The Dirty Little Secret of the Internet

1
The Dirty Little Secret of the Internet

• Jothy Rosenberg
• Chief Technology Officer Co-founder
• November 2001

2
The Dirty Little Secret Exposed

• People know about the lock symbol

• It means my credit card is safebut they assume
  too much about who it is being given to!

• SSL the technology behind the lock involves
  authentication of the business AND encryption of
  the sensitive info

• But
• No one knows about the auth part and not knowing
  is very dangerous
• Auth by itself is very valuable to even more of
  the net than encryption
• Encryption by itself is also very important and
  can be done faster if simple auth is performed

3
The Lock SymbolWhat It Meansand What It Doesnt

• The protocol the browser and server will use to
  communicate all data is SSL Secure Socket
  Layer.
• All data transmitted in either direction will be
  encrypted so as to prevent any nefarious
  eavesdropper.
• Your browser recognizes the authority of and has
  the public key of the certificate authority that
  issued and signed the servers certificate.
• The web domain of the server has been registered
  with the certificate authority and is indeed a
  legitimately registered web domain

4
https//www.llbean.com/cgi-bin/ncommerce3/OrderIte
mDisplay

• Users browser accesses a secure site one that
  begins with https instead of http ?

• Browser sends the server its SSL version number
  and cipher settings ?

• Server responds with the sites SSL certificate
  along with servers SSL version number and cipher
  settings ?

• Browser examines servers certificate and
  verifies
• Certificate is valid and has a valid date,
• CA that signed the certificate is a trusted CA
  built into the browser
• Issuing CAs public key built into browser
  validates issuers digital signature
• Domain name in certificate matches the domain
  name the browser is currently visiting

The Lock Symbol How It Works

• Browser generates a unique session key to encrypt
  all communications

• Browser encrypts session key with the sites
  public key and sends it to the server ?

• Server decrypts session key using its own private
  key

• Browser and server each generate message to the
  other informing that messages will hereon be
  encrypted ??

• SSL session is established and all messages are
  sent using symmetric encryption (faster than PKI)

5
Example I want to book and buy a ticket on line.
Standard way to access a Web site via non-secure
connection.
If anyone ever checked, the site business
identity cannot be verified.
No lock symbol means no security and no
encryption.No one knows to click here.
6
OK, Im ready to purchase and give my credit card
to United right? It really is United right?
Click-1 shows that this certificate was issued
to www.itn.net. Who is this? And what do they
have to do with United Airlines? Click on the
Details tab to dig deeper.
Lock symbol appears because I am about to enter
credit card info but unbeknownst to most
everyone, it is clickable
7
You have to dig really deeply into
crypto-arcanery to get to the identity
information such as it is.
Click-2 gives access to the contents of the
servers digital certificate. The site business
identity is still not available. Click on the
Subject field to dig deeper.
8
We learn the hard way that this is actually not
United at all. The Web pages still say United
and yet its not United. How often is that going
on? A lot!
Finally, after 3 clicks, the authenticated
identity of the site business owner is available.
It is right after the O and in this case
it is GetThere.com, Inc. Intuitive and
accessible NOT. Really usable identity
informationNOT. AND IT IS NOT EVEN UNITED
AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD
TO.
9
So

• SSL is not about identity. It is about
  encryption between your browser and some server
• Yet, in any transaction, the first and most
  important question is WHO am I dealing with?
• How do we get that done simply, securely and
  reliably on the Web?

10
Identity why its so important

• The concept of trust is crucial because it
  affects a number of factors essential to online
  transactions, including security and privacy.
  Trust is also one of the most important factors
  associated with branding. Without trust,
  development of e-commerce cannot reach its
  potential.
• -- Cheskin July 2000

11
Pure Identity TrustTrue Site

• A smart icon that is placed on a Web page(s)
  that identifies the site is legitimate,
  authentic, and validated via an active call to a
  trusted 3rd party
• True Site requires a simple integration for the
  Web site owner. An HTML ltIMGgt tag is added to the
  page to securely confirm identity and protect
  against site spoofing.
• Copying of the seal is prevented.
• Policing that the seal is installed on a valid
  site is performed.

12
Identity must be based on securely tying the site
to an authenticated entity. We must take into
account that people dont necessarily click. If
they do click, the info should be what they can
use.
Click-1 shows additional business credentials
that are valuable to the user and that
strengthen the legitimacy and authenticity of the
site.
Confirmed identity of the site business owner
with time stamp is presented on the TrueSite
Seal. No click required to verify identity in
either secure or unsecure mode. ---- Click to
see additional business credentials.
13
Its fundamental to the Web to be open. So
normally, if you see it, you can copy it. And
because seals are valuable to people, copy them
they do.
Any image on a Web page can usually be copied
with a simple right click. This is how seals
are stolen and put on any other site that has no
right to them. This is why most seals have
limited value and credibility.
14
Seals are abused all over the Web. Yet they
still are in favor because they offer a hint of
credibility and legitimacy through endorsement.
But the seal, to be valuable must mean something
and must protect itself from abuse.

• The TrueSite Seal is unique
• It is not stored on the Web site.
• Its embedded business identity and time stamp are
  generated dynamically via real-time calls to the
  GeoTrust global credentials repository.
• It provides robust copy protection.

15
Site spoofing the whole sale copying of an
entire site to a new location usually with
changes consistent with the perpetrators goals
is prevalent. Identity trust will be lost if the
mechanism does not protect against such fraud.
I spoofed this site to my own personal Web
server. (It took less than a minute.)

• The TrueSite Seal is unique
• Since the image is generated on a remote secure
  server,
• And since the fully-qualified domain name of my
  Web server is not the correct one,
• The image is not generated at all
• Spoof and Poof gone!

16
Site spoofing the whole sale copying of an
entire site to a new location usually with
changes consistent with the perpetrators goals
is prevalent. Identity trust will be lost if the
mechanism does not protect against such fraud.
Its a spoofed site that is NOT 123registration
and they have no control over what I do with
these pages and yet the old style seal says
nothing wrong!
17
So

• We can create a solid foundation of identity
  based on real world authentication
• We can deliver this to real users in a simple,
  useful way
• We can protect these mechanisms so that they mean
  something
• And they can and should be used in conjunction
  with SSL to identity who the encrypted
  transactions go to

18
The Dirty Secrets are Out in the Open

• SSL does not provide identity but is great for
  encryption
• Identity is the most important thing for building
  trust and brand
• Identity does require authentication and will
  continue to take days (True Site)
• SSL can be provisioned in minutes (QuickSSL)
• The combination takes the Internet a critical
  next step in its evolution