2

Particularly ones that are, to some extent, the result of advice given by companies who utilise it, e.g. banks, e-commerce sites etc.

Matt H
  • 464
  • 2
  • 8

4 Answers

5

Popular misconception: If the lock icon is present, the site is secure.

Reality: No way! At best, SSL protects data from interception while in transit. It does not ensure that the endpoint is trustworthy. There is no guarantee about what the endpoint does to the data once it receives it. As Gene Spafford once wrote,

SSL is like using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box.

Also, there are many situations where the lock icon does not guarantee that data will be secure in transit: e.g., CA failure, organizations that put a picture of a lock icon in the page, mixed content, third-party widgets, sslstrip, and many others.

Popular misconception: If the site looks legit, then it probably is.

Reality: Nope. The look of the site is not a good indicator of its security. It is trivial for a phisher to copy the look and feel of the site onto a spoofed site. This is a case where our intuitions from the physical world lead us astray: it is not easy to set up a fake bank storefront that looks legit, with marble columns and all, but it is trivial to set up a fake banking website that looks legit.

Popular misconception: Anything can be hacked.

Reality: This may not be the best way to think about things. It leads to a defeatist attitude that says, why bother worrying about security, if it is always destined to fail? The reality is that some activities are much safer than others, and with a little bit of attention, one can significantly reduce the likelihood of being exposed to security problems.

Popular misconception: Hacking works like in the movies. Hackers are romantic misfit geniuses who can hack into anything with a few minutes of rapid-fire typing.

Reality: In truth, most attacks come from garden-variety criminals who are trying to make a quick buck by stealing, cheating, and defrauding people. They're hardly super-geniuses; the primary job prerequisite is a willingness to steal, cheat, and lie. They tend to be motivated by monetary considerations: they'll go for the quickest, easiest way to make money. In some cases, they may be associated with organized crime. These are not people to look up to or admire.

Popular misconception: Wireless networks are insecure. Criminals sit around in cybercafes trying to hack into your stuff. However, if you're not using wireless, you'll be fine.

Reality: While some 802.11 wireless networks -- primarily open Wifi and WEP-protected networks -- are a significant security risk, it's not quite that bad. Most attacks come from someone on the other side of the world from you, not from a sketchy-looking dude sitting on the other side of the cafe. Not all wireless networks are created the same. For instance, your 3G connection on your phone is probably considerably harder to intercept or attack than an open Wifi connection. And, you are definitely at risk even if you are not connected to a wireless network; just because you are connecting over a wired network does not mean you are immune to attack.

D.W.
  • 98,860
  • 33
  • 271
  • 588
3

This is one off the top of my head.

Login page on an HTTP page which POSTs to an HTTPS page is NOT okay

Many websites (including Facebook/Twitter) display the login page on an HTTP page and POST the login credentials to an HTTPS page. This is okay so far as the confidentiality of your credentials is concerned, but only if you are assured that you were not MITM'ed on the login page. Nothing guarantees that.

People cite computational overhead as a reason for not doing SSL on every page. This theory might need reconsideration after empirical results by Google show that SSL/TLS is not computationally expensive any more.

Basically everything else I am going to say further is mentioned in this article: SSL is not about encryption

CodeExpress
  • 2,447
  • 14
  • 10
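The two transport-level points made above, that the login page itself (not only the form's target) must be delivered over HTTPS, and that the sslstrip-style downgrade D.W. lists is what the Strict-Transport-Security header exists to counter, can be turned into a small audit check a site owner can run against their own login page. This is an added example, not code from either answer; the sample HTML, hostnames and headers are constructed for illustration, and the function name `audit_login_page` is my own.

```python
"""Audit a fetched login page for two transport-level pitfalls:
  1. a login form delivered over plain HTTP, even when its action is HTTPS
     (the unauthenticated page can be altered before the POST happens), and
  2. a missing Strict-Transport-Security (HSTS) header on an HTTPS page,
     which leaves the host open to downgrade-to-HTTP attacks such as sslstrip.
Hypothetical example: the page, URLs and headers below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form>, noting its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None, hence the `or ""` below
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of findings (empty means no transport-level issue found).

    page_url: the URL the HTML was actually served from (scheme matters).
    html:     the response body.
    headers:  the response headers as a dict (case-insensitive lookup is done here).
    """
    findings = []
    page_scheme = urlparse(page_url).scheme.lower()

    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        findings.append("no login form (form with a password field) found")

    for form in login_forms:
        # A relative or empty action resolves against the page URL, so the
        # page's own scheme decides where an empty action posts to.
        action_url = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlparse(action_url).scheme.lower()
        if page_scheme != "https":
            findings.append(
                f"login form served over {page_scheme}: the page is not authenticated, "
                f"so the form target (action={action_url}) cannot be trusted"
            )
        if action_scheme != "https":
            findings.append(f"credentials would be posted in cleartext to {action_url}")

    lower_headers = {k.lower(): v for k, v in headers.items()}
    # Browsers ignore HSTS on HTTP responses, so only an HTTPS page can set it.
    if page_scheme == "https" and "strict-transport-security" not in lower_headers:
        findings.append(
            "no Strict-Transport-Security header: browsers will still follow an "
            "http:// URL for this host on later visits"
        )
    return findings


# Constructed sample page: a login form posting to a relative path.
SAMPLE_LOGIN_HTML = """
<html><body>
  <form method="post" action="/auth">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Log in">
  </form>
</body></html>
"""


def demo():
    """Run the audit over the constructed page as served both ways."""
    served_over_http = audit_login_page("http://bank.example/login", SAMPLE_LOGIN_HTML, {})
    served_over_https = audit_login_page(
        "https://bank.example/login",
        SAMPLE_LOGIN_HTML,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    )
    return served_over_http, served_over_https


if __name__ == "__main__":
    for label, result in zip(("http", "https+HSTS"), demo()):
        print(label, "->", result or "no findings")
```

When the page is fetched over plain HTTP the audit reports the form even though `/auth` would resolve to an HTTP URL as well; the first finding is the one the answer above is about, and it would still be raised if the action were an absolute `https://` URL. Serving the same page over HTTPS with an HSTS header yields no findings.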
1

The general public does not know of, and has no concept of, "secure connection", SSL/TLS, secure browsing, encryption or data interception. The general public does not care about how technology works, just what it can do for them. They also consider the interface (e.g. the webpage) to be the sole part of the application, with nothing running behind it. They have no concept of backend services.

The greatest misconception the public has is that even strong security systems can be easily circumvented by a skilled hacker. I get constantly asked whether I could hack into Gmail, a bank, the government, the police, whatever. I simply reply that they watch too many movies, that in reality it is much more difficult and requires a lot of dedicated work, with the chances of a successful hack being extremely low.

Also relevant: https://xkcd.com/932/

Matrix
  • 4,028
  • 14
  • 25
1

There is one misconception held, not by the "general public", but many people more or less involved in security. It says that: "SSL/TLS has been broken so many times, it is inherently weak".

In reality, SSL/TLS is the most scrutinized transport protocol; whenever some cryptographer thinks about a new way to do chosen ciphertext attacks or things like that, he tries to see if SSL is impacted. Much more rarely will he look at other protocols such as SSH. Thus, if SSL/TLS is the most repaired protocol, it is also the most robust because it has been checked against all known attacks.

Also, many attacks on SSL are actually attacks on X.509, the kind of certificate used by SSL; and most of these attacks are not intrinsic to X.509 but to how common OS/browser vendors handle it (i.e. they allow shady-looking CAs to be considered as "trust anchors"). Quite a few of the people who utter the "SSL is broken" mantra are in fact using it as a slogan to channel their refusal of the economic model used by the existing Certification Authorities, so this is politics and very far from the technical merits (or lack thereof) of the SSL/TLS protocol itself.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955