 The Dirty Little Secret of the Internet

file time: 2008-03-06

file size: 856.5KB

filetype:ppt


The Dirty Little Secret of the Internet 

Jothy Rosenberg 

Chief Technology Officer & Co-founder 

November 2001

 


The Dirty Little Secret Exposed

People know about the lock symbol: "It means my credit card is safe." But they assume too much about who it is being given to!
SSL, the technology behind the lock, involves authentication of the business AND encryption of the sensitive info.
But no one knows about the auth part, and not knowing is very dangerous.
Auth by itself is very valuable to even more of the net than encryption.
Encryption by itself is also very important and can be done faster if simple auth is performed.


The Lock Symbol: What It Means and What It Doesn't

The protocol the browser and server will use to communicate all data is SSL (Secure Socket Layer). All data transmitted in either direction will be encrypted so as to prevent any nefarious eavesdropper.
Your browser recognizes the authority of, and has the public key of, the certificate authority that issued and signed the server's certificate.
The web domain of the server has been registered with the certificate authority and is indeed a legitimately registered web domain.

The Lock Symbol: How It Works

1. User's browser accesses a secure site (one that begins with https: instead of http:), for example:

https://www.llbean.com/cgi-bin/ncommerce3/OrderItemDisplay

2. Browser sends the server its SSL version number and cipher settings.
3. Server responds with the site's SSL certificate along with the server's SSL version number and cipher settings.
4. Browser examines the server's certificate and verifies:
   - the certificate is valid and has a valid date;
   - the CA that signed the certificate is a trusted CA built into the browser;
   - the issuing CA's public key built into the browser validates the issuer's digital signature;
   - the domain name in the certificate matches the domain name the browser is currently visiting.
5. Browser generates a unique session key to encrypt all communications.
6. Browser encrypts the session key with the site's public key and sends it to the server.
7. Server decrypts the session key using its own private key.
8. Browser and server each send the other a message stating that messages will from here on be encrypted.
9. SSL session is established and all messages are sent using symmetric encryption (faster than PKI).
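The certificate checks in step 4 are the part of the handshake the talk says nobody looks at. The following is an added example, not code from the presentation or from GeoTrust: it runs the two checks a client can perform locally (validity dates and domain-name match, including the leftmost-label wildcard rule) over the dictionary shape that Python's standard `ssl.SSLSocket.getpeercert()` returns, and separately pulls out the organization name that the talk says takes three clicks to reach. The certificate itself is a constructed sample; only the domain `www.itn.net` and the organization `GetThere.com, Inc.` are taken from the talk, and `ssl.cert_time_to_seconds` is the real standard-library parser for the `notBefore`/`notAfter` strings.

```python
import ssl

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# Dates, issuer and the second SAN entry are made up for illustration.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "GetThere.com, Inc."),),
        (("commonName", "www.itn.net"),),
    ),
    "issuer": ((("organizationName", "Constructed Trusted CA"),),),
    "notBefore": "Nov 15 00:00:00 2001 GMT",
    "notAfter": "Nov 15 23:59:59 2002 GMT",
    "subjectAltName": (("DNS", "www.itn.net"), ("DNS", "*.itn.net")),
}


def cert_field(cert, field):
    """Return the first value of a subject attribute (e.g. organizationName), or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def is_within_validity(cert, now):
    """Check 'has a valid date': now (epoch seconds, UTC) lies inside notBefore..notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def _name_matches(pattern, host):
    """Match one certificate DNS name against a host. A wildcard is honoured only
    as the entire leftmost label, it must stand for exactly one label, and it needs
    at least two fixed labels after it (so '*.com' never matches anything)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Check 'domain name in certificate matches the domain the browser is visiting'.
    subjectAltName DNS entries take precedence; the commonName is only a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = cert_field(cert, "commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)


def check_certificate(cert, hostname, now):
    """Summarise what the lock symbol actually tells you: the dates and the domain
    check out (or not), and which business the certificate names, which need not be
    the brand shown on the page."""
    return {
        "valid_dates": is_within_validity(cert, now),
        "hostname_matches": hostname_matches(cert, hostname),
        "organization": cert_field(cert, "organizationName"),
    }


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun 10 12:00:00 2002 GMT")
    print(check_certificate(SAMPLE_CERT, "www.itn.net", now))
    print(check_certificate(SAMPLE_CERT, "www.united.com", now))
```

Run against the sample, the first call reports both checks passing and the organization `GetThere.com, Inc.`; the second fails the hostname check for `www.united.com` even though the same certificate is otherwise valid, which is exactly the gap the talk describes: the browser verifies the domain, not the brand the user believes they are dealing with. The signature and trusted-root checks are left to the TLS library, since they need the issuer's key material rather than the peer certificate dictionary.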

   

No lock symbol means no security and no encryption.  No one knows to click here.  

If anyone ever checked, the site business identity cannot be verified. 

Standard way to access a Web site via non-secure connection. 

Example:   I want to book and buy a ticket on line.

  

OK, I'm ready to purchase and give my credit card (to United, right?).

It really is United right? 

Lock symbol appears because I am about to enter credit card info but unbeknownst to most everyone, it is clickable  

Click-1 shows  that this certificate was issued to www.itn.net. Who is this? And what do they have to do with United Airlines?  

Click on the "Details" tab to dig deeper.

  

You have to dig really deeply into crypto-arcanery to get to the identity information such as it is.  

Click-2 gives access to the contents of the server's digital certificate. The site business identity is still not available.

Click on the "Subject" field to dig deeper.

  

We learn the hard way that this is actually not United at all. The Web pages still say United, and yet it's not United. How often is that going on? A lot!

Finally, after 3 clicks, the authenticated identity of the site business owner is available. It is right after the "O =", and in this case it is GetThere.com, Inc. Intuitive and accessible? NOT. Really usable identity information? NOT.

AND IT IS NOT EVEN UNITED AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD TO.

 


So...

SSL is not about identity. It is about encryption between your browser and some server.
Yet, in any transaction, the first and most important question is WHO am I dealing with?
How do we get that done simply, securely and reliably on the Web?


Identity: why it's so important

"The concept of trust is crucial because it affects a number of factors essential to online transactions, including security and privacy. Trust is also one of the most important factors associated with branding. Without trust, development of e-commerce cannot reach its potential."

                        -- Cheskin July 2000

 


Pure Identity Trust: True Site

A "smart icon" that is placed on a Web page (or pages) that identifies the site as legitimate, authentic, and validated via an active call to a trusted 3rd party.

True Site requires a simple integration for the Web site owner. An HTML <IMG> tag is added to the page to securely confirm identity and protect against site spoofing. 

Copying of the seal is prevented. 

Policing that the seal is installed on a valid site is performed.

   

Confirmed identity of the site business owner with time stamp is presented on the TrueSite Seal.  

No click required to verify identity in either   secure or unsecure mode.

----

Click to see additional business credentials. 

Click-1 shows additional business credentials that are valuable to the user and   that strengthen the legitimacy and authenticity of the site. 

Identity must be based on securely tying the site to an authenticated entity. We must take into account that people don't necessarily click. If they do click, the info should be what they can use.

   

Any image on a Web page can usually be copied with a simple right click.    This is how seals are stolen and put on any other site that has no right to them. This is why most seals have limited value and credibility. 

It's fundamental to the Web to be open. So normally, if you see it, you can copy it. And because seals are valuable to people, copy them they do.

    

The TrueSite Seal is unique: 

It is not stored on the Web site.  Its embedded business identity and time stamp are generated dynamically via real-time calls to the GeoTrust global credentials repository. It provides robust copy protection.  

Seals are abused all over the Web. Yet they still are in favor because they offer a hint of credibility and legitimacy through endorsement. But the seal, to be valuable, must mean something and must protect itself from abuse.

  

The TrueSite Seal is unique: 

Since the image is generated on a remote secure server, and since the fully-qualified domain name of my Web server is not the correct one, the image is not generated at all. Spoof and poof, gone!

Site spoofing (the wholesale copying of an entire site to a new location, usually with changes consistent with the perpetrator's goals) is prevalent. Identity trust will be lost if the mechanism does not protect against such fraud.
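The seal mechanism described above (the image is not stored on the site, is generated on a remote server, and is only generated when the requesting site's domain is the registered one) can be sketched as the server-side decision that remote server makes. This is an added illustration, not GeoTrust's code or the actual True Site protocol: it assumes the seal server identifies the embedding page from the HTTP `Referer` header and looks the host up in a registry of verified business identities (the registry contents and the `render_seal`/`requesting_host` names are constructed for this example). The practical caveat a defender should keep in mind is visible in the code: `Referer` is supplied by the browser, and is often absent, so a seal that is missing on a legitimate page or present on a copied one is only as reliable as that header.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed registry of verified sites: host -> authenticated business identity.
# Stands in for the "global credentials repository" named in the talk.
SEAL_REGISTRY = {
    "www.example.com": "Example Co. (constructed)",
}


def requesting_host(referer):
    """Host of the page that embedded the <IMG> tag, taken from the Referer URL.
    urlsplit lower-cases the host and drops any port or userinfo for us."""
    if not referer:
        return None  # browsers frequently omit Referer (e.g. HTTPS -> HTTP)
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def render_seal(referer, registry=SEAL_REGISTRY, now=None):
    """Decide what the remote seal server returns for one image request.

    Returns the seal text (identity plus time stamp, the two things the talk says
    the seal must carry) when the embedding host is registered, and None when it
    is not, which is the 'spoof and poof' case: a copied <IMG> tag on an
    unregistered host produces no image at all."""
    host = requesting_host(referer)
    if host is None or host not in registry:
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M UTC")
    return f"Verified: {registry[host]} (checked {stamp})"


if __name__ == "__main__":
    # Legitimate page embedding the seal (constructed request).
    print(render_seal("https://WWW.Example.com:443/checkout?item=1"))
    # The same <IMG> tag copied onto a page served from a different host.
    print(render_seal("http://copy-of-site.test/checkout"))
    # Request with no Referer at all.
    print(render_seal(None))
```

Because the identity string and time stamp are produced per request, a saved copy of the image goes stale and a right-click copy of the tag yields nothing on a foreign host; the check does not, however, stop a site that controls its own registered host from being compromised, which is why the talk pairs the seal with real-world authentication of the business rather than presenting it as a substitute.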

I spoofed this site to my own personal Web server.  (It took less than a minute.)

  


It's a spoofed site that is NOT 123registration, and they have no control over what I do with these pages, and yet the old-style seal says: "Nothing wrong!"

 


So...

We can create a solid foundation of identity based on real-world authentication.
We can deliver this to real users in a simple, useful way.
We can protect these mechanisms so that they mean something.
And they can and should be used in conjunction with SSL to identify who the encrypted transactions go to.


The Dirty Secrets are Out in the Open 

SSL does not provide identity but is great for encryption.
Identity is the most important thing for building trust and brand.
Identity does require authentication and will continue to take days (True Site); SSL can be provisioned in minutes (QuickSSL).
The combination takes the Internet a critical next step in its evolution.
