Extended validation SSL
March 2007
Tim Moses (chair, CA / Browser Forum)
© Copyright Entrust, Inc

Overview
– Browser security
– Site authentication
– The history of SSL
– Extended validation in the browser
– Extended validation certificates
– Not a silver bullet

There’s a problem with the Web
Gartner reports …
– From mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft, an increase of more than 50 percent from the estimated 9.9 million in 2003
– The average loss of funds in a case of identity theft was $3,257 in 2006, up from $1,408 in 2005
– An average of 61 percent of funds were recovered in 2006, down from 87 percent in 2005

New phishing sites
(chart; source: Morgan Keegan/UBS, Jul 2006)

Web vulnerabilities
– Malicious code
– HTTP proxy caching
– Cross-site scripting
– Man-in-the-middle
– Site impersonation
– ISP eavesdropping
– DNS caching
– Local area eavesdropping

First-party accreditation
– Self-signed SSL certificate
  – Trust dialog
  – Help-desk calls
– Security toolbar

Browser toolbars

Third-party accreditation
– SSL certificates
The early years (mid 90s)
– Threats to the Web
  – Site defacement
  – ISP eavesdropping
– Netscape developed SSL
– Simple trust indicators
  – Look for the golden key or padlock to check that you are safe
– Computer-literate users
– URL that reflects the name of the organization
– Common issuing practices
  – VeriSign Class 3
– Although …
  – There were no strict criteria for the use and management of roots in browsers

Mid-life (2000 – 2001)
– ABA [1] developed PKI Assessment Guidelines
– Audit profession recognized a need for criteria
– AICPA [2] & CICA [3] audit criteria: “WebTrust for CAs”
– Similar standard in Europe: ETSI [4] TS
– Adopted by Microsoft as a requirement for including roots in Windows
  – Other browser suppliers followed Microsoft’s lead
– But …
  – There were serious omissions
  – They do not specify what identifying information has to be included in a certificate
  – Or how to validate that that information is correct
  – Users are supposed to review the CPS
[1] American Bar Association
[2] American Institute of Certified Public Accountants
[3] Canadian Institute of Chartered Accountants
[4] European Telecommunication Standards Institute
The SSL certificate marketplace
(chart: rigour, meaning cost, delay and inconvenience, plotted against price; GoDaddy, GeoTrust, VeriSign, Entrust)
– Other CAs: Comodo, CyberTrust, DigiCert, Ipsca, Notaris, QuoVadis, Trustis, XRamp
– All certificates cause the lock to display
– Domain-validated certificates
– Organizationally-validated certificates

Trust indicators
– Yellow address bar
– Golden padlock

Evidence of a problem
– Domain-validated SSL certificates have been issued to phishing sites
– User confusion
  – Does the golden padlock mean I’m secure?
  – Does SSL provide authentication or just confidentiality?

CA / Browser Forum (2005)
– Major CAs and browser suppliers got together
– Formed the CA / Browser Forum
– Objective: improve trustworthiness of the Web
– Project to develop certificate issuance guidelines for new browser trust indicators
– Microsoft has adopted an interim draft of the CABForum guidelines as the criteria for inclusion in their root embedding program

IE7 phishing filter and EV SSL
(address-bar states: phishing, suspected phishing, HTTP, HTTPS, EV)

IE7 UI details
– Green address bar
– Golden padlock
– Assumed name, registered name and country alternating with the issuer’s name

Opera 9

The SSL marketplace after EV (two points of view)
– Very high threshold vs. moderate threshold
– Conventional SSL vs. EV SSL
EV certificate
– Identified by …
  – Particular certificate policy identifier
– Verified contents …
  – Registered name, e.g. ACE Aviation Holdings Inc
  – Assumed name, e.g. Air Canada
  – Domain name
  – Place of business address
  – Jurisdiction of incorporation
  – Registration number
– Note: the CA must also retain verified name and contact details for the applicant
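The two things the slide says identify an EV certificate, a particular policy OID and the verified subject fields, as an added Go example that is not part of the presentation: it self-signs a constructed certificate carrying those fields and checks it as a relying party would. Assumptions: the subject attribute OIDs (serialNumber 2.5.4.5, businessCategory 2.5.4.15, jurisdictionOfIncorporationCountryName 1.3.6.1.4.1.311.60.2.1.3) are taken from the later published EV Guidelines, and the EV policy OID is a placeholder because each CA publishes its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
)

// Subject attribute OIDs assumed from the published EV Guidelines (the slide names the fields only in prose).
var oidSerialNumber = asn1.ObjectIdentifier{2, 5, 4, 5}
var oidBusinessCategory = asn1.ObjectIdentifier{2, 5, 4, 15}
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
var DemoEVPolicy = asn1.ObjectIdentifier{1, 2, 3, 4, 99, 1} // constructed placeholder: each CA publishes its own
// IsEVCandidate applies the slide's two tests: the CA's EV policy OID is present and the verified subject fields
// (registered name, country, registration number, business category, jurisdiction) are all non-empty.
func IsEVCandidate(cert *x509.Certificate, evPolicy asn1.ObjectIdentifier) bool {
	seen := map[string]bool{}
	for _, atv := range cert.Subject.Names { // the parsed subject, including non-standard attributes
		if s, ok := atv.Value.(string); ok && s != "" {
			seen[atv.Type.String()] = true
		}
	}
	return slices.ContainsFunc(cert.PolicyIdentifiers, evPolicy.Equal) &&
		len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0 && seen[oidSerialNumber.String()] &&
		seen[oidBusinessCategory.String()] && seen[oidJurisdictionCountry.String()]
}
// BuildDemoCert self-signs a constructed certificate with the EV subject attributes and a hand-encoded
// certificatePolicies extension (so the block does not depend on a particular Go release's policy field).
func BuildDemoCert() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.com",
		Organization: []string{"ACE Aviation Holdings Inc"}, Country: []string{"CA"},
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidSerialNumber, Value: "000123456"},
			{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionCountry, Value: "CA"}}}}
	// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
	polDER, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{DemoEVPolicy}})
	tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, _ := BuildDemoCert()
	fmt.Println("EV candidate:", IsEVCandidate(cert, DemoEVPolicy))
}
```

The check covers only the certificate's own contents; chain building to an EV-enabled root and revocation (the OCSP point on a later slide) are separate steps.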
Verification requirements
– Legal existence
  – Government registry
– Operational existence
  – Trade accounts
  – Bank letter
  – Legal opinion
  – Accountant’s letter
– Physical existence
  – Trade accounts
  – Site visits
– Domain name
  – WHOIS
  – Practical demonstration

Other requirements
– Revocation
  – Browsers will check for revocation by default, using OCSP, once “stapling” becomes widely available
– Identification and authentication of requestor/approver
– Verification of authority of requestor/approver
– Warranty by CA to subscribers, users and browser suppliers
– Errors and omissions insurance

It’s no good if users don’t check!
– EV sites place this graphic on their publicity material, including the Web site
– The message isn’t ‘if you see green you are safe’
– It just reminds the user to check the site identity in the location bar

It’s not foolproof – picture-in-picture

Conclusion
– Browser security has significant shortcomings
– EV SSL represents a dramatic improvement
– It isn’t foolproof
– User awareness remains a critical issue
– Initial marketplace reaction appears positive
For more information: