The Dirty Little Secret of the Internet
Jothy Rosenberg, Chief Technology Officer & Co-founder
November 2001
The Dirty Little Secret Exposed
• People know about the lock symbol
• It means my credit card is safe… but they assume too much about who it is being given to!
• SSL – the technology behind the lock – involves authentication of the business AND encryption of the sensitive info
• But
• No one knows about the auth part, and not knowing is very dangerous
• Auth by itself is very valuable to even more of the net than encryption
• Encryption by itself is also very important and can be done faster if simple auth is performed
The Lock Symbol: What It Means… and What It Doesn’t
• The protocol the browser and server will use to communicate all data is SSL – Secure Sockets Layer.
• All data transmitted in either direction will be encrypted so as to thwart any nefarious eavesdropper.
• Your browser recognizes the authority of, and has the public key of, the certificate authority that issued and signed the server’s certificate.
• The web domain of the server has been registered with the certificate authority and is indeed a legitimately registered web domain.
Example: I want to book and buy a ticket online.
Standard way to access a Web site via a non-secure connection.
Even if anyone ever checked, the site's business identity cannot be verified.
No lock symbol means no security and no encryption.
No one knows to click here.
OK, I’m ready to purchase and give my credit card – to United, right? It really is United, right?
Click-1 shows that this certificate was issued to www.itn.net. Who is this? And what do they have to do with United Airlines?
Click on the “Details” tab to dig deeper.
The lock symbol appears because I am about to enter credit card info but, unbeknownst to almost everyone, it is clickable.
You have to dig really deeply into crypto-arcanery to get to the identity information, such as it is.
Click-2 gives access to the contents of the server’s digital certificate.
The site business identity is still not available.
Click on the “Subject” field to dig deeper.
We learn the hard way that this is actually not United at all. The Web pages still say United and yet it's not United. How often is that going on? A lot!
Finally, after 3 clicks, the authenticated identity of the site business owner is available. It is right after the “O =” and in this case it is GetThere.com, Inc.
Intuitive and accessible… NOT.
Really usable identity information… NOT.
AND IT IS NOT EVEN UNITED AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD TO.
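The three-click check above comes down to reading the O= and CN= attributes of the certificate subject and comparing them with the brand the page displays. The sketch below is an added example, not part of the original slides; it assumes the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificates and helper names are constructed for illustration.

```python
import re

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# CN and O are the values shown on the slides; the country is a placeholder.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "GetThere.com, Inc."),),
        (("commonName", "www.itn.net"),),
    ),
}
# Constructed: a certificate whose subject carries no organization at all.
NO_ORG_CERT = {"subject": ((("commonName", "www.example.test"),),)}

# Legal and domain suffixes ignored when comparing names loosely.
_SUFFIXES = {"inc", "incorporated", "corp", "corporation", "llc", "ltd", "co", "com"}

def subject_fields(cert):
    """Flatten the nested RDN tuples into {attribute: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def normalize(name):
    """Lower-case, split on punctuation and drop suffixes such as 'Inc.'."""
    words = re.split(r"[^a-z0-9]+", name.lower())
    return [w for w in words if w and w not in _SUFFIXES]

def identity_report(cert, brand_on_page):
    """Compare the authenticated O= value with the brand the page displays."""
    fields = subject_fields(cert)
    orgs = fields.get("organizationName", [])
    hosts = fields.get("commonName", [])
    target = normalize(brand_on_page)
    if not orgs:
        verdict = "no-authenticated-organization"
    elif target and any(normalize(o) == target for o in orgs):
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"organization": orgs, "common_name": hosts, "verdict": verdict}
```

A "mismatch" or "no-authenticated-organization" verdict is the situation the slide describes: the connection is encrypted, but the certificate does not name the business whose brand is on the page.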
So…
• SSL is not about identity. It is about encryption between your browser and some server
• Yet, in any transaction, the first and most important question is WHO am I dealing with?
• How do we get that done simply, securely and reliably on the Web?
Identity – why it's so important
“The concept of trust is crucial because it affects a number of factors essential to online transactions, including security and privacy. Trust is also one of the most important factors associated with branding. Without trust, development of e-commerce cannot reach its potential.”
-- Cheskin July 2000
Pure Identity Trust: True Site™
A “smart icon” placed on a Web page (or pages) that identifies the site as legitimate, authentic, and validated via an active call to a trusted 3rd party.
True Site requires a simple integration for the Web site owner. An HTML <IMG> tag is added to the page to securely confirm identity and protect against site spoofing.
Copying of the seal is prevented.
Policing that the seal is installed on a valid site is performed.
Identity must be based on securely tying the site to an authenticated entity. We must take into account that people don’t necessarily click. If they do click, the info should be something they can use.
Click-1 shows additional business credentials that are valuable to the user and that strengthen the legitimacy and authenticity of the site.
Confirmed identity of the site business owner, with time stamp, is presented on the TrueSite Seal. No click is required to verify identity in either secure or unsecure mode.
Click to see additional business credentials.
It's fundamental to the Web to be open. So normally, if you see it, you can copy it. And because seals are valuable to people, copy them they do.
Any image on a Web page can usually be copied with a simple right click. This is how seals are stolen and put on any other site that has no right to them. This is why most seals have limited value and credibility.
Seals are abused all over the Web. Yet they are still in favor because they offer a hint of credibility and legitimacy through endorsement. But the seal, to be valuable, must mean something and must protect itself from abuse.
The TrueSite Seal is unique:
• It is not stored on the Web site.
• Its embedded business identity and time stamp are generated dynamically via real-time calls to the GeoTrust global credentials repository.
• It provides robust copy protection.
Site spoofing – the wholesale copying of an entire site to a new location, usually with changes consistent with the perpetrator's goals – is prevalent. Identity trust will be lost if the mechanism does not protect against such fraud.
I spoofed this site to my own personal Web server. (It took less than a minute.)
The TrueSite Seal is unique:
• Since the image is generated on a remote secure server,
• And since the fully-qualified domain name of my Web server is not the correct one,
• The image is not generated at all…
• Spoof and Poof gone!
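The server-side decision behind "the image is not generated at all", as an added sketch that is not GeoTrust's code. The slides do not say how the seal server learns the FQDN of the embedding page; this example assumes it reads the `Referer` header of the image request, and the site id, repository contents and function names are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed stand-in for the credentials repository: site id -> verified record.
REPOSITORY = {
    "site-1001": {"organization": "Example Registrations, Inc.",
                  "fqdn": "www.example-registrations.test"},
}

def referring_host(referer):
    """Return the lower-cased host of the embedding page, or None if unusable."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()

def render_seal(site_id, referer, now=None):
    """Return seal text for a registered page, or None (no image is served)."""
    record = REPOSITORY.get(site_id)
    host = referring_host(referer)
    # Fail closed: an unknown site id, a missing Referer, or any host other
    # than the exact registered FQDN gets no seal at all.
    if record is None or host is None or host != record["fqdn"]:
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"{record['organization']} | {record['fqdn']} | verified {stamp}"
```

The comparison is an exact host match, so a copied page served from a look-alike name that merely contains the registered FQDN gets no seal. Under the Referer assumption the check relies on the visitor's own browser reporting the embedding page honestly, and a browser that omits the header sees no seal either.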
Site spoofing – the wholesale copying of an entire site to a new location, usually with changes consistent with the perpetrator's goals – is prevalent. Identity trust will be lost if the mechanism does not protect against such fraud.
It’s a spoofed site that is NOT 123registration, and they have no control over what I do with these pages, and yet the old-style seal says…
…nothing wrong!
So…
• We can create a solid foundation of identity based on real world authentication
• We can deliver this to real users in a simple, useful way
• We can protect these mechanisms so that they mean something
• And they can and should be used in conjunction with SSL to identify who the encrypted transactions go to
The Dirty Secrets are Out in the Open
• SSL does not provide identity but is great for encryption
• Identity is the most important thing for building trust and brand
• Identity does require authentication and will continue to take days (True Site™)
• SSL can be provisioned in minutes (QuickSSL™)
• The combination takes the Internet a critical next step in its evolution