By Bri Hatch.
Summary: Although SSL does provide an encrypted layer of protection to Web transactions, it is not the answer to every security concern. This week, Bri overviews SSL and casts a critical eye on its advantages and disadvantage.
Anyone who has filed out their personal or billing info online has likely entered it via a 'secure Web server'. You can tell the transmission is secure because the URL reads 'https://...' instead of http. SSL , the secure sockets layer protocol, is the 'S' in HTTPS. 
The beauty of SSL is its integration into most Web browsers, where it invisibly encrypts Web transactions and prevents any attacker in the middle from seeing the data you send and receive. Attackers can see that you are making a connection to the remote system, but not the transmission's content itself. SSL even authenticates the server, so when you hit https://microsoft.com/jobs/stop_bugging_me.asp, you know that you are talking to the Evil Empire and no cracker could be positioned between you, intercepting or modifying the packets.
Unfortunately, many folks look at SSL as the magic answer to all security concerns. Every three months or so, I find myself giving a discussion about what SSL does and does not protect.
That's it, and nothing else. In fact, if you got a warning about a certificate problem and you blindly click, 'Ok, ok, sure, whatever, yeah', then you aren't even guaranteed the above two points.
Now let's see a partial list of things that SSL does not protect you from:
You may feel that many of the things I listed above are obvious. For that matter, you may feel offended that I'd even mention some of them. However I find that people are often confused, and don't realize where the security of SSL begins and ends. This usually results in hours of bickering about security needs before we figure out exactly where the faulty assumptions came from.
 TLS, the Transport Layer Security protocol, is the latest/greatest version of SSL, but it's not as widely available in browsers so most folks still just say SSL. However SSL/TLS is more accurate.
 Now how much you trust the folks who wrote your browser is a different question all together.
Bri Hatch is Chief Hacker at Onsight, Inc, author of Hacking Linux Exposed and Building Linux VPNs, and the maintainer of http://www.stunnel.org, home to Stunnel, the Universal SSL Wrapper. He likes SSL, really. He just doesn't like seeing it abused, mistreated, or expected to cure cancer. Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2002.
This article was first published here in ITworld.com Inc., 118 Turnpike Rd., Southborough, MA 01772 on 23-Apr-2002.