Aug
Using SSL To Improve Internet Security – A Simple Idea
Posted by jerry as Security, technology
I was headed out with my son today to one of the local jump/bounce places for the birthday party of a neighborhood kid. Having been to these places before, I know that they generally offer free wifi access. I packed up my laptop, thinking that I could work on some web site issues I have been trying to fix.
I got to thinking about the risks of someone sniffing my logins to the sites. That reminded me of a post I wrote recently about an idea to conserve IP addresses. Most of my sites are hosted on a shared IP address on my server. I simply don’t have enough IP addresses to cover all of my sites. Without dedicating an IP address for each, using SSL is simply not possible.
The vast majority of web sites do not have SSL capabilities, in the same way that mine do not. At the same time, the instances of hacking, snooping and data theft are spiraling out of control. As well, the “Starbucks” culture of camping out in a restaurant to surf the web on a laptop is growing, leading to many more opportunities for the trivial capture of passwords and other sensitive data.
Certainly, financial data such as credit cards and logins to financial institutions are generally well protected by SSL. The types of information that can be lost at the local coffee shop are more likely to be a Facebook username and password, or the username and password to a webmail account. Useful to the hacker, and damaging to the victim, but not at the same level of severity as a credit card number.
So, in a nutshell, modifying the SSL protocol to allow for the negotiation of the requested domain *before* the SSL tunnel is established has another advantage – allowing sites on shared IPs to use SSL to protect the private information of the users of a site.
It seems to me that the certificate authorities would jump at supporting this idea – it opens a substantially large new market.