Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2004 VeriSign, Inc. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc.

Published byRoger Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2004 VeriSign, Inc. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc."— Presentation transcript:

1 © 2004 VeriSign, Inc. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc.

2 2 A Quotation “I have seen the future and it has angle brackets.” A Web Services Architect

3 3 More Quotations “Without Trust and Security, Web Services are dead on arrival.” Phillip Hallam-Baker “Unless you fix Internet crime people are not going to be very confident in your ability to secure Web Services.” One of his customers

4 4 Internet Crime + It is real, it is organized, it is for profit + Spam was the start, phishing is the merely the current tactic + Has required a re-evaluation of legacy Internet protocol security + Email was not designed to be secure + Phishing gangs are now exploiting that lack of security + Direct losses due to fraud are hundreds of millions + The cost of lost consumer confidence is potentially much higher + SSL held the line for ten years + During which time little was done to improve the user interface + Introduction of domain authenticated certificates reduced security assurance + IPSEC, DNSSEC don’t really meet the security issues of Internet crime + Designed for very different threats + What is to be done?

5 5 Industry Solution – Retrofit Web Services Architecture + Not acknowledged as such (of course) + Not even an acknowledgement that there is a systematic architecture + But close similarities exist + Example: Web Services Discovery and Protocol Negotiation + XML defines common protocol syntax + XML-Schema defines data structures + WSDL describes message set etc. + WS-Policy allows negotiation of protocol version and features + WS-SecurityPolicy allows negotiation of security context + Fixing Email + Multiple schemes, SPF/Sender-ID, Domain Keys/Identified Internet Mail + But each adds a security policy layer to the existing SMTP protocol + “All legitimate mail from this domain comes from these IP addresses” + “All legitimate mail from this domain is signed”

6 6 Using the DNS for Protocol Policy Distribution + SPF (Sender Policy Framework) stores protocol policy in the DNS + Lightweight & ubiquitous protocol designed for name resolution protocol + Works very well for policy distribution + Has built in caching, time to live + No cryptographic security + But this is now a matter of time due to level of attack + Why not extend to general security policy distribution protocol? + Does this web site support SSL? + Negotiate transparent upgrade using HTTP SSL + Does this email server support SSL? + Always on security + Why not distribute WS-Policy statements via DNS? + We are not there - yet

7 7 Rediscovering the Edge + Traditional Internet architecture regarded firewalls as evil + End-to-end security or nothing + Usually ending up with nothing or next to nothing + Web Services & Web Services Security model embrace firewalls + “Here is the information you need to let me through” + Security architectures to address Internet Crime rediscover the edge + Authenticate email at the domain level + Apply authentication to email at the edge server + Verify authentication at the incoming edge

8 8 ‘Web Services Lite’ + Legacy Internet Protocols packaged in Web Services friendly form + SOAP is not supported + Protocol must be hand coded + Syntax and specification are idiosyncratic + But allow client to answer important questions + What version of the protocol are supported? + What security enhancements are supported? + Is there a pure Web Service connection available? + But acknowledge the fact that edge security is legitimate + Network infrastructure is not abstracted away in security model + End-to-End considered a cop-out, ignoring the real security issues

9 9 What are the Implications for Web Services? + Lessons learned #1 + Its not the technology, it’s the deployment strategy + Lessons learned #2 + Its not the standards body, it’s the constituency of stakeholders + See Lesson #1 + Lessons learned #3 + Make the barriers to entry exceptionally low + See Lesson #1 + Lessons learned #4 + The bad guys attack the system at its weakest point + That is often the consumer + See Lesson #1

10 10 What are the Implications for Web Services? + Web Services Lite is being deployed + SPF/Sender-ID Email authentication has critical mass + Considerable backing for Domain Keys/Identified Internet Mail + Internet crime provides a major forcing function + Expect businesses to sign SMTP mail by default in near future + It would be good to use as much Web Services experience as possible + If only to serve as prototype deployment/sanity check for Web Services + Legacy protocols are in flux, change is possible + Potential downside + It is concluded that the legacy internet protocols are sufficient + No need to move to new platforms such as SOAP + Potential upside + Close many of the security holes that create ‘gotchas’ for Web Services + Co-opt Web Services Lite to provide low barrier to entry for true Web Services

