Title: The Dirty Little Secret of the Internet
1The Dirty Little Secret of the Internet
- Jothy Rosenberg
- Chief Technology Officer Co-founder
- November 2001
2The Dirty Little Secret Exposed
- People know about the lock symbol
- It means my credit card is safebut they assume
too much about who it is being given to!
- SSL the technology behind the lock involves
authentication of the business AND encryption of
the sensitive info
- But
- No one knows about the auth part and not knowing
is very dangerous - Auth by itself is very valuable to even more of
the net than encryption - Encryption by itself is also very important and
can be done faster if simple auth is performed
3The Lock SymbolWhat It Meansand What It Doesnt
- The protocol the browser and server will use to
communicate all data is SSL Secure Socket
Layer. - All data transmitted in either direction will be
encrypted so as to prevent any nefarious
eavesdropper. - Your browser recognizes the authority of and has
the public key of the certificate authority that
issued and signed the servers certificate. - The web domain of the server has been registered
with the certificate authority and is indeed a
legitimately registered web domain
4https//www.llbean.com/cgi-bin/ncommerce3/OrderIte
mDisplay
- Users browser accesses a secure site one that
begins with https instead of http ?
- Browser sends the server its SSL version number
and cipher settings ?
- Server responds with the sites SSL certificate
along with servers SSL version number and cipher
settings ?
- Browser examines servers certificate and
verifies - Certificate is valid and has a valid date,
- CA that signed the certificate is a trusted CA
built into the browser - Issuing CAs public key built into browser
validates issuers digital signature - Domain name in certificate matches the domain
name the browser is currently visiting
The Lock Symbol How It Works
- Browser generates a unique session key to encrypt
all communications
- Browser encrypts session key with the sites
public key and sends it to the server ?
- Server decrypts session key using its own private
key
- Browser and server each generate message to the
other informing that messages will hereon be
encrypted ??
- SSL session is established and all messages are
sent using symmetric encryption (faster than PKI)
5Example I want to book and buy a ticket on line.
Standard way to access a Web site via non-secure
connection.
If anyone ever checked, the site business
identity cannot be verified.
No lock symbol means no security and no
encryption.No one knows to click here.
6OK, Im ready to purchase and give my credit card
to United right? It really is United right?
Click-1 shows that this certificate was issued
to www.itn.net. Who is this? And what do they
have to do with United Airlines? Click on the
Details tab to dig deeper.
Lock symbol appears because I am about to enter
credit card info but unbeknownst to most
everyone, it is clickable
7You have to dig really deeply into
crypto-arcanery to get to the identity
information such as it is.
Click-2 gives access to the contents of the
servers digital certificate. The site business
identity is still not available. Click on the
Subject field to dig deeper.
8We learn the hard way that this is actually not
United at all. The Web pages still say United
and yet its not United. How often is that going
on? A lot!
Finally, after 3 clicks, the authenticated
identity of the site business owner is available.
It is right after the O and in this case
it is GetThere.com, Inc. Intuitive and
accessible NOT. Really usable identity
informationNOT. AND IT IS NOT EVEN UNITED
AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD
TO.
9So
- SSL is not about identity. It is about
encryption between your browser and some server - Yet, in any transaction, the first and most
important question is WHO am I dealing with? - How do we get that done simply, securely and
reliably on the Web?
10Identity why its so important
- The concept of trust is crucial because it
affects a number of factors essential to online
transactions, including security and privacy.
Trust is also one of the most important factors
associated with branding. Without trust,
development of e-commerce cannot reach its
potential. - -- Cheskin July 2000
11Pure Identity TrustTrue Site
- A smart icon that is placed on a Web page(s)
that identifies the site is legitimate,
authentic, and validated via an active call to a
trusted 3rd party - True Site requires a simple integration for the
Web site owner. An HTML ltIMGgt tag is added to the
page to securely confirm identity and protect
against site spoofing. - Copying of the seal is prevented.
- Policing that the seal is installed on a valid
site is performed.
12Identity must be based on securely tying the site
to an authenticated entity. We must take into
account that people dont necessarily click. If
they do click, the info should be what they can
use.
Click-1 shows additional business credentials
that are valuable to the user and that
strengthen the legitimacy and authenticity of the
site.
Confirmed identity of the site business owner
with time stamp is presented on the TrueSite
Seal. No click required to verify identity in
either secure or unsecure mode. ---- Click to
see additional business credentials.
13Its fundamental to the Web to be open. So
normally, if you see it, you can copy it. And
because seals are valuable to people, copy them
they do.
Any image on a Web page can usually be copied
with a simple right click. This is how seals
are stolen and put on any other site that has no
right to them. This is why most seals have
limited value and credibility.
14Seals are abused all over the Web. Yet they
still are in favor because they offer a hint of
credibility and legitimacy through endorsement.
But the seal, to be valuable must mean something
and must protect itself from abuse.
- The TrueSite Seal is unique
- It is not stored on the Web site.
- Its embedded business identity and time stamp are
generated dynamically via real-time calls to the
GeoTrust global credentials repository. - It provides robust copy protection.
15Site spoofing the whole sale copying of an
entire site to a new location usually with
changes consistent with the perpetrators goals
is prevalent. Identity trust will be lost if the
mechanism does not protect against such fraud.
I spoofed this site to my own personal Web
server. (It took less than a minute.)
- The TrueSite Seal is unique
- Since the image is generated on a remote secure
server, - And since the fully-qualified domain name of my
Web server is not the correct one, - The image is not generated at all
- Spoof and Poof gone!
16Site spoofing the whole sale copying of an
entire site to a new location usually with
changes consistent with the perpetrators goals
is prevalent. Identity trust will be lost if the
mechanism does not protect against such fraud.
Its a spoofed site that is NOT 123registration
and they have no control over what I do with
these pages and yet the old style seal says
nothing wrong!
17So
- We can create a solid foundation of identity
based on real world authentication - We can deliver this to real users in a simple,
useful way - We can protect these mechanisms so that they mean
something - And they can and should be used in conjunction
with SSL to identity who the encrypted
transactions go to
18The Dirty Secrets are Out in the Open
- SSL does not provide identity but is great for
encryption - Identity is the most important thing for building
trust and brand - Identity does require authentication and will
continue to take days (True Site) - SSL can be provisioned in minutes (QuickSSL)
- The combination takes the Internet a critical
next step in its evolution