Web Trends and Technologies
David Strom, david@strom.com, (516) 944-3407
T6, 11/1/99
NGN99 T6 (c) 1999 David Strom Inc.
Outline
• Web basics and protocols
• New web technologies and trends
• New eCommerce technologies
• eCommerce Service Options
• Storefront design basics

Goals
• Describe and demonstrate new web products and services
• Articulate some web futures
• Debunk some myths
• Provide the foundation for making your own technology choices

Topic 1: Web Basics and Protocols
• HTML vs. HTTP
• SET vs. SSL
• XML vs. OBI

HTML vs. HTTP
• History lessons
• Similarities and differences

HTML
• Markup language of the web
• Describes the structure and content of a page
• Contains both display control and the actual content itself
• Developed first for document distribution, later used for publishing

Word Processing History
• Wylbur (1974-80)
• TeX and other VT page editors (1976-85)
• NBI, Xerox, Vydec word processors (1977-83)
• Multimate/Wang (1982-5)
• Word Perfect (1984-96)
• MS Word (1992-)
• HTML (1993-)

HTML History
• v 1.0: early 90s
• HTML+: 1993
• v 2.0 (RFC 1866, forms): 1995
• v 3.0 (tables, frames): 1995, schism between Netscape and Microsoft
• v 3.2 (style sheets): adopted 1996
• v 4: 1998, three versions proposed by W3C, but nothing really adopted yet
• XHTML: 1999, a marriage of XML and HTML (see www.w3c.org)
Lessons Learned
• Dedicated machines with incompatible formats
• New hardware platforms every 3-4 years
• Alternating between WYSIWYG and tagged text
HTML Features
• Operating system independent
• Browser independent
• The user controls the browser
• The author controls organization
• The server controls -- well, not much!

HTML Goals
• Interoperability (I can read your docs)
• Cross-platform compatibility (Macs can read PC docs)
• Collaboration with my colleagues (we can jointly author docs)
HTML Realities
• New tags no longer have the impact they once had
• The Netscape/Microsoft battle is still relevant but not significant (remember D-HTML?)
• Look to XML for the most interesting innovations in the near future
HTTP: A Brief History
• Developed by CERN in 1990/1
• Became open source in 1992/3
• The server side of things

Typical HTTP Conversation
• Open connection from browser to server
• Request a particular page and other objects
• Server responds, delivers data if possible
• Close the request

HTTP is Stateless
• Each page request is independent
• Servers have short memories
• One-at-a-time processing
• This has all sorts of problems for web shopping or tracking browsers over extended time periods

So How to Fix This?
• Use cookies or crypto certificates to keep track of users
• Run scripts or programs on your web server
• Use a database server and logins to keep track
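The first fix on this slide, cookies, as an added example that is not from the deck: every request is handled on its own, as HTTP requires, and the server recognises a returning browser only by a session cookie it issued earlier and signed with HMAC, so an edited cookie is rejected rather than trusted. The signing key, session store and cart contents are constructed for the demo.

```python
"""Added example: tracking a shopper across stateless HTTP requests with an
HMAC-signed session cookie. Key, store and item names are constructed for
the demo; none of this is code from the original slides."""
import hashlib
import hmac
import secrets

# Server-side signing key. Constructed for the demo; a real server would load
# it from configuration and never send it to the browser.
SECRET = b"constructed-demo-key"


def sign_session(session_id: str, key: bytes = SECRET) -> str:
    """Return 'session_id.mac' so an edited or forged cookie is detectable."""
    mac = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session(cookie_value: str, key: bytes = SECRET):
    """Return the session id if the MAC is valid, otherwise None."""
    session_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare: do not leak how many MAC bytes matched.
    return session_id if hmac.compare_digest(mac, expected) else None


def handle_request(headers: dict, cart_store: dict) -> tuple:
    """Serve one independent request; the cookie is the only link to earlier ones.

    Returns (response_headers, body) and adds one item to the caller's cart."""
    session_id = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            session_id = verify_session(value)
    response = {}
    if session_id is None:
        # No cookie, or one that fails its MAC: start a fresh session.
        session_id = secrets.token_hex(16)
        response["Set-Cookie"] = (
            f"sid={sign_session(session_id)}; HttpOnly; Secure; Path=/"
        )
    cart = cart_store.setdefault(session_id, [])
    cart.append("item")
    return response, f"cart has {len(cart)} item(s)"
```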
SET vs. SSL
• Similarities and differences
• Protocol descriptions
• Practical applications

SSL: Encrypt Transactions
• Why encrypt?
• Principles of cryptosystems
• Understand certificate management

Why Encrypt? TRUST!
• Ensure your customer is authorized to use his account
• Customer wants to make sure you are the legit seller
• Ensure payment is received
• Ensure goods are received

Steps in SSL Certificate Creation
• Select a CA to use, fill out their forms and pay them
• CA verifies the information provided
• CA creates a certificate containing the public key and an expiration date
• The certificate is stored on your web server

Hierarchy of Trust for Certificate Issuance
• Visa and MasterCard will designate or become CAs
• Merchants trust these issuers or their banks
• Cardholders will obtain certificates from their banks' CA and store them in an electronic wallet

Examples of Certificate Authorities
• VeriSign: www.Verisign.com
• GTE CyberTrust Solutions, Inc.: www.cybertrust.gte.com
• Thawte Consulting: www.thawte.com

Certificate Creation
• Demo of key generation and certificate request
Verisign Server Certs
• www.verisign.com/server/prod
• Different features, ranging in price from $349 to $1295/year
• Offer different warranties and encryption levels
Certificate Management
• Once public key certificates are issued, they must be managed to maintain integrity
• They contain expiration dates
• They may be revoked for various reasons
• Upon expiration, certificates must be renewed or reissued
• This is a consideration for using an external CA, as opposed to managing an internal CA
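The expiration check a renewal monitor would run on the certificate described above, as an added example that is not from the deck. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the subject, issuer and dates below are constructed to match the deck's era and are not a real certificate.

```python
"""Added example: classify a server certificate by its validity window, the
check a renewal monitor would run. The certificate below is constructed in the
shape returned by ssl.SSLSocket.getpeercert(); it is not a real certificate."""
import ssl

# Constructed sample; dates chosen to match the deck's era.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("organizationName", "Constructed Test CA"),),),
    "notBefore": "Oct  1 00:00:00 1999 GMT",
    "notAfter": "Oct  1 00:00:00 2000 GMT",
}


def gmt_to_seconds(cert_time: str) -> int:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used in getpeercert() output."""
    return ssl.cert_time_to_seconds(cert_time)


def cert_status(cert: dict, now: float, warn_days: int = 30) -> dict:
    """Return the certificate's state relative to `now` (seconds since epoch).

    States: not-yet-valid, expired, renew-soon (inside the warning window), valid.
    """
    not_before = gmt_to_seconds(cert["notBefore"])
    not_after = gmt_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if now < not_before:
        state = "not-yet-valid"
    elif now > not_after:
        state = "expired"
    elif days_left <= warn_days:
        state = "renew-soon"
    else:
        state = "valid"
    # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    attrs = {name: value for rdn in cert["subject"] for name, value in rdn}
    return {
        "commonName": attrs.get("commonName"),
        "state": state,
        "days_left": round(days_left, 1),
    }


if __name__ == "__main__":
    import time
    print(cert_status(SAMPLE_CERT, time.time()))
```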
How is this accomplished?
• Secure servers and browsers
  • Capable of strong encryption (up to 128 bit)
  • 40 bit encryption is no longer considered adequate for financial transactions
• Digital certificates
  • Ensure the identity of the certificate holder
  • Also called digital IDs
• The common protocol in use today is Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL)
• Authenticates the merchant server
  • Merchant certificate obtained from a trusted Certificate Authority
• Provides privacy through encryption of the message for both the sender and receiver
  • Secure "pipe" negotiates the maximum encryption compatible at browser and server for each message transmitted
• Ensures integrity of data transmitted
  • Message authenticity check (algorithm)

Secure Sockets Layer Protocol (SSL)
• https:// in the URL = a secure connection
• SSL allows customers to verify who the merchant is
• The merchant's digital ID does not certify the integrity of the merchant
• The merchant's certificate (digital ID) can be viewed by any secure browser

Secure Sockets Layer Protocol (SSL)
• SSL encrypts the customer order, which includes the payment information
• This data is sent from the customer to the merchant via a secure "pipe"
Diagram: customer order with payment information -> encrypted order sent -> customer order decrypted at merchant server
What SSL Doesn't Encrypt
• Once the data arrives on the secure server, it could be stored in an insecure location!
• Nor does it help if someone has physical access to your desktop or server
Encryption Strength
• It is illegal to export outside the US products containing encryption stronger than 40 bits
• It is not illegal to use encryption stronger than 40 bits internationally
• Financial institutions do not consider 40-bit encryption adequate for Internet transactions

Encryption Strength
• Newer browser and server software are capable of 128-bit encryption
• 128-bit encryption is exponentially stronger than 40-bit encryption

SET: Authenticate Buyers
• What is the protocol
• How it works
• Advantages and disadvantages

What is SET protocol?
• Secure Electronic Transaction protocol is a common standard that was developed jointly by Visa, MasterCard and other partners to ensure the processing of secure transactions
• Based on RSA encryption
• Uses public and private key pairs that have a mathematical relationship

How is SET Different from SSL?
• Digital certificates for SET will be payment-specific
• Merchants will be certified as legitimate to accept branded payment card transactions
• Cardholders will be certified as valid account holders
• Merchants will not see the customer's account number (it will only be passed to the acquirer)

How is SET Different from SSL? (diagram)
With SET:
• Customer sends: customer's digital ID related to a specific account + customer order info
• Merchant server gets: customer's digital ID minus the account number + customer order
• Acquirer gets: order receipt + customer's digital ID with account number

The Mechanics of SET
• (1) Payment info sent from user to merchant
• (2) Merchant confirms, fees charged
• (3) Transaction to bank, funds debited/credited
• (4) Merchant sends item to user

MasterCard® Example of a SET Transaction
• http://www.mastercard.com/set/screen1.html

SSL vs. SET

| | SSL | SET |
|---|---|---|
| Server authentication | Merchant certificate as legitimate business | Merchant certificate tied to accepting payment brands |
| Client authentication | Possible; not tied to payment method | Customer's digital certificate tied to a certain payment method |
| Privacy | Encrypted message to merchant includes account number | Encrypted message does not pass account number to merchant |
| Integrity | Message authenticity check | Hash/message envelope |
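The Privacy and Integrity rows of the SET column above, and the "merchant never sees the account number" flow two slides earlier, as an added toy model that is not from the deck and is not SET's real message format: the customer splits a purchase into order information for the merchant and payment information for the acquirer, and a linking hash binds the two so neither party can pair a different order with the payment. Plain SHA-256 hashes stand in for the RSA signatures and the encrypted payment envelope SET actually uses; the order, account number and names are constructed.

```python
"""Added toy model of SET's split envelope: the merchant never receives the
account number, yet order and payment stay bound together. SHA-256 hashes
stand in for SET's RSA signatures and encrypted envelope; all data below is
constructed for the demo and is not from the original slides."""
import hashlib
import json


def digest(message: dict) -> str:
    """Canonical SHA-256 of a message (sorted keys so both sides agree)."""
    return hashlib.sha256(json.dumps(message, sort_keys=True).encode()).hexdigest()


def link_hash(order_hash: str, payment_hash: str) -> str:
    """Hash over both digests: the binding each party checks independently."""
    return hashlib.sha256((order_hash + payment_hash).encode()).hexdigest()


def customer_split(order: dict, payment: dict) -> tuple:
    """Produce the merchant's envelope and the acquirer's envelope."""
    oi_hash, pi_hash = digest(order), digest(payment)
    link = link_hash(oi_hash, pi_hash)
    # Merchant: full order, only a hash of the payment details.
    to_merchant = {"order": order, "pi_hash": pi_hash, "link": link}
    # Acquirer: full payment details, only a hash of the order.
    to_acquirer = {"payment": payment, "oi_hash": oi_hash, "link": link}
    return to_merchant, to_acquirer


def merchant_check(envelope: dict) -> bool:
    """Merchant confirms the order it sees is the one bound to the payment."""
    return link_hash(digest(envelope["order"]), envelope["pi_hash"]) == envelope["link"]


def acquirer_check(envelope: dict, oi_hash_from_merchant: str) -> bool:
    """Acquirer confirms its payment details match the order the merchant forwarded."""
    return (envelope["oi_hash"] == oi_hash_from_merchant
            and link_hash(envelope["oi_hash"], digest(envelope["payment"])) == envelope["link"])


def exposes_account_number(envelope: dict) -> bool:
    """True if the account number appears anywhere in what this party received."""
    return "account_number" in json.dumps(envelope)


# Constructed sample purchase (not real card data).
ORDER = {"merchant": "shop.example.test", "items": ["widget"], "total": "49.99"}
PAYMENT = {"account_number": "0000-0000-0000-0000", "expires": "12/01", "amount": "49.99"}
```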
Is SET the Answer to eCommerce?
• SET has been proposed as the answer to secure and interoperable eCommerce
• It is not currently mandated by Visa and MasterCard
• There are big implementation issues for all concerned
• The SET protocol is definitely more secure than SSL

SET Issues
• Implementation of SET has some big drawbacks:
  • Lack of interoperability among systems
  • Management of public key infrastructure
  • Distribution of digital certificates requires action on the part of the consumer
  • Will banks want to become cert authorities?
  • And who will pay for all this?
• Meanwhile, eCommerce goes on
The Future of SET
• Non-repudiation of transactions through digital certificates for both merchant and customer
• SET may be the industry standard for payments, but it has yet to be implemented
• It will be far more difficult for a customer to claim no knowledge of a transaction
• Demonstrations continue
Another View of SET (Lincoln Stein)
"An over-engineered, committee-designed solution to a nonproblem, a boondoggle invented by hidebound credit-card companies panic-stricken over the prospect of not getting their piece of the Internet pie." (WebTechniques, 8/98)
What About eWallets and SET?
• Verifone® vWALLET(SM)
• GlobeSET (SET now, server-side non-SET later)
• Transactor/Citibank Wallet (Jscript bookmark)
• eWallet.com (only SSL)
• Microsoft Wallet (in Win98, IE 4.01) (both SSL and SET)

What's in an eWallet?
• Credit card accounts
• Debit card accounts
• Checking accounts

All of These Have in Common
• Access to your accounts
• Credit card and other account numbers are stored by the service provider in a database, or on your hard disk
• These numbers are not transmitted to the merchant
• Consumer must initiate account set-up in advance of making any purchases

How Electronic Wallets Work Today
• Consumer must initiate the request for electronic "wallet" software
• Credit card or other account numbers are given to the provider one time before any purchases are made
• Closed system: only available to participating merchants and cardholders who have signed up in advance

How Electronic Wallets Will Work in the Future
• With SET protocol, they will contain digital IDs with encrypted account information
• Since digital IDs will be tied to specific accounts, wallets will keep track of all that information
• At that point, wallets will be widely distributed and universally accepted

Interoperability is the Key
• Wallets will become widely used when the following events occur:
  • Mass distribution of wallets to consumers is easily made
  • They will be accepted by all merchants, regardless of wallet brand or payment brand

eWallet Demonstration