Phishing is the fastest growing threat in the history of Internet and has gained immense popularity amongst Internet fraudsters and hackers as a simple yet effective way to gain unsolicited access to confidential user information.
Using social engineering tactics, fraudsters ensure that the trust relationship established by a company with its customers is exploited to maximum effect. It is for this reason that moving towards stronger identity assurance techniques is the only long term strategy that will maintain the stability of the Internet.
Identity and authentication are fundamental concepts in every marketplace. People and institutions establish trust before conducting business. Traditionally there has been a reliance on physical credentials such as a business license or a letter of intent. In the age of the Internet, e-business will only succeed if this ability to pass trust remains consistent. Authenticated SSL certificates have been proven to provide the critical online identity assurance necessary to establish trust between parties. In fact the future success of a multitude of e-commerce eco- systems rests directly upon the continual strengthening of that trust relationship.
WHY DO WE NEED ENCRYPTION?
The Web presents a unique set of trust issues, which businesses must address at the outset to minimize risk. Consumers submit information and purchase goods or services via the Internet only when they are confident that their personal information, such as credit card numbers and financial data, is secure. The solution for businesses reliant upon e-commerce is to implement a complete e-commerce trust infrastructure based on encryption technology. Let us take a closer look at "encryption". The dictionary definition is:
 using a secret code so as to be unintelligible to unauthorized parties.
3. The manipulation of data to prevent accurate interpretation by all but those for whom the data is intended. Financial institutions use encryption to increase the security of data transmitted via the Internet.
So in essence encryption is the process of transforming information to make it unintelligible to <b>all unauthorized parties </b>except the intended recipient and forms the basis of data integrity and privacy which is necessary for e-commerce. What this means is that the whole purpose of encryption is to make sure that the <b>intended recipient </b>is the only one who receives in intelligible form the information which has been encrypted.
Unless you have authenticated the )
Let's look at SSL itself in more detail.
What is SSL?
Established by Netscape in 1994, the SSL protocol is now widely accepted as a method of providing confidentiality, authentication and integrity for on-line transactions. Companies such as VeriSign and Comodo deliver high assurance certificates to individuals and organization's following a subscriber authentication process that includes verification of the organizations existence, the organization's right to use the domain name included within the certificate and the authority of the requester to obtain a certificate on behalf of the organization.
The original concept from Netscape stated:-
- "Third-party CAs are critical for some applications. For example, a bank that wishes to put a server on the Internet for online banking cannot just issue its own certificate to that server and ask customers to believe that it really is the bank's server. Instead, the bank will purchase a server certificate from a third-party CA. The third-party CA takes responsibility for performing due diligence and ensuring that the company requesting the certificate really is the company it says it is before issuing the certificate."
The use of SSL certificates is a critical building block for secure electronic commerce and one of the most ubiquitous uses of public key infrastructure (PKI). SSL certificates are "High Assurance" if they provide three security services - confidentiality, authentication and integrity. They enable a user to:
- Communicate securely with a web site - Information which the user then provides cannot be intercepted in transit (confidentiality) or altered without detection (integrity)
- Verify that the site is actually the company's web site and not an imposter's site (authentication) For example, an SSL certificate with the organizational name "ABC Software Inc." is intended to provide assurance that the Web site being viewed (e.g. www.abcsoftware.com) is actually an ABC Software Inc Web site (and not a "spoofed" site created specifically by another, unrelated entity to trick unsuspecting web surfers into doing business with someone pretending to be ABC Software Inc.) Why is it important? A domain name URL (uniform resource locator) is equivalent to a telephone number. It is assigned to a paying customer (organization or individual) for the period of time it is registered. The domain name system was designed to support open-systems information flow. While there are restrictions on certain types of domains (e.g. .mil is restricted to US military entities, .fr is restricted to organizations physically located in France), there are no such restrictions on .com, .org, .net and others. To register for these types of domains the individual or organization need only pay an annual fee. There is no requirement for registrars to verify the accuracy of the information provided.
- The validation techniques followed by Certification Authorities should constantly be reviewed, refined and improved.
- The techniques should be audited by a centralized independent body.
- Proven adherence to those techniques should form the minimum entry criteria for any Certification Authority to have their root certificates accepted by Browser providers. The goal of ever increasing security should drive future standards with entity authentication an absolute minimum where encryption and trust is required. After all, What is the point of encryption if you don't know who for? i. http://news.netcraft.com/archives/web_server_survey.html iii. http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm v. http://archive.dante.net/np/ds/osi/9594-6-X.520.A4.ps Dr. Colin Walter has a formidable international reputation in the design of hardware and algorithms for the implementation of RSA cryptography. He is on the programme committee of several international conferences (e.g. CHES and ARITH) and has given invited lectures on many occasions. He obtained his doctorate in algebraic number theory from Cambridge University and he is a senior member of the IEEE. Colin is most well-known to the international community for his invention of the first ever purely locally connected systolic array for modular multiplication. This enables servers to perform the calculations for very large numbers of SSL key exchanges at once. Recent research has led to the MIST algorithm, patented by Comodo, which is a key ingredient in the secure implementation of electronic purses on smartcards.
.
However, changes in the SSL certificate marketplace have posed a significant security risk with a huge potential threat to consumer confidence in the security of online commerce.
<img src=)
 now has the ability to display organizational (entity) information directly from the web site's SSL certificate.
<img src=)
Entity information is available from the SSL certificate.
 to be able to understand the level of assurance provided. Industry standards for subscriber registration require that a certification authority (CA) maintains controls to provide reasonable assurance that:
<li>Subscribers are properly identified and authenticated, </li>
<li>Subscriber certificate requests are accurate, authorized and complete. </li>
A certification authority's code of practice is detailed in a CPS (Certificate Practice Statement) or disclosed within the CA's published certificate policy (CP). There are three fundamental verification steps necessary to be able to issue an SSL certificate to an organization:
<li>Domain ownership - Does the organization or individual have the right to use the Domain identified on the certificate? </li>
<li>Confirmation of legal status - Is the organization a legal entity? </li>
<li>Confirmation of the requestor's authorization - Does the individual making the request have authorization from the organization to make the said request? </li>
The importance of the validation steps are identified in the risk table below. In general, an internet user incurs a higher risk if any verification steps are not performed. In each example scenario, the failure to complete the specified checks could expose:
<li>Unsuspecting Internet users to direct financial loss due to fraud. </li>
<li>The legitimate organization to direct financial loss due to fraud, or undue business risk and loss or productivity, or public relations, or legal action. </li>
<li>The certification authority to undue business risk, bad public relations or legal action. </li>
Example ScenarioRisk or Threat Posed
<ul> <li>No authentication of the organization by the CA or <ul> <li>No check of the applicant's right to use the domain name A malicious individual operating a spoofed web site tries to masquerade as an existing organization, thus deceiving Internet users into believing that the individual's web site is operated under the auspices of an existing organization whose name is included in the SSL certificate. This then creates a false level of trust by association between the malicious individual and the legitimate organization.
<ul> <li>No check of the organization's existence by the CA A malicious individual could pretend to be an organization even though no such organization exists (i.e. the articles of incorporation or business documents have not been registered with the appropriate government body)
<ul> <li>No check by the CA of the applicant's identity or of his authority to request a certificate for the organization A malicious individual who is not authorized by the organization could obtain an SSL certificate bearing the organization's name, allowing the malicious individual to masquerade as the organization
SSLv2 versus SSLv3/TLSv1 and Assurance Level
It's now widely accepted that SSLv2 was insecure. A critical failing of SSLv2 was its susceptibility to a Man-in-the-Middle attack . With SSLv2, it was not possible to guarantee that you were communicating securely with the owner of the private key.
With SSLv3 and the equivalent TLSv1 you can now be sure that only the owner of the server's private key can decrypt any information sent. However, as we have already established, where Low Assurance SSL is used, no entity authentication is performed and therefore it is not possible to know who the owner of the private key is. SSLv3.0 is therefore open to a Man-in-the-middle attack with Low Assurance SSL.
