communications session from the millions being sent through the Internet every minute, and hope that it contains information valuable enough to justify the time, effort and money it would take to compromise the session.

 

Cracking the code!

A ‘hacker’ publicly announced that he had cracked the SSL encryption, and that it was not safe. However he claims to have used 111 very fast UNIX workstations and 1 supercomputer to find the 40-bit key that allowed him to decrypt a session that was previously saved off the Internet.

It allegedly took eight days to accomplish the task. To recreate this effort for exploitative or malicious purposes it would cost approximately $10,000 and take the same eight days to decrypt this one session. So, every time you tried to crack a random session it would cost you at least $10,000, and eight days! This does not include the cost of all the workstations and the supercomputer, which are not exactly things you pick up at ‘PC World’..!

The information obtained as a result of decrypting this session was someone's name, address, and a list of items they were trying to purchase online. This information is hardly worth the time and expense it took to obtain it. Even if there had been a credit card number obtained as a result of this attack the value of that card number would, in most cases, be less than $10,000.

 

Can it be made more secure?

There is a 128-bit key that is available, which makes secure-ordering even more secure – however:

New technology is being announced all the time, and you can be assured that the JarreCon web site will use the most secure methods possible to ensure your personal data is not compromised in any way.

 

Questions/Answers regarding secure ordering:

Q: My Credit Card company does not recommend sending my credit card details over the internet – why not?

A: We know some credit card companies do not recommend sending details over the internet, but some also do not recommend placing orders by telephone or fax, and we do this all the time when booking tickets for the cinema, concerts etc!

Unfortunately, like everything in life, if someone wants to get hold of something, with the right equipment and knowledge they can get it. However, it is *very* expensive to do! A technical breakdown of this is in the main section above under ‘Cracking the code!’.

It is best to use your own judgement as to whether it is secure to give your credit card details to someone - in the same way you wouldn't give your details to just anyone over the phone, be vigilant and make sure the web site uses the SSL protocol to send your credit card details.

An easy way to check this is to see if there is a 'lock' image in your browser window. If you are on a secure site (like the secure ordering page at JarreCon) then you will see a complete lock icon. If you do not see this, then the page is insecure and could compromise your data!

 

Q: I am still unhappy about sending my details over the Internet – how do I order tickets for JarreCon ’98?

A: There is an order form specifically for postal / fax orders, or you can telephone your order in. The number is on the same page (use the link above).

If you have any more questions about secure ordering, then don’t hesitate to Email us at: jarrecon@jarre.force9.co.uk

 

Page compiled from information on the Netscape web site (http://www.netscape.com), and general information. Thanks to Harrie Reinders and Paul Smith for their input.

 
