Published byJavier Skiffington
Extended validation SSL
March 2007
Tim Moses (chair, CA / Browser Forum)
© Copyright Entrust, Inc

Overview
- Browser security
- Site authentication
- The history of SSL
- Extended validation in the browser
- Extended validation certificates
- Not a silver bullet
There’s a problem with the Web
Gartner reports …
- From mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft
  – an increase of more than 50 percent from the estimated 9.9 million in 2003
- The average loss of funds in a case of identity theft was $3,257 in 2006
  – up from $1,408 in 2005
- An average of 61 percent of funds were recovered in 2006
  – down from 87 percent in 2005
New phishing sites (chart; source: Morgan Keegan/UBS, Jul 2006)
Web vulnerabilities
- Malicious code
- HTTP proxy caching
- Cross-site scripting
- Man-in-the-middle
- Site impersonation
- ISP eavesdropping
- DNS caching
- Local area eavesdropping
First-party accreditation
- Self-signed SSL certificate
  – Trust dialog
  – Help-desk calls
- Security toolbar
Browser toolbars (screenshots)
Third-party accreditation
- SSL certificates
The early years (mid 90s)
- Threats to the Web
  – Site defacement
  – ISP eavesdropping
- Netscape developed SSL
- Simple trust indicators
  – Look for the golden key or padlock to check that you are safe
- Computer-literate users
- URL that reflects the name of the organization
- Common issuing practices
  – VeriSign Class 3
- Although …
  – There were no strict criteria for the use and management of roots in browsers
Mid-life (2000 – 2001)
- ABA (American Bar Association) developed PKI Assessment Guidelines
- Audit profession recognized a need for criteria
- AICPA (American Institute of Certified Public Accountants) & CICA (Canadian Institute of Chartered Accountants) audit criteria: “WebTrust for CAs”
- Similar standard in Europe: ETSI (European Telecommunication Standards Institute) TS
- Adopted by Microsoft as a requirement for including roots in Windows
  – Other browser suppliers followed Microsoft’s lead
- But …
  – There were serious omissions
  – They do not specify what identifying information has to be included in a certificate
  – Or how to validate that that information is correct
  – Users are supposed to review the CPS
The SSL certificate marketplace
(Chart: price against rigour (= cost, delay, inconvenience), positioning GoDaddy, GeoTrust, VeriSign and Entrust)
- Other CAs: Comodo, CyberTrust, DigiCert, Ipsca, Notaris, QuoVadis, Trustis, XRamp
- All certificates cause the lock to display
- Domain-validated certificates
- Organizationally-validated certificates
Trust indicators
- Yellow address bar
- Golden padlock
Evidence of a problem
- Domain-validated SSL certificates have been issued to phishing sites
- User confusion
  – Does the golden padlock mean I’m secure?
  – Does SSL provide authentication or just confidentiality?
CA / Browser Forum (2005)
- Major CAs and browser suppliers got together
- Formed the CA / Browser Forum
- Objective – Improve trustworthiness of the Web
- Project to develop certificate issuance guidelines for new browser trust indicators
- Microsoft has adopted an interim draft of the CABForum guidelines as the criteria for inclusion in their root embedding program
IE7 phishing filter and EV SSL
(Screenshot: address-bar states for Phishing, Suspected phishing, HTTP, HTTPS and EV)
IE7 UI details
- Green address bar
- Golden padlock
- Assumed name, registered name and country alternating with the issuer’s name
Opera 9 (screenshot)
The SSL marketplace after EV (two points of view)
(Chart: conventional SSL against EV SSL, seen either as a very high threshold or as a moderate threshold)
EV certificate
- Identified by …
  – Particular certificate policy identifier
- Verified contents …
  – Registered name, e.g. ACE Aviation Holdings Inc
  – Assumed name, e.g. Air Canada
  – Domain name e.g.
  – Place of business address
  – Jurisdiction of incorporation
  – Registration number
Note: The CA must also retain verified name and contact details for the applicant
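An added example (not from the slides, nor CA/Browser Forum code) of how a browser-side check could turn the verified-contents list above into a display decision: it assumes subjects in the tuple shape Python's ssl getpeercert() returns, assumes OpenSSL long attribute names, and uses a constructed placeholder policy OID in place of a real CA's EV identifier.

```python
"""Classify a certificate subject as EV / OV / DV (added example, not from the slides).

Subjects use the tuple-of-tuples shape ssl.SSLSocket.getpeercert()["subject"] returns,
with OpenSSL long attribute names (assumed). Policy OIDs are passed separately since
getpeercert() does not expose that extension; EV_POLICY_OIDS is a constructed
placeholder under the 2.999 example arc, not any real CA's EV identifier."""
from typing import Dict, Iterable, Tuple

Subject = Tuple[Tuple[Tuple[str, str], ...], ...]
EV_POLICY_OIDS = frozenset({"2.999.1.1"})  # constructed placeholder

# Verified contents from the "EV certificate" slide (assumed name is optional).
EV_REQUIRED_ATTRS = (
    "organizationName",         # registered name
    "localityName",             # place of business address
    "countryName",              # place of business address
    "jurisdictionCountryName",  # jurisdiction of incorporation
    "serialNumber",             # registration number
)


def flatten_subject(subject: Subject) -> Dict[str, str]:
    """Collapse the RDN tuple-of-tuples into an attribute -> value dict."""
    return {name: value for rdn in subject for name, value in rdn}


def classify(subject: Subject, policy_oids: Iterable[str]) -> Tuple[str, Tuple[str, ...]]:
    """Return (class, missing EV attributes); class is 'EV', 'OV' or 'DV'.

    All three classes light the padlock; only 'EV' should drive the green bar,
    and that needs both the policy identifier and the full verified identity,
    so a policy OID on a thin subject (or the reverse) is downgraded to OV.
    """
    attrs = flatten_subject(subject)
    missing = tuple(a for a in EV_REQUIRED_ATTRS if not attrs.get(a))
    if not missing and EV_POLICY_OIDS.intersection(policy_oids):
        return "EV", ()
    if attrs.get("organizationName"):
        return "OV", missing
    return "DV", missing


# Constructed sample subjects; the registered/assumed names are the slide's own example.
EV_SAMPLE: Subject = (
    (("countryName", "CA"),), (("localityName", "Montreal"),),
    (("jurisdictionCountryName", "CA"),), (("serialNumber", "000000"),),
    (("organizationName", "ACE Aviation Holdings Inc"),),
    (("organizationalUnitName", "Air Canada"),), (("commonName", "example.com"),),
)
OV_SAMPLE: Subject = ((("countryName", "CA"),), (("localityName", "Toronto"),),
                      (("organizationName", "Example Org"),), (("commonName", "example.com"),))
DV_SAMPLE: Subject = ((("commonName", "example.net"),),)
```

Running classify(EV_SAMPLE, ["2.999.1.1"]) yields ("EV", ()), while the same subject with an unrecognised OID, or the OV sample with the EV OID, falls back to "OV" together with the attributes a CA would still have to verify.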
Verification requirements
- Legal existence
  – Government registry
- Operational existence
  – Trade accounts
  – Bank letter
  – Legal opinion
  – Accountant’s letter
- Physical existence
  – Trade accounts
  – Site visits
- Domain name
  – WHOIS
  – Practical demonstration
Other requirements
- Revocation
  – Browsers will check for revocation by default, using OCSP, once “stapling” becomes widely available
- Identification and authentication of requestor/approver
- Verification of authority of requestor/approver
- Warranty by CA to subscribers, users and browser suppliers
- Errors and omissions insurance
It’s no good if users don’t check!
- EV sites place this graphic on their publicity material, including the Web site
- The message isn’t ‘if you see green you are safe’
- It just reminds the user to check the site identity in the location bar
It’s not foolproof – picture-in-picture (screenshot)
Conclusion
- Browser security has significant shortcomings
- EV SSL represents a dramatic improvement
- It isn’t foolproof
- User awareness remains a critical issue
- Initial marketplace reaction appears positive
For more information: