Indeed, thanks to item 3 we can be fairly confident that our browser is talking to the server we want. And everything is encrypted with protocols good enough to be sure that no one is eavesdropping on our conversation. Why not celebrate a resounding victory over hackers of all shapes and sizes? Unfortunately, there are reasons not to.
Firstly, if the user is working from a computer that is not under the user’s control (for example, one in an internet cafe or one infected with a virus), then the user cannot be sure of the answers to any of the following questions:
1) Who is on the other side of the communication? If it is not your computer, you cannot know what changes were made to its software. You cannot be sure that the list of trusted certificates on this computer is intact and doesn’t contain changes you did not authorize. So the computer may end up trusting any hacker’s site.
2) Is the user’s traffic being eavesdropped on? If the computer is not yours or it is infected, there are several ways your data exchange can be read:
- A keylogger may be installed that reads what you type on the keyboard, including web-bank credentials if your bank accepts them as keystrokes.
- Software may be installed that reads data before it gets encrypted or after it is decrypted.
- If your trusted root certificates have been modified, you may be subjected to so-called HTTPS forward inspection, which lets the hacker read traffic between you and your “secure” server.
3) Is that really the server the user wants to communicate with? Again, your trusted certificates list may have been changed, and even when connecting to a rogue server you won’t receive any warnings.
So the solution is obvious: do not work with important information on a computer that doesn’t belong to you, be careful about viruses, and do not let anyone access your computer. But there are threats even to people who understand and follow these rules:
1) The user can go to the wrong site by mistyping the address or following a rogue link. Suppose you go to https://www.mlcrosoft.com: it’s not always easy to distinguish it from https://www.microsoft.com, which is the right URL. And mlcrosoft.com (with L instead of i) may belong to a hacker who bought a proper certificate for the site. Proper here means that it is registered to mlcrosoft.com and is issued by a trusted certification authority like VeriSign. So if you go to the fake site you won’t be given any warning and may easily post your credentials or your data to the hacker.
2) The site itself may be hacked even if it really is the official one. So even when accessing the right site with a proper certificate you may be harmed by it.
3) Even your own computer may be infected by a virus, which prevents the protection from protecting anything.
So take care of your data and try to follow these simple rules, at least when you are working with sensitive data:
1) Do nothing with sensitive data on computers that don’t belong to you.
2) Do not allow other people to get physical access to your computer, or access with administrative privileges over the network. From this rule follows the need to keep a strong password, install and maintain a firewall solution, etc.
3) Protect your computer from malware as far as possible.
4) When accessing a site, always check the URL thoroughly. Most modern browsers help with this by highlighting the high-level domain name of the site, so that you can now clearly see that you are accessing www.microsoft.com.hacker.com rather than www.microsoft.com.
5) Do not ignore any warnings about certificate checking errors. Some of them tell you that the site is, at the very least, configured wrongly.
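
The URL check from rule 4, together with the mlcrosoft.com case described earlier, can be automated for links you are about to follow. The following is an added example, not part of the original article: the allowlist, the look-alike character map and the function names are assumptions made for illustration, and it goes slightly beyond the single L-for-i swap by also catching one-character typos.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user actually intends to visit.
TRUSTED = {"microsoft.com"}

# Constructed, deliberately small map of look-alike characters.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def skeleton(name):
    """Collapse look-alike characters so 'mlcrosoft' and 'microsoft' compare equal."""
    return name.lower().translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'embedded-trusted-name', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # 1. The trusted name must be the rightmost part of the host.
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    for good in TRUSTED:
        # 2. Trusted name used as a prefix label of someone else's domain.
        if "." + good + "." in "." + host + ".":
            return "embedded-trusted-name"
        # 3. Assumption: approximate the registered domain by taking as many
        #    trailing labels as the trusted name has (no Public Suffix List).
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        if edit_distance(skeleton(tail), skeleton(good)) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/", "https://www.mlcrosoft.com/",
              "https://www.microsoft.com.hacker.com/login", "https://example.org/"):
        print(f"{classify(u):22} {u}")
```

A valid certificate does not change any of these verdicts: the check looks only at the host name, which is exactly the part a certificate for mlcrosoft.com would legitimately match.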