11 11 Beyond EDI with angle brackets + One view of Web Services is to provide ‘frictionless capitalism’ + XML is better than the ASN.1 in EDI because wind resistance of the angle brackets is lower… + Web Services will connect big company to big company + Electronic supply chain + Smaller companies will be bullied into line and forced to comply + Huge benefits for large companies + Smaller companies with no ERM systems to integrate to will get ? + Perhaps there is another approach + Support the small business doing one Web Services transaction a week + Real-Time integration will still require infrastructure

12 12 Web Services without the server + Servers represent a real cost to a small business + Software is expensive, requires specialist coding skills + Maintenance is even more expensive + Have to be on 24/7 + Reliability requires redundant configuration + Clients are cheap + Software is subject to commodity pricing, off the shelf distribution + Client connection is more forgiving, coding errors less disastrous + Email is ubiquitous and inexpensive + With new cryptographic enhancements it is becoming reliably secure

13 13 Proposal: Use Email for the low cost entry point + Example: Electronic Invoicing + Transition will mean that there are multiple speeds: + Large business supports e-Invoice Web Service + Some small businesses and consumers opt to receive invoices by email + Some still receive paper + Some businesses will interface their Web Services to paper + Order received by Web Service, is printed out and sent to Accounts + Some businesses will have tight integration with their ERM system + Some will be using Quicken, QuickBooks or Microsoft Money + Application recognizes message as an invoice + Source is identified as trustworthy + Automatically enter it into the ledger.

14 14 Conclusions + Internet Crime is affecting Web Services + A major effect on consumer and business confidence in the Internet + Requiring redesign of legacy protocols infrastructures + Many features of Web Services are being grafted onto the legacy base + Web Services can benefit from this process + Make use of the secured legacy infrastructures + Use them to lower barriers to adoption + Make Web Services into a mass market technology, not merely EDI mkII

15 © 2004 VeriSign, Inc. Thank You

Download ppt "© 2004 VeriSign, Inc. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc."

Similar presentations

Copyright © 2005 EFT Network, Inc. All Rights Reserved. Automated Recurring Payments Flexible Payment Solution.

Copyright © 2005 EFT Network, Inc. All Rights Reserved. Automated Recurring Payments Flexible Payment Solution.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
A tour of new discovery introducing XpertCapture Your ultimate data capturing solution.

A tour of new discovery introducing XpertCapture Your ultimate data capturing solution.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Cyberbad Where Spam is leading to Phillip Hallam-Baker

Cyberbad Where Spam is leading to Phillip Hallam-Baker
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.

WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Shopping and ORM Solutions

Shopping and ORM Solutions
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.

Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
© 2004 VeriSign, Inc. Secure Letterhead Phillip Hallam-Baker Principal Scientist VeriSign Inc.

© 2004 VeriSign, Inc. Secure Letterhead Phillip Hallam-Baker Principal Scientist VeriSign Inc.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.

PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.
Improving Customer Satisfaction Through Advances in Remote Management Technology Greg Michel Product Manager Quintum Technologies Inc.

Improving Customer Satisfaction Through Advances in Remote Management Technology Greg Michel Product Manager Quintum Technologies Inc.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
INTRANETS DEFINITION (from Cambridge International Dictionary of English) intra- Combining form used to form adjectives meaning 'within' (the stated place.

INTRANETS DEFINITION (from Cambridge International Dictionary of English) intra- Combining form used to form adjectives meaning 'within' (the stated place.
 ENGR 1110 Introduction to Engineering – Cyber Security Allison Holt, Adam Brown Auburn University.

 ENGR 1110 Introduction to Engineering – Cyber Security Allison Holt, Adam Brown Auburn University.

Similar presentations

Ads by Google