Indian Institute of Information Technology - Allahabad
technova - Article 1
Alumni of IIIT-A (B.Tech IT, 2005)
Master of Information System Management
Carnegie Mellon University, Pittsburgh, US
A “secure” website is one that uses encryption and authentication standards to protect the confidentiality of information sent during Web transactions. Encryption scrambles the data such that only the client computer and the Web server involved in the transaction can decipher the personal or confidential information. The most common protocol used for securing web sites is Secure Sockets Layer (SSL). When we connect to a Web site using SSL, our Web browser confirms the identity of the server, or authenticates it, using a digital certificate.
Most Web browsers are configured by default to use SSL for secure sites and to warn us when we enter or leave a site using SSL. Most browsers also display a security icon, usually a small locked yellow padlock, when we are on a secure website. Also, the URL of a secure website starts with https:// instead of just http://.
For transmitting confidential information such as passwords, credit card details etc, secure websites should be used. The Internet presents various trust issues, which must be addressed by businesses to minimize risk. Consumers submit information and purchase goods or services on the Internet only when they are confident that their personal information, such as credit card numbers and financial data, is secure.
"High Assurance" certificate authorities (CAs) (like VeriSign, Comodo) perform authentication for us with due diligence, and put their name in the SSL certificates which they sign. Until recently, all server (SSL) certificates issued by public certification authorities (CAs) were high assurance certificates only - issued to organizations after a subscriber authentication process that included verification of the organization’s existence, the organization’s right to use the domain name included in the certificate, and the authority of the requestor to obtain a certificate on behalf of the organization. Such certificates offer all 3 security services –
Confidentiality – information provided by the Internet user cannot be intercepted in transit.
Authentication – verifies that the Internet user is actually at the company’s web site and not at an impostor’s site.
Integrity – information being transferred cannot be altered without detection.
This is not done by "Low Assurance" CAs which issue SSL certificates (at lower cost and rapid order fulfillment) without authenticating the subscriber, thus providing only 2 security services – confidentiality and integrity. This conflicts with the generally accepted industry practices and serves as a source of confusion for Internet users. The purpose of encryption is to make sure that only the intended recipient receives the encrypted information in intelligible form. If we don’t know who the intended recipient is (authentication), encryption is useless.
Using current browser technology, it is difficult to distinguish between higher and lower assurance server certificates. As long as the SSL certificate is linked to a trusted Root CA and the common name in the certificate matches the domain name of the visited web site, the browser will not generate an alert and the consumer will generally trust the certificate. Browsers are generally not configured to check certificate status by default. Thus, it is very difficult for an Internet user to distinguish between a valid SSL certificate and a revoked one.
Thus, without a pre-existing trust relationship, consumers have no trusted method available to verify the ownership of a web site and therefore are completely reliant upon the entity authentication processes performed by Certification Authorities. If no authentication process is performed then this forces consumers to gamble with privacy and confidentiality. Users can no longer rely on the yellow padlock, but need to understand the contents of SSL certificate to distinguish between varying levels of assurance.
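As an added illustration (not part of the original article), the following Python models the two checks described above that a browser performs before showing the padlock, alongside the revocation check and the reading of the certificate's subject fields that the article says are left to the user. All certificate contents, issuer names and serial numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed trust store and revocation list (not real CAs or serials).
TRUSTED_ROOTS: Set[str] = {"Example Root CA"}
REVOKED_SERIALS: Set[str] = {"1f3a"}

@dataclass
class Cert:
    """Simplified certificate: only the fields the checks below read."""
    subject_cn: str
    issuer: str
    serial: str
    org: Optional[str] = None   # O= field, filled only after vetting the subscriber
    san: List[str] = field(default_factory=list)

def hostname_matches(host: str, cert: Cert) -> bool:
    """Name check: SAN entries if present, otherwise the common name."""
    host = host.lower()
    for pattern in (cert.san or [cert.subject_cn]):
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # A wildcard covers exactly one DNS label.
            if host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

def chains_to_trusted_root(cert: Cert) -> bool:
    return cert.issuer in TRUSTED_ROOTS   # chain collapsed to one hop

def padlock_shown(host: str, cert: Cert) -> bool:
    """The two checks the article says browsers run by default."""
    return chains_to_trusted_root(cert) and hostname_matches(host, cert)

def is_revoked(cert: Cert) -> bool:
    """Status check browsers did not run by default; the padlock ignores it."""
    return cert.serial in REVOKED_SERIALS

def assurance_level(cert: Cert) -> str:
    """Read the certificate contents rather than trusting the padlock."""
    return "high (organization vetted)" if cert.org else "low (domain only)"

# Constructed samples: same domain name, same trusted issuer.
HIGH = Cert("www.example.com", "Example Root CA", "0a01", org="Example Corp")
LOW = Cert("www.example.com", "Example Root CA", "0b02")
REVOKED = Cert("*.example.com", "Example Root CA", "1f3a", org="Example Corp")
```

Both HIGH and LOW pass the default browser checks for www.example.com, so only reading the subject's O= field separates them, and REVOKED also shows the padlock unless the status check is actually run.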
Secure Websites: Are they really secure?