The Dirty Little Secret of the Internet

Transcript and Presenter's Notes

1
The Dirty Little Secret of the Internet
  • Jothy Rosenberg
  • Chief Technology Officer and Co-founder
  • November 2001

2
The Dirty Little Secret Exposed
  • People know about the lock symbol
  • It means "my credit card is safe", but they assume
    too much about who it is being given to!
  • SSL, the technology behind the lock, involves
    authentication of the business AND encryption of
    the sensitive info
  • But
  • No one knows about the auth part, and not knowing
    is very dangerous
  • Auth by itself is very valuable to even more of
    the net than encryption
  • Encryption by itself is also very important, and
    can be provisioned faster if only a simpler form of
    auth is performed

3
The Lock Symbol: What It Means and What It Doesn't
  • The protocol the browser and server will use to
    communicate all data is SSL (Secure Sockets
    Layer).
  • All data transmitted in either direction will be
    encrypted so as to prevent any nefarious
    eavesdropper.
  • Your browser recognizes the authority of, and has
    the public key of, the certificate authority that
    issued and signed the server's certificate.
  • The certificate authority has checked the server's
    web domain, and it is indeed a legitimately
    registered web domain.

4
https//www.llbean.com/cgi-bin/ncommerce3/OrderIte
mDisplay
  • Users browser accesses a secure site one that
    begins with https instead of http ?
  • Browser sends the server its SSL version number
    and cipher settings ?
  • Server responds with the sites SSL certificate
    along with servers SSL version number and cipher
    settings ?
  • Browser examines servers certificate and
    verifies
  • Certificate is valid and has a valid date,
  • CA that signed the certificate is a trusted CA
    built into the browser
  • Issuing CAs public key built into browser
    validates issuers digital signature
  • Domain name in certificate matches the domain
    name the browser is currently visiting

The Lock Symbol How It Works
  • Browser generates a unique session key to encrypt
    all communications
  • Browser encrypts session key with the sites
    public key and sends it to the server ?
  • Server decrypts session key using its own private
    key
  • Browser and server each generate message to the
    other informing that messages will hereon be
    encrypted ??
  • SSL session is established and all messages are
    sent using symmetric encryption (faster than PKI)
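
The verification step described above, carried through end to end with Go's standard library, as an added example that is not part of the original presentation or of any GeoTrust product. A local root CA and leaf certificates are generated fresh on every run, so nothing here is a real certificate; the names www.itn.net and "GetThere.com, Inc." are the ones slides 6 through 8 dig out of the browser's certificate dialog, while the CA names, validity windows and visited host names are constructed. The same certificate that passes when the browser is visiting www.itn.net is rejected when the address bar says www.united.com, which is exactly the binding the lock symbol does and does not give you.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Keys and certificates are generated fresh on every run; only the names
// www.itn.net and "GetThere.com, Inc." are taken from the slides.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a key for tmpl and has parent sign it; nil parent = self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA makes a self-signed root: the analogue of a CA "built into the browser".
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueServerCert has a CA sign a certificate for one DNS name; Subject O= is the business identity.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName, org string, notBefore, notAfter time.Time) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{org}},
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// browserCheck is the slide's verification step: validity period, issuer in the trust store,
// issuer signature, and the certificate's name against the host the browser is visiting.
func browserCheck(cert *x509.Certificate, trusted *x509.CertPool, visitedHost string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: visitedHost, CurrentTime: now})
	var hostErr x509.HostnameError
	var invalidErr x509.CertificateInvalidError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil: // lock shown; the only business identity on offer is whatever the CA put in O=
		return "ok, certificate names business: " + cert.Subject.Organization[0]
	case errors.As(err, &hostErr):
		return "rejected: name mismatch"
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		return "rejected: outside validity period"
	case errors.As(err, &authErr):
		return "rejected: issuer not trusted"
	}
	return "rejected: " + err.Error()
}

// runScenarios builds a local CA plus leaf certificates and exercises each check.
func runScenarios() map[string]string {
	now, org := time.Now(), "GetThere.com, Inc."
	ca, caKey := newCA("Example Root CA", now)
	otherCA, otherKey := newCA("Unknown CA", now) // not in the browser's trust store
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	good := issueServerCert(ca, caKey, "www.itn.net", org, now.Add(-time.Hour), now.Add(24*time.Hour))
	expired := issueServerCert(ca, caKey, "www.itn.net", org, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	rogue := issueServerCert(otherCA, otherKey, "www.itn.net", org, now.Add(-time.Hour), now.Add(24*time.Hour))
	return map[string]string{
		"visit www.itn.net, valid cert":     browserCheck(good, trusted, "www.itn.net", now),
		"visit www.united.com, same cert":   browserCheck(good, trusted, "www.united.com", now),
		"visit www.itn.net, expired cert":   browserCheck(expired, trusted, "www.itn.net", now),
		"visit www.itn.net, unknown issuer": browserCheck(rogue, trusted, "www.itn.net", now),
	}
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-34s %s\n", k, v)
	}
}
```

Run it and the four verdicts print. The valid case is the one to look at: x509.Certificate.Verify has confirmed the DNS name, the issuer's signature, the trust anchor and the dates, and the only business identity it can hand back is whatever the issuing CA placed in the Subject's O= attribute. Revocation checking is not part of Verify and is not shown here.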

5
Example: I want to book and buy a ticket online.
This is the standard way to access a Web site, via a
non-secure connection.
If anyone ever checked, the site's business
identity cannot be verified.
No lock symbol means no security and no
encryption. No one knows to click here.
6
OK, I'm ready to purchase and give my credit card
to United, right? It really is United, right?
Click 1 shows that this certificate was issued
to www.itn.net. Who is this? And what do they
have to do with United Airlines? Click on the
Details tab to dig deeper.
The lock symbol appears because I am about to enter
credit card info, but, unbeknownst to almost
everyone, it is clickable.
7
You have to dig really deeply into crypto arcana
to get to the identity information, such as it is.
Click 2 gives access to the contents of the
server's digital certificate. The site's business
identity is still not available. Click on the
Subject field to dig deeper.
8
We learn the hard way that this is actually not
United at all. The Web pages still say United,
and yet it's not United. How often is that going
on? A lot!
Finally, after 3 clicks, the authenticated
identity of the site's business owner is available.
It is the value right after "O=" (Organization) in
the Subject field, and in this case it is
GetThere.com, Inc. Intuitive and accessible? NOT.
Really usable identity information? NOT. AND IT IS
NOT EVEN UNITED AIRLINES THAT I AM ABOUT TO GIVE MY
CREDIT CARD TO.
9
So...
  • SSL is not about business identity. It
    authenticates a domain name and encrypts traffic
    between your browser and some server
  • Yet, in any transaction, the first and most
    important question is WHO am I dealing with?
  • How do we get that done simply, securely and
    reliably on the Web?

10
Identity: why it's so important
  • "The concept of trust is crucial because it
    affects a number of factors essential to online
    transactions, including security and privacy.
    Trust is also one of the most important factors
    associated with branding. Without trust,
    development of e-commerce cannot reach its
    potential."
  • -- Cheskin, July 2000

11
Pure Identity Trust: True Site
  • A smart icon placed on a Web page (or pages)
    that indicates the site is legitimate,
    authentic, and validated via an active call to a
    trusted third party
  • True Site requires only a simple integration by the
    Web site owner. An HTML <IMG> tag is added to the
    page to securely confirm identity and protect
    against site spoofing.
  • Copying of the seal is prevented.
  • Policing that the seal is installed on a valid
    site is performed.

12
Identity must be based on securely tying the site
to an authenticated entity. We must take into
account that people don't necessarily click. If
they do click, the info should be something they
can use.
Click 1 shows additional business credentials
that are valuable to the user and that
strengthen the legitimacy and authenticity of the
site.
The confirmed identity of the site's business owner,
with a time stamp, is presented on the TrueSite
Seal. No click is required to verify identity in
either secure or unsecure mode. ---- Click to
see additional business credentials.
13
It's fundamental to the Web to be open. So
normally, if you can see it, you can copy it. And
because seals are valuable to people, copy them
they do.
Any image on a Web page can usually be copied
with a simple right click. This is how seals
are stolen and put on any other site that has no
right to them. This is why most seals have
limited value and credibility.
14
Seals are abused all over the Web. Yet they
are still in favor because they offer a hint of
credibility and legitimacy through endorsement.
But the seal, to be valuable, must mean something
and must protect itself from abuse.
  • The TrueSite Seal is unique
  • It is not stored on the Web site.
  • Its embedded business identity and time stamp are
    generated dynamically via real-time calls to the
    GeoTrust global credentials repository.
  • It provides robust copy protection.

15
Site spoofing, the wholesale copying of an
entire site to a new location, usually with
changes consistent with the perpetrator's goals,
is prevalent. Identity trust will be lost if the
mechanism does not protect against such fraud.
I spoofed this site to my own personal Web
server. (It took less than a minute.)
  • The TrueSite Seal is unique
  • Since the image is generated on a remote secure
    server,
  • And since the fully-qualified domain name of my
    Web server is not the correct one,
  • The image is not generated at all
  • Spoof and Poof, gone!

16
It's a spoofed site that is NOT 123registration,
and they have no control over what I do with
these pages, and yet the old-style seal says
nothing is wrong!
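
The seal-serving side described on slides 11, 14 and 15, as an added example in Go's standard library. It is not GeoTrust's True Site implementation, whose internals the presentation does not show; the registry layout, the SVG output, the business name and the fixed clock are all constructed for the example. The <IMG> tag on the customer's page points at this handler, and the handler generates the image only when the browser-reported Referer host is exactly a fully-qualified domain name in the credentials registry, so a copy of the page served from any other host gets no image at all.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Site is one record in a hypothetical credentials repository: the business
// identity that was authenticated for a single fully-qualified host name.
type Site struct {
	Organization string
	ValidatedOn  string
}

// newSealServer returns the handler behind the <IMG> tag. The image is generated only
// when the Referer host is exactly a registered FQDN; a copied site on another host,
// or a request with no Referer, gets nothing at all.
func newSealServer(registry map[string]Site, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ref, err := url.Parse(r.Referer())
		if err != nil || ref.Hostname() == "" {
			http.NotFound(w, r)
			return
		}
		host := strings.ToLower(ref.Hostname()) // Hostname() drops any :port
		site, ok := registry[host]             // exact match: no suffix or substring tricks
		if !ok {
			http.NotFound(w, r) // image is not generated at all
			return
		}
		w.Header().Set("Content-Type", "image/svg+xml")
		w.Header().Set("Cache-Control", "no-store") // every page view is a fresh call
		fmt.Fprint(w, renderSeal(host, site, now()))
	})
}

// renderSeal draws host, business identity and time stamp into the image itself, so
// even a copy that is somehow served elsewhere still states which host it was made for.
func renderSeal(host string, site Site, now time.Time) string {
	line := func(y int, s string) string {
		return fmt.Sprintf(`<text x="4" y="%d">%s</text>`, y, html.EscapeString(s))
	}
	return `<svg xmlns="http://www.w3.org/2000/svg" width="240" height="64">` +
		line(16, host) + line(34, site.Organization) +
		line(52, "validated "+site.ValidatedOn+", shown "+now.UTC().Format(time.RFC3339)) +
		`</svg>`
}

// requestSeal makes one in-memory request with the given Referer (empty = header
// absent) and returns the status code and body.
func requestSeal(h http.Handler, referer string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/seal.svg", nil)
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// sampleServer wires a constructed registry and a fixed clock so output is reproducible.
func sampleServer() http.Handler {
	registry := map[string]Site{
		"www.123registration.com": {Organization: "123 Registration, Inc. (constructed)", ValidatedOn: "2001-11-01"},
	}
	return newSealServer(registry, func() time.Time { return time.Date(2001, 11, 15, 12, 0, 0, 0, time.UTC) })
}

func main() {
	h := sampleServer()
	for _, ref := range []string{
		"https://www.123registration.com/order",            // the real site
		"http://www.123registration.com:8080/order",        // same host, explicit port
		"http://www.123registration.com.evil.example/copy", // look-alike suffix
		"http://my-personal-server.example/spoofed-copy",   // the spoof from the slide
		"",                                                 // no Referer at all
	} {
		status, body := requestSeal(h, ref)
		fmt.Printf("Referer %-52q -> %d, %d bytes\n", ref, status, len(body))
	}
}
```

One caveat from the editor, not from the presentation: the decision rests on the Referer the browser sends. A spoofing server that fetches the seal itself with a forged Referer and re-serves the bytes would obtain an image, which is why the host name and time stamp are drawn into the image rather than kept only on the server, and why the seal is served over SSL from the repository's own host so the picture cannot be altered in transit.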
17
So...
  • We can create a solid foundation of identity
    based on real-world authentication
  • We can deliver this to real users in a simple,
    useful way
  • We can protect these mechanisms so that they mean
    something
  • And they can and should be used in conjunction
    with SSL, to identify whom the encrypted
    transactions go to

18
The Dirty Secrets Are Out in the Open
  • SSL does not provide business identity, but is
    great for encryption
  • Identity is the most important thing for building
    trust and brand
  • Identity does require authentication, and will
    continue to take days (True Site)
  • SSL can be provisioned in minutes (QuickSSL)
  • The combination takes the Internet a critical
    next step in its evolution