<img src=)
With no entity authentication consumers have no ability to know if they are subject to a man-in-the-middle attack.
The Legal implications of using Low Assurance SSL certificates.
The role of a Certification Authority (CA) is to certify that an applicant is a legitimate and legally accountable entity. Consumers are afforded far greater protection with High Assurance SSL certificates in the event of a legal claim they have lines of recourse.
Low Assurance SSL certificates provide no legal recourse, and consumers remain unprotected. The actual implication for the user who relies upon an enterprise or business that purchases a low assurance SSL certificate has not yet been tested through the courts.
What actually is the difference between High Assurance and Low Assurance?
As we have established, High Assurance validation is about "Certifying the end entity" and therefore "authenticating the intended recipient".
Low assurance processes fail to "authenticate the intended recipient" as discussed earlier in the definition of "encryption". The only item validated is control of a domain. Domain names are themselves susceptible to vulnerabilities.
DNS cache poisoning is a technique which corrupts the DNS (Domain Name System) injecting false information into the system so that future requests can be diverted from their intended destinations. In a DNS poisoning attack it is possible for a localized domain of the same name to exist, and therefore possible for a second fraudulent Low Assurance SSL to be created. As no other checking is done an attacker can obtain an SSL certificate for any domain name that can be affected by a DNS poisoning attack. Low Assurance SSL certificates are susceptible to DNS cache poisoning attacks.
Low Assurance SSL and compliancy to International Standards
SSL certificates must conform to internationally recognized standards for interoperability and are thus X.509 compliant. The data structure within X.509 itself makes use of another International standard, namely X.520:
5.4 Organizational attribute types
These attribute types are concerned with organizations and can be used to describe objects in terms of organizations with which they are associated.
5.4.1 Organization Name
The Organization Name attribute type specifies an organization. When used as a component of a directory name it identifies an organization with which the named object is affiliated.
An attribute value for OrganizationName is a string chosen by the organization (e.g. O = "Scottish Telecommunications plc"). Any variants should be associated with the named Organization as separate and alternative attribute values.
organizationName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX DirectoryString {ub-organization-name}
ID id-at-organizationName }
The Collective Organization Name attribute type specifies an organization name for a collection of entries.
collectiveOrganizationName ATTRIBUTE ::= {
SUBTYPE OF organizationName
COLLECTIVE TRUE
ID id-at-collectiveOrganizationName }
Here the 'O' - Organization field does not contain the organization "Better Business Bureau" so consumers have no ability to verify that the certificate actually belongs to that organization.
IS THERE SUCH A THING AS 100% SECURITY?
Is entity authentication the answer to achieve 100% security?
The answer is no, as 100% security does not exist! Any security related process or product is vulnerable! Security is about "risk mitigation".
Can the validation systems we have in place today be fooled or circumvented? Yes they can, but is this a reason to abolish them? Of course not! It's rather like saying, because our doors within our homes can be broken, let's remove them completely! It's ridiculous to even suggest this. What we need is even more security processes, products and service to secure ourselves. Removing what little protection we have is, irresponsible, short sighted and wrong!
Low Assurance SSL provides little of any value and this is often reflected in its low price.
The organizations offering Low Assurance SSL should immediately increase the level of validation they perform and work to identify better and stronger forms of entity authentication. Certification authorities should raise the bar, not lower the bar.
An entity obtaining a fully validated High Assurance certificate for use in committing fraud would leave an audit trail. Law Enforcement authorities would have more chance to secure a conviction.
IN SUMMARY
An SSL encrypted session between web browser and the web server provides a secure tunnel, but by default does not provide assurance in the identity of the end entity. Whilst a few high assurance providers continue to offer high assurance validation processes, many more low assurance providers are entering the market offering high speed, low value automated validation procedures. These low assurance products are not appropriate for encryption and do not provide either reliable privacy or trust.
Enterprises have a responsibility to ensure that the use of high assurance SSL certificates provides customers with the identity assurance and confidence to make safe, secure on-line transactions.
No comments yet. Be the first to comment!