The Dirty Little Secret of the Internet. Jothy Rosenberg, Chief Technology Officer & Co-founder. November 2001.

The Dirty Little Secret Exposed

People know about the lock symbol. It means "my credit card is safe"... but they assume too much about who it is being given to. SSL, the technology behind the lock, involves authentication of the certificate holder (the business operating the server) AND encryption of the sensitive information. But:
1. No one knows about the authentication part, and not knowing is very dangerous.
2. Authentication by itself is very valuable to even more of the net than encryption.
3. Encryption by itself is also very important, and it can be provisioned faster if only simple authentication is performed.

The Lock Symbol: What It Means... and What It Doesn't

What the lock means:
1. The protocol the browser and server use to communicate all data is SSL, the Secure Sockets Layer.
2. All data transmitted in either direction is encrypted, so a nefarious eavesdropper on the path cannot read it.
3. Your browser recognizes the authority of, and has the public key of, the certificate authority that issued and signed the server's certificate.
4. The certificate authority has checked that the party it issued the certificate to controls the domain name in the certificate, and that the domain is legitimately registered.
What it does not mean: that the business named on the Web page is the business the certificate was issued to. That identity is in the certificate, but the lock does not show it.

The Lock Symbol: How It Works

1. The user's browser accesses a secure site, one whose URL begins with https: instead of http:.
2. The browser sends the server its SSL version number and cipher settings.
3. The server responds with the site's SSL certificate, along with the server's SSL version number and cipher settings.
4. The browser examines the server's certificate and verifies that:
– the certificate is well formed and the current date falls within its validity period,
– the CA that signed the certificate is one of the trusted CAs built into the browser,
– the issuing CA's public key, built into the browser, validates the issuer's digital signature on the certificate,
– the domain name in the certificate matches the domain name the browser is currently visiting.
5. The browser generates a unique random secret for this connection (the pre-master secret, from which the session keys are derived).
6. The browser encrypts that secret with the site's public key, taken from the certificate, and sends it to the server.
7. The server decrypts it using its own private key; both sides now derive the same symmetric session keys.
8. Browser and server each send the other a message announcing that everything from here on is encrypted.
9. The SSL session is established, and all messages are sent using symmetric encryption, which is much faster than public-key encryption.

No lock symbol means no security and no encryption. No one knows to click here. If anyone ever checked, the site's business identity cannot be verified. This is the standard way to access a Web site, over a non-secure connection. Example: I want to book and buy a ticket online.

OK, I'm ready to purchase and give my credit card... to United, right? It really is United, right? The lock symbol appears because I am about to enter credit card information, but, unbeknownst to most everyone, it is clickable. Click 1 shows whom this certificate was issued to. Who is this? And what do they have to do with United Airlines? Click on the Details tab to dig deeper.

You have to dig really deeply into crypto arcana to get to the identity information, such as it is. Click 2 gives access to the contents of the server's digital certificate. The site's business identity is still not available. Click on the Subject field to dig deeper.

We learn the hard way that this is actually not United at all. The Web pages still say United, and yet it's not United. How often is that going on? A lot! Finally, after three clicks, the authenticated identity of the site's business owner is available. It is right after the "O =", and in this case it is GetThere.com, Inc. Intuitive and accessible... NOT. Really usable identity information... NOT. AND IT IS NOT EVEN UNITED AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD TO.
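The three-click dig just described, together with the certificate checks from the "How It Works" slide, as an added example that is not part of the original presentation: a small parser for the DER-encoded Subject of an X.509 certificate that pulls out the O= and CN= attributes, plus the domain-name check a browser makes before it shows the lock. The sample Subject is constructed with the encoder in the same file (it is not a real certificate); the organization string "GetThere.com, Inc." is from the slide, while the CN "www.united.example", the C= attribute and the attribute order are assumptions for illustration.

```python
"""Parse an X.509 Subject (DER) and run the browser's domain-name check.
Added example, not code from the presentation: the sample Subject is built with
the encoder below; only the O= value is from the slides, the rest is assumed."""

# ASN.1 universal tags that occur in a Name, and the id-at-* attribute types
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x06, 0x0C, 0x13
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def _tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:              # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN, each RDN a SET of one SEQUENCE {type OID, value}."""
    by_name = {v: k for k, v in OID_NAMES.items()}
    body = b"".join(_tlv(SET, _tlv(SEQUENCE, _encode_oid(by_name[a]) + _tlv(UTF8STRING, v.encode())))
                    for a, v in rdns)
    return _tlv(SEQUENCE, body)

def _read_tlv(buf, pos):
    """Return (tag, contents, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: the next (length & 0x7F) bytes hold the length
        size, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - size:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Walk the Subject and return its (attribute, value) pairs in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            t, oid_body, q = _read_tlv(atv, 0)
            s, value, _ = _read_tlv(atv, q)
            if tag != SEQUENCE or t != OID or s not in (UTF8STRING, PRINTABLESTRING):
                raise ValueError("unexpected AttributeTypeAndValue encoding")
            oid = _decode_oid(oid_body)
            rdns.append((OID_NAMES.get(oid, oid), value.decode("utf-8")))
    return rdns

def hostname_matches(cert_name, hostname):
    """Browser rule: exact match, or a single '*.' standing for exactly one
    left-most label; '*.example' is not allowed to match 'site.example'."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if cert_name.startswith("*.") and "*" not in cert_name[2:]:
        want, have = cert_name.split("."), hostname.split(".")
        return len(want) >= 3 and len(want) == len(have) and want[1:] == have[1:]
    return False

def identity_summary(subject_der, visited_host):
    """What the third click finally shows, plus whether the lock would appear at all."""
    attrs = dict(parse_name(subject_der))   # assumes one value per attribute type
    cn = attrs.get("CN", "")
    return {"organization": attrs.get("O"), "common_name": cn,
            "host_ok": hostname_matches(cn, visited_host)}

# Constructed sample Subject: O= from the slide, CN= and C= assumed for illustration.
SAMPLE_SUBJECT = encode_name([("C", "US"), ("O", "GetThere.com, Inc."), ("CN", "www.united.example")])

if __name__ == "__main__":
    print(identity_summary(SAMPLE_SUBJECT, "www.united.example"))
```

Two caveats a practitioner should carry along: the validity-date and issuer-signature checks from the handshake slide need the rest of the certificate (this parser only covers the Subject), and modern browsers match the visited name against the subjectAltName extension rather than the Subject CN, a change RFC 2818 already recommended; the O= attribute, though, is still exactly where the slide says it is.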

So...

SSL is not about identity. It is about encryption between your browser and some server. Yet, in any transaction, the first and most important question is: WHO am I dealing with? How do we get that done simply, securely and reliably on the Web?

Identity: Why It's So Important

"The concept of trust is crucial because it affects a number of factors essential to online transactions, including security and privacy. Trust is also one of the most important factors associated with branding. Without trust, development of e-commerce cannot reach its potential." -- Cheskin, July 2000

Pure Identity Trust: True Site

A smart icon placed on a Web page (or pages) that indicates the site is legitimate, authentic, and validated, via an active call to a trusted third party. True Site requires only a simple integration by the Web site owner: an HTML tag is added to the page to securely confirm identity and protect against site spoofing. Copying of the seal is prevented. Policing that the seal is installed on a valid site is performed.

The confirmed identity of the site's business owner, with a time stamp, is presented on the TrueSite Seal. No click is required to verify identity, in either secure or unsecure mode. Click to see additional business credentials. Click 1 shows additional business credentials that are valuable to the user and that strengthen the legitimacy and authenticity of the site. Identity must be based on securely tying the site to an authenticated entity. We must take into account that people don't necessarily click. If they do click, the information should be something they can use.

Any image on a Web page can usually be copied with a simple right click. This is how seals are stolen and put on other sites that have no right to them, and it is why most seals have limited value and credibility. It's fundamental to the Web to be open, so normally, if you see it, you can copy it. And because seals are valuable to people, copy them they do.

The TrueSite Seal is unique: it is not stored on the Web site. Its embedded business identity and time stamp are generated dynamically via real-time calls to the GeoTrust global credentials repository. This provides robust copy protection. Seals are abused all over the Web, yet they are still in favor because they offer a hint of credibility and legitimacy through endorsement. But to be valuable, a seal must mean something and must protect itself from abuse.

The TrueSite Seal is unique: since the image is generated on a remote secure server, and since the fully qualified domain name of my Web server is not the correct one, the image is not generated at all. Spoof and poof, gone! Site spoofing, the wholesale copying of an entire site to a new location, usually with changes consistent with the perpetrator's goals, is prevalent. Identity trust will be lost if the mechanism does not protect against such fraud. I spoofed this site to my own personal Web server. (It took less than a minute.)

It's a spoofed site that is NOT 123registration, and they have no control over what I do with these pages, and yet the old-style seal says... nothing wrong!
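The seal mechanism described on the last three slides, as an added example that is not GeoTrust's code: a server-side endpoint that generates the seal contents per request, only when the page embedding it lives on the fully qualified domain name the identity was validated for, and returns nothing (no image) for a copy hosted anywhere else. The slides do not say how the seal server learns which page embedded it; this example assumes the HTTP Referer header, which the client supplies. That defeats right-click copying and the whole-site copy shown above, but an attacker who controls a server can set Referer to anything, so a Referer check alone is a deterrent, not a proof of origin. The credentials table, seal id and domain names are constructed.

```python
"""Dynamic identity seal: generated by a trusted third party on every request,
never stored on the merchant's page. Added example; the repository contents,
seal id, domains and the use of the Referer header are assumptions."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Stand-in for the credentials repository: seal id -> the identity that was
# authenticated for exactly one fully qualified domain name (constructed data).
CREDENTIALS = {
    "seal-1001": {"domain": "www.123registration.example",
                  "organization": "123 Registration, Inc.",
                  "verified_on": "2001-10-15"},
}


def embedding_host(referer):
    """FQDN of the page that requested the seal image, taken from its Referer URL.
    None when the header is missing or unparseable; no seal is drawn in that case."""
    if not referer:
        return None
    try:
        host = urlparse(referer).hostname        # already lower-cased, port stripped
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def render_seal(seal_id, referer, now=None):
    """Decide what the seal server sends back for one image request.
    Returns the seal contents for a legitimate embedding, or None (the image is
    simply not generated) when the id is unknown or the page lives elsewhere."""
    record = CREDENTIALS.get(seal_id)
    if record is None:
        return None
    host = embedding_host(referer)
    # Exact FQDN match only: a copy on spoof.example, or on a sub-domain the
    # registrant never had validated, gets no image at all.
    if host != record["domain"]:
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {
        "organization": record["organization"],
        "domain": record["domain"],
        "credentials_checked": record["verified_on"],
        "generated": stamp,                      # the time stamp shown on the seal
        "text": f"{record['organization']} | {record['domain']} | verified {stamp}",
    }


def seal_decisions(seal_id, referers):
    """Run one seal id against several embedding pages: True where a seal is drawn."""
    return {r: render_seal(seal_id, r) is not None for r in referers}


if __name__ == "__main__":
    cases = [
        "https://www.123registration.example/signup",        # the real site
        "http://spoof.example/123registration/index.html",   # wholesale copy
        "https://other.123registration.example/",            # sub-domain never validated
        None,                                                # Referer stripped by the client
    ]
    for ref, drawn in seal_decisions("seal-1001", cases).items():
        print(f"{str(ref):52} -> {'seal drawn' if drawn else 'no image'}")
```

Because the seal is regenerated on every request, the time stamp on it is the time of the current page view rather than a date baked into a stolen image; a viewer who clicks through can compare it with the clock, which a static seal cannot offer.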

So...

We can create a solid foundation of identity based on real-world authentication. We can deliver this to real users in a simple, useful way. We can protect these mechanisms so that they mean something. And they can and should be used in conjunction with SSL, to identify whom the encrypted transactions go to.

The Dirty Secrets Are Out in the Open

SSL does not provide usable identity, but it is great for encryption. Identity is the most important thing for building trust and brand. Identity does require authentication and will continue to take days (True Site). SSL can be provisioned in minutes (QuickSSL). The combination takes the Internet a critical next step in its evolution.