How Do You Spell, S-E-C-U-R-E Communication on the Internet?

Discussion in 'Internet Security' started by Dan Allen, Oct 11, 2015.

  1. Dan Allen (Administrator, Founder)

    We know for an absolute fact that communicating over the internet can be absolutely private. Otherwise, online banking would not work.

    What Is The Formula for Secure Communication on the Internet?
    For communications to be absolutely secure, this is what you need:
    1. Encryption of the messages going back and forth between your computer and whomever you are communicating with
    2. Authentication that the other end of the line is who you think it is.
    No one can translate encrypted messages to something humans can understand without the encryption key. When it comes to your browser, that means no one can read the messages except your browser and the server you are communicating with. If your browser says https:// in the address bar, then your browser traffic is encrypted.

    Authentication of Who Is At The Other End of the Line
    Authentication is accomplished by third-party ssl certificates. Basically, there are a small number of companies that have been certified by the Internet Gods to issue encryption keys, called SSL Certificates. Websites have to buy these certificates, and put the certificate onto the server to which they have been issued. When a browser sends a request to the internet for a site with https://, it gets the encryption key from the webserver and then, behind the scenes, sends a message to the certificate issuer, and says, "Yo, is this certificate legitimate?" The certificate issuer uses the encryption key from the certificate to look in its private database to see if all the details of the deal match their records. Making a fake certificate doesn't work, because you cannot put a fake entry into the certificate issuer's database.

    Question: If your communication is encrypted and you are certain of who is at the other end of the communication, how can your communication be read by anyone else? Answer: it can't be read by anyone else.

    This is why browsers go nuts when you access https:// on a web server without a third-party ssl certificate. You can see what I mean by "browser goes nuts" by visiting the plesk installation of our new dev server. You have not been there before, so if you go now, to this link, you will get browser warnings. Chrome makes it look dire:

    To get to the plesk installation, you have to click Advanced, which brings up this frightening message:

    What that note does not say is this true statement,

    This may be caused by the fact that Dan did not put a third-party ssl certificate onto this server.

    Proceed to (chance of a problem is less than chance of being hit by lightning during clear weather)

    Real Security
    We need a word for the syndrome that says never to log in as root, because it applies here to a degree. For now, I am calling that syndrome "blind security," referring to security practices followed blindly by enough computer specialists that make them rules that must be followed to avoid contempt or criticism. Blind security is safe, but not always required for security. There are safe exceptions to blind security, available to people who can see what is going on.

    The main thing to know on this topic: http:// is not secure. https:// plus third-party certificate is secure.

    Communications with http:// are in plain text. That means that anyone with access to any link in the connection between a browser and webserver can read everything. That is why passwords are supposed to never be transmitted on http://. Blind security makes a huge deal out of this. I am ambivalent. Can you find any cases of passwords or other sensitive information being stolen by people reading network traffic that is not directed to them? How can someone read network traffic not sent directly to them? The intruder would have to plug into data centers of internet traffic carriers. That requires passwords. Bottom line: the only people who could do this would be employees of internet traffic carriers. Can you find any cases of this happening?

    The real way that network traffic is stolen is that someone gets hold of your password. There are three ways to steal a password:
    1. Get hold of your computer
    2. Trick you into giving it up
    3. Steal data from a webserver that has your password.
    The biggest risk is if you use the same password for a lot of different accounts and websites. If someone steals data from any one of those sites, they would have your password for all of them. That happened to Holly some time ago, and that is why she never uses the same password for multiple accounts.

    *zero-risk practices are security measures that cannot be defeated without the right password. Encrypted web communications are zero-risk, because no one can crack encryption. The reason I say no one can crack encryption is that the best encryption crackers, the National Security Agency, show every sign that they cannot crack encryption on seized computers. It's possible they are running deception on this, not revealing an ability to crack encryption, but there has been no challenge to their public claims of being unable to crack good encryption. When Edward Snowden was blowing the NSA's secrets, a reporter close to Snowden was detained at an airport and his laptop seized. The government coerced this guy to give up the password to his encryption. He never gave it up and the government said they could not read his laptop without it. There is a substantial body of corroborating information along this line and not a single report indicating the contrary. The bottom line is that good encryption cannot be broken, so I am calling use of good encryption a zero-risk security measure. This is why online banking is safe. Communications with the bank are via https:// and the bank's server is authenticated as being the bank's.
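The post describes the browser's certificate check and the "browser goes nuts" warning on a server without a third-party certificate. As an added example (not code from the post or its author), the Go program below performs the same check a browser performs: it builds a signature chain from the certificate the server presents to a root in the local trust store, then matches the certificate's hostname. Everything is constructed in memory: a root CA named "Example Root CA", a certificate it issues for "bank.example", and a self-signed certificate for "dev.example" standing in for a fresh dev server; the hostnames, names and serial numbers are assumptions. The three outcomes are the ones the post walks through: accepted, rejected because the hostname does not match, and rejected because no trusted authority issued it (the case that produces the warning page).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with parentKey (the issuer's key). When parentKey is nil the
// certificate is self-signed with its own freshly generated key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if signer == nil {
		signer = key // self-signed: the subject vouches only for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newTemplate builds a minimal CA or server certificate template (constructed values).
func newTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the hostname the client will compare against
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// verifyServerCert is the client-side check: chain the presented certificate to a
// root in the local trust store and match the hostname. Nothing is sent anywhere.
func verifyServerCert(presented *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown-authority" // the condition behind the browser's warning page
	case errors.As(err, &hostname):
		return "hostname-mismatch"
	default:
		return "other: " + err.Error()
	}
}

// demo runs three verifications against a trust store holding one constructed CA.
func demo() (goodHost, wrongHost, selfSigned string) {
	caTmpl := newTemplate(1, "Example Root CA", true)
	ca, caKey := makeCert(caTmpl, caTmpl, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the "third party" the client already trusts

	bank, _ := makeCert(newTemplate(2, "bank.example", false), ca, caKey)
	devTmpl := newTemplate(3, "dev.example", false)
	dev, _ := makeCert(devTmpl, devTmpl, nil) // self-signed, like a server with no CA-issued certificate

	return verifyServerCert(bank, roots, "bank.example"),
		verifyServerCert(bank, roots, "other.example"),
		verifyServerCert(dev, roots, "dev.example")
}

func main() {
	a, b, c := demo()
	fmt.Println("CA-issued cert, matching host:", a)
	fmt.Println("CA-issued cert, other host:   ", b)
	fmt.Println("self-signed cert:             ", c)
}
```

The trust store is the decisive input: the same self-signed "dev.example" certificate would verify cleanly if its certificate were added to `roots`, which is what happens when an operator imports a dev certificate into a browser's trust store, and why an operator should avoid teaching users to click through the warning instead.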

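The post's second ingredient is encryption, with the claim that encrypted messages cannot be turned back into something readable without the key. As an added example (not from the post), the Go program below uses AES-256-GCM, an authenticated cipher of the kind TLS cipher suites use, to show a property the prose does not spell out: with the wrong key, or with a single flipped bit in the ciphertext, decryption does not yield garbage but is rejected outright, because the authentication tag no longer verifies. The message text and the keys are constructed in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// seal encrypts msg with AES-256-GCM under key and prepends the random nonce.
func seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// unseal reverses seal. GCM's authentication tag makes it fail, rather than
// return garbage, when the key is wrong or the ciphertext has been modified.
func unseal(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// randomKey returns a fresh 256-bit key from the OS random source.
func randomKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// demo returns the plaintext recovered with the right key, and whether
// decryption was rejected with a wrong key and with a tampered ciphertext.
func demo() (plain string, wrongKeyRejected, tamperRejected bool) {
	key, wrong := randomKey(), randomKey()
	msg := []byte("pay 100.00 to account 42") // constructed sample message
	box, err := seal(key, msg)
	if err != nil {
		panic(err)
	}
	got, err := unseal(key, box)
	if err != nil {
		panic(err)
	}
	_, errWrong := unseal(wrong, box)
	tampered := append([]byte(nil), box...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, errTamper := unseal(key, tampered)
	return string(got), errWrong != nil, errTamper != nil
}

func main() {
	plain, wrongRejected, tamperRejected := demo()
	fmt.Printf("right key: %q\n", plain)
	fmt.Println("wrong key rejected:", wrongRejected, "| tampering rejected:", tamperRejected)
}
```

The rejection on tampering is the reason "encryption plus authentication" is stated as a pair in the post: confidentiality alone would not tell the receiver that a message had been altered in transit.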