The Dirty Little Secret of the Internet

abdomendebonairSecurity

Nov 2, 2013

The Dirty Little Secret of the Internet

Jothy Rosenberg
Chief Technology Officer & Co-founder

November 2001


The Dirty Little Secret Exposed


People know about the lock symbol. It means "my credit card is safe"...but they assume too much about who it is being given to!

SSL, the technology behind the lock, involves authentication of the server's certificate AND encryption of the sensitive information.

But:

1. No one knows about the auth part, and not knowing is very dangerous.

2. Auth by itself is very valuable to even more of the net than encryption.

3. Encryption by itself is also very important, and can be done faster if simple auth is performed.


The Lock Symbol: What It Means...and What It Doesn't

The protocol the browser and server will use to communicate all data is SSL, the Secure Sockets Layer.

All data transmitted in either direction will be encrypted, so as to prevent any nefarious eavesdropper.

Your browser recognizes the authority of, and has the public key of, the certificate authority that issued and signed the server's certificate.

The certificate authority verified that the server's domain name belongs to the certificate's subject, and the browser checks that the name in the certificate matches the host it connected to. Nothing in the lock itself tells the user which business operates that domain.

No lock symbol means no security and no encryption.

No one knows to click here.

If anyone ever checked, the site business identity cannot be verified.

Standard way to access a Web site via a non-secure connection.

Example: I want to book and buy a ticket online.

OK, I'm ready to purchase and give my credit card to United, right?

It really is United, right?

Lock symbol appears because I am about to enter credit card info, but unbeknownst to most everyone, it is clickable.

Click 1 shows that this certificate was issued to www.itn.net. Who is this? And what do they have to do with United Airlines?

Click on the "Details" tab to dig deeper.

You have to dig really deeply into crypto-arcanery to get to the identity information, such as it is.

Click 2 gives access to the contents of the server's digital certificate. The site business identity is still not available.

Click on the "Subject" field to dig deeper.

We learn the hard way that this is actually not United at all. The Web pages still say United, and yet it's not United. How often is that going on? A lot!

Finally, after 3 clicks, the authenticated identity of the site business owner is available. It is right after the "O =" in the Subject field, and in this case it is GetThere.com, Inc. (the "CN =" is only the host name, www.itn.net).

Intuitive and accessible...NOT. Really usable identity information...NOT.

AND IT IS NOT EVEN UNITED AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD TO.
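The three clicks above end at the certificate's Subject field, where the host name (CN) and the business name (O) are two different attributes. The following is an added example, not code from the deck or from GeoTrust: it encodes a Subject matching the one walked through above (CN = www.itn.net, O = GetThere.com, Inc.), parses it back the way the "Subject" view does, and reports whether the brand the user sees on the page appears anywhere in the business name. Only the X.501 Name structure is modelled, with a small DER encoder so the sample can be built inline; the sample Subject itself is constructed.

```python
"""Added example (not from the deck): pull the business identity out of an
X.509 Subject name, the way the third click in the certificate dialog does.

Only the X.501 Name structure is modelled (SEQUENCE of SET of
AttributeTypeAndValue), with a tiny DER encoder so the sample can be built
inline.  Stdlib only; the Subject below is constructed to match the one the
deck walks through (CN = www.itn.net, O = GetThere.com, Inc.).
"""

# Attribute-type OIDs from X.520 as used in RFC 5280 subject names
ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
             "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_TO_ATTR = {oid: attr for attr, oid in ATTR_OIDS.items()}

TAG_OID, TAG_UTF8, TAG_SEQ, TAG_SET = 0x06, 0x0C, 0x30, 0x31


def _der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_subject(attrs) -> bytes:
    """[("C", "US"), ("O", "..."), ("CN", "...")] -> DER Name, one RDN per attribute.
    Every value is emitted as UTF8String; real CAs also use PrintableString."""
    rdns = b""
    for attr, value in attrs:
        atv = _tlv(TAG_OID, _encode_oid(ATTR_OIDS[attr])) + _tlv(TAG_UTF8, value.encode("utf-8"))
        rdns += _tlv(TAG_SET, _tlv(TAG_SEQ, atv))
    return _tlv(TAG_SEQ, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element), handling long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_subject(der: bytes) -> dict:
    """Walk Name -> RelativeDistinguishedName -> AttributeTypeAndValue into {attr: value}.
    PrintableString and UTF8String content are both decoded as UTF-8 text."""
    tag, name, _ = _read_tlv(der, 0)
    if tag != TAG_SEQ:
        raise ValueError("Subject is not a SEQUENCE")
    result, pos = {}, 0
    while pos < len(name):
        tag, rdn, pos = _read_tlv(name, pos)
        if tag != TAG_SET:
            raise ValueError("RDN is not a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid, after = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after)
            key = _decode_oid(oid)
            result[OID_TO_ATTR.get(key, key)] = value.decode("utf-8")
    return result


def identity_check(subject_der: bytes, expected_brand: str) -> dict:
    """What the user should be shown: the host (CN), the business (O), and
    whether the brand on the web page actually appears in the business name."""
    subj = parse_subject(subject_der)
    org = subj.get("O", "")
    return {"host": subj.get("CN"), "business": org,
            "brand_matches": expected_brand.lower() in org.lower()}


# Constructed sample: the Subject the deck reaches after three clicks
SAMPLE_SUBJECT = encode_subject([("C", "US"), ("O", "GetThere.com, Inc."), ("CN", "www.itn.net")])

if __name__ == "__main__":
    print(identity_check(SAMPLE_SUBJECT, "United Airlines"))
    # -> host www.itn.net, business GetThere.com, Inc., brand_matches False
```

The point of the check is the last field: the browser's own validation only ties the certificate to the host name in CN, so a user who wants to know "is this United?" has to read O themselves, and here O says GetThere.com, Inc.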


So...

SSL is not about business identity. It authenticates a host name and encrypts the traffic between your browser and some server.

Yet, in any transaction, the first and most important question is WHO am I dealing with?

How do we get that done simply, securely and reliably on the Web?


Identity: why it's so important

"The concept of trust is crucial because it affects a number of factors essential to online transactions, including security and privacy. Trust is also one of the most important factors associated with branding. Without trust, development of e-commerce cannot reach its potential."

-- Cheskin, July 2000


Pure Identity Trust: True Site™

A smart icon that is placed on a Web page(s), identifying that the site is legitimate, authentic, and validated via an active call to a trusted 3rd party.

True Site requires a simple integration for the Web site owner. An HTML <IMG> tag is added to the page to securely confirm identity and protect against site spoofing.

Copying of the seal is prevented.

Policing that the seal is installed on a valid site is performed.

Confirmed identity of the site business owner, with time stamp, is presented on the TrueSite Seal.

No click required to verify identity, on either a secure (SSL) page or a non-secure page.

Click to see additional business credentials.

Click 1 shows additional business credentials that are valuable to the user and that strengthen the legitimacy and authenticity of the site.

Identity must be based on securely tying the site to an authenticated entity. We must take into account that people don't necessarily click. If they do click, the info should be what they can use.

Any image on a Web page can usually be copied with a simple right click. This is how seals are stolen and put on any other site that has no right to them. This is why most seals have limited value and credibility.

It's fundamental to the Web to be open. So normally, if you see it, you can copy it. And because seals are valuable to people, copy them they do.

The TrueSite Seal is unique:

It is not stored on the Web site.

Its embedded business identity and time stamp are generated dynamically via real-time calls to the GeoTrust global credentials repository.

It provides robust copy protection.

Seals are abused all over the Web. Yet they still are in favor because they offer a hint of credibility and legitimacy through endorsement. But the seal, to be valuable, must mean something and must protect itself from abuse.

The TrueSite Seal is unique:

Since the image is generated on a remote secure server,

And since the fully-qualified domain name of my Web server is not the correct one,

The image is not generated at all...

Spoof and Poof gone!

Site spoofing (the wholesale copying of an entire site to a new location, usually with changes consistent with the perpetrator's goals) is prevalent. Identity trust will be lost if the mechanism does not protect against such fraud.

I spoofed this site to my own
personal Web server. (It took
less than a minute.)


It's a spoofed site that is NOT 123registration, and they have no control over what I do with these pages, and yet the old-style seal says...

...nothing wrong!
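The two seal slides above (the remotely generated TrueSite Seal, and the copied site whose old-style static seal still reads "nothing wrong") describe one mechanism: the image lives on a seal server, is rendered per request with the verified business name and a time stamp, and is withheld when the page embedding it is not served from the validated fully-qualified domain name. The following is an added example, not GeoTrust's code, of what that server-side decision looks like. It assumes the seal id travels in the image URL's query string, that the embedding page is identified by the browser's Referer header, and that the credentials repository, the host names and the seal URL are constructed stand-ins.

```python
"""Added example (not GeoTrust's code): the server side of a remote "smart
seal" with the property the deck describes.

The seal image is never stored on the customer's site.  A seal server
renders it on every request, stamped with the verified business name and
the current time, and only when the page embedding the <IMG> is being served
from the fully-qualified domain that was validated for that seal.  A copy of
the page on any other host gets nothing.  Assumptions: the seal id travels in
the image URL's query string, the embedding page is identified by the HTTP
Referer header, and the repository below is a constructed stand-in.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed credentials repository: seal id -> (validated FQDN, business name)
CREDENTIALS = {
    "seal-7c1f": ("www.123registration.com", "123 Registration, Inc."),
}


def _embedding_host(referer):
    """Lowercased hostname (no port) of the page that embedded the seal, or None."""
    if not referer:
        return None
    try:
        host = urlparse(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def render_seal(seal_url: str, referer, now=None):
    """Return the seal text for a legitimate embed, or None when it must not render.

    seal_url: the URL the browser requested from the seal server,
              e.g. https://seal.example/true-site?id=seal-7c1f
    referer:  the Referer header the browser sent (the page carrying the <IMG>)
    """
    seal_id = parse_qs(urlparse(seal_url).query).get("id", [None])[0]
    record = CREDENTIALS.get(seal_id)
    if record is None:
        return None                       # unknown seal: nothing to vouch for
    fqdn, business = record
    if _embedding_host(referer) != fqdn:  # exact match, so lookalike suffixes fail too
        return None                       # the "spoof and poof" case
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M UTC")
    return f"Identity verified: {business} ({fqdn}) at {stamp}"


def seal_decisions():
    """Constructed requests: the real site, a wholesale copy, a lookalike, no Referer."""
    url = "https://seal.example/true-site?id=seal-7c1f"
    return {
        "real site": render_seal(url, "https://www.123registration.com/signup.html") is not None,
        "copied to attacker host": render_seal(url, "http://spoof.example.net/signup.html") is not None,
        "lookalike suffix": render_seal(url, "https://www.123registration.com.spoof.example.net/") is not None,
        "no referer": render_seal(url, None) is not None,
        "unknown seal id": render_seal("https://seal.example/true-site?id=missing",
                                       "https://www.123registration.com/") is not None,
    }


if __name__ == "__main__":
    for case, shown in seal_decisions().items():
        print(f"{case:26} -> seal {'rendered' if shown else 'withheld'}")
```

Two caveats a deployer should keep in mind. Referer is supplied by the visitor's browser, so it is good evidence against a page copied wholesale to another host, but browsers and proxies sometimes strip it, which withholds the seal from legitimate visitors, and a spoofer who fetches the image from their own server with a forged Referer and re-serves it gets past this check; that is why the seal also carries the business name and a fresh time stamp for the user to read, and why it should be served over SSL so the image itself cannot be swapped in transit.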


So...

We can create a solid foundation of identity based on real-world authentication.

We can deliver this to real users in a simple, useful way.

We can protect these mechanisms so that they mean something.

And they can and should be used in conjunction with SSL to identify who the encrypted transactions go to.


The Dirty Secrets are Out in the Open

SSL does not provide business identity, but is great for encryption.

Identity is the most important thing for building trust and brand.

Identity does require authentication and will continue to take days (True Site™).

SSL can be provisioned in minutes (QuickSSL™).

The combination takes the Internet a critical next step in its evolution.