The Analyst's Couch

Unbound Opinions from Industry Observers

A False Sense of Online Security

By Terry Bernstein

Joe, an avid Internet surfer, decides to buy flowers for his wife on the Internet. This is the first time he has bought flowers electronically, so he surfs awhile before finding a nice-looking flower-shop Web site. He selects his gift and pays by credit card. Joe feels pretty safe, because the site is protected using encryption, through the Secure Sockets Layer (SSL) protocol. Unbeknownst to Joe however, the site is a fake--his credit card number has just been stolen, and his wife will never receive the flowers Joe believes he just ordered.

What's going on here? Aren't encryption and certificates the answer to the Internet security problem? Unfortunately, they are just a piece of the puzzle--and perhaps a misleading piece at that. As Joe found out the hard way, there is more to security than just raw technology. The proper institutions and procedures must be in place for the total system to be secure.

Let's back up a second, and review encryption and certificate technology as they are currently implemented on the World Wide Web. Each secure site is required to obtain a site certificate that identifies the uniform resource locator (URL) of the site and provides a verification of the site's public key. The certificate lets users at the other end of the connection know to whom they are talking. Using the secure site's public key as a starting point, the Web browser and server choose a secret key to encrypt all subsequent traffic. When the system works, the transmitted data is secure from unwanted eyes, and the user has a reasonable chance of getting to the correct party on the other end.

The problem that Joe ran into is that a valid certificate by itself does not guarantee anything. In addition to his browser accepting the site's certificate, Joe needs to know something about how that site received its certificate in the first place. It's entirely possible that the site received its certificate simply by sending e-mail to one of the new certificate authorities springing up on the Internet. On the other hand, the site's owners may have had to go to great lengths to prove their identity to the certificate issuer. The point is that Joe doesn't know which was the case, and the current versions of popular Web browsers don't help him.

Of the two most popular browsers, one doesn't provide any information at all about a given site's certificate. The other browser tells you who issued the certificate and how long it is good for. It does not provide any information about how the certificate was issued, but at least interested users would have a starting point toward finding this out on their own.

Certifying the Certificate

To conduct any type of transaction, whether electronic or in person, there must be a certain amount of trust between the two parties. In the physical world, you often present a valid driver's license to prove your identity. If you tried to present your health club membership card instead, the other person would probably laugh at you. The difference is that we believe the Department of Motor Vehicles had a relatively secure process for establishing identity, while the health club is assumed to have less rigorous methods. In the electronic world, we have been led to believe that a valid certificate that causes a key to pop up in the corner of our browser should convey trust. In reality, you must also understand what went on behind the scenes for the site to obtain that certificate before you can really have a feeling for how much trust you should place in that site.

The solution to this problem is twofold. First, users, especially corporate users, must be educated about the real significance of certificates. Second, there must be an easy way to determine exactly how a certificate was issued. Ideally, the user could view the certificate issuing policy in a simplified form directly from the browser. On the positive side, VeriSign, a major issuer of certificates based in Mountain View, CA, has recently published a detailed explanation of its policies and procedures. This is good practice, but the average user will never set foot in the VeriSign Web site.
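To make the column's point concrete, here is an added example in Go (not code from the column or from any browser vendor) that issues a constructed two-certificate chain and then reports what a browser ought to surface: who issued the certificate, how long it is good for, the policy OIDs from the Certificate Policies extension (the hook under which a certificate authority references its issuing practice), and whether the certificate chains to a root the user actually chose to trust for that hostname. The issuer name, hostname and policy OID are placeholders, and `newCert` and `summarize` are names chosen for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Summary is what a user needs before trusting a site: issuer, expiry, the issuing
// policies the CA asserts, and whether the chain reaches a root we chose to trust.
type Summary struct{ Issuer string; NotAfter time.Time; Policies []asn1.ObjectIdentifier; Trusted bool }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a constructed certificate named cn that carries policy: a self-signed
// root when parent is nil, otherwise a server certificate for hostname cn signed by parent.
func newCert(cn string, policy asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	policies := must(asn1.Marshal([]struct{ P asn1.ObjectIdentifier }{{policy}})) // RFC 5280 PolicyInformation, no qualifiers
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(720 * time.Hour), BasicConstraintsValid: true,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}}, // id-ce-certificatePolicies
	}
	if parent == nil { // root: may sign other certificates, and signs itself here
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // server certificate, bound to its hostname through a SAN entry
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// summarize reads the fields a browser should surface and verifies the chain for host against
// an explicit root pool, so a well-formed certificate from an issuer we never vetted is rejected.
func summarize(leaf *x509.Certificate, host string, roots *x509.CertPool) Summary {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Summary{leaf.Issuer.CommonName, leaf.NotAfter, leaf.PolicyIdentifiers, err == nil}
}
```

Passing `x509.NewCertPool()` instead of a pool holding the root makes `Trusted` come back false even though the certificate parses and its signature is valid, which is exactly the gap between "the browser accepted a certificate" and "I know who vouched for this site".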

The certificate problem is just one among many organizational, educational and political issues that must be dealt with before the Internet is ready for large-scale electronic commerce. The technical challenges are relatively easy to solve; it's the other things that are likely to hold up the process. I'm confident that eventually the Internet will become the major commercial zone envisioned by many, but it won't happen as quickly or as easily as some technologists hope.

Terry Bernstein is a consultant in the information technologies practice at SRI International in Menlo Park, CA.

Did something in this column press one of your hot buttons? Then let us hear what you think by sending a response to pubs@uniforum.org. We'll consider it for publication in "Letters to the Editor."