SSL
The e-commerce business is all about making money and finding ways to make more money. It is hard to make money when consumers do not feel safe executing a transaction on your web site. This is where security issues arise. E-commerce security, in simple words, means keeping your site and customer data safe: protection from fraud, theft, disruption of service and loss of customer loyalty. For this we need to follow certain basic principles.

Customer Security – Basic Principles

Most companies leave all the security mechanics to their hosting company or IT staff, but it helps to understand the basic principles. Any system has to meet four requirements:

• Privacy: information must be kept from unauthorized parties.
• Integrity: the message must not be altered or tampered with.
• Authentication: sender and recipient must prove their identities to each other.
• Non-repudiation: proof is needed that the message was indeed received.

Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted with a public key and decrypted with a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has that particular key), the encrypted message is encrypted again, this time with the sender's private key. Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt email).

Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step: to allow two parties to agree on a key for symmetric secret-key encryption. Here sender and recipient use keys that are generated for the particular message by a third body, a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. The symmetric keys are then encrypted in the RSA manner, and the rules are set under protocols. Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.

Digital Signature Act (October 1, 2000)

• A contract or agreement in interstate or foreign commerce will not be denied legal effect, validity, or enforceability if the contract or agreement is in electronic form and is signed by an electronic signature.
• The Act permits, but does not require, the use of an electronic signature.
• A legal requirement to furnish a record to a consumer in writing can be satisfied by an electronic record, so long as the consumer consents.
• A legal record retention requirement can be satisfied with electronic records.

Note that the Act covers only foreign and interstate commerce. Therefore, where both parties to a contract are in the same state, the law would not seem to apply. However, most states have enacted their own digital signature laws, which cover intrastate transactions.
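The hybrid arrangement just described (a public-key step to transport a key, then symmetric encryption for the bulk of the data), as an added worked example; this is not code from the original document. It uses RSA-OAEP to wrap a one-time AES-256 key and AES-GCM for the message itself. The recipient's key pair, the order text and the Seal/Open names are constructed for the demonstration, and the session key is generated by the sender rather than by a key distribution center.

```go
package main

// Added example, not from the original document: hybrid encryption.
// RSA-OAEP (public-key) transports a one-time symmetric key; AES-256-GCM
// (symmetric) encrypts the bulk data. Only the holder of the matching
// private key can recover the session key and read the message.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the RSA-wrapped session key, the
// GCM nonce and the ciphertext (which includes GCM's authentication tag).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext for the owner of recipientPub. A fresh 256-bit AES
// key is generated per message, so the slow RSA step only ever covers 32 bytes.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open reverses Seal. It fails if priv is not the recipient's key (OAEP
// unwrapping fails) or if the ciphertext was modified in transit (GCM tag fails).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or corrupted envelope")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// newGCM builds the AEAD used for the bulk data from a raw AES key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the recipient's key pair and a sample order message.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("order 1042: card ending 4242, total 39.90"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(recipient, env)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)

	// Anyone else holding the envelope but not the private key gets nothing.
	eavesdropper, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(eavesdropper, env)
	fmt.Println("another key fails:", err != nil)

	// A modified ciphertext is rejected by the GCM tag check.
	env.Ciphertext[0] ^= 0xff
	_, err = Open(recipient, env)
	fmt.Println("tampered envelope fails:", err != nil)
}
```

The RSA operation covers only the 32-byte session key, which is why it stays affordable however long the message is, and the private key never leaves the recipient, which is the text's point that most lapses come from exposed private keys.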

What is a Digital Signature?

It is a type of asymmetric cryptography used to simulate the security properties of a handwritten signature on paper. Digital signature schemes normally give two algorithms: one for signing, which involves the user's secret or private key, and one for verifying signatures, which involves the user's public key. The output of the signature process is called the "digital signature". A signature provides authentication of a "message". Messages may be anything from electronic mail to a contract. Digital signatures are used to create public key infrastructure (PKI) schemes in which a user's public key is tied to the user by a digital identity certificate issued by a certificate authority. PKI schemes attempt to unbreakably bind user information to a public key, so that public keys can be used as a form of identification. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including the US and the EU, electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear their applicability towards cryptographic digital signatures, leaving their legal importance somewhat unspecified.

Benefits

Authentication

Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.

Integrity

In many scenarios, the sender and receiver of a message may need confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as non-malleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible for most cryptographic hash functions (see collision resistance).

Drawbacks of digital signatures

Despite their usefulness, digital signatures do not alone solve all the problems we might wish them to.

Association of digital signatures and trusted time stamping

Digital signature algorithms and protocols do not inherently provide certainty about the date and time at which the underlying document was signed. The signer might, or might not, have included a time stamp with the signature, or the document itself might have a date mentioned on it, but a later reader cannot be certain the signer did not, for instance, backdate the date or time of the signature. Such misuse can be made impracticable by using trusted time stamping in addition to digital signatures.

Non-repudiation

In a cryptographic context, the word repudiation refers to any act of disclaiming responsibility for a message. A message's recipient may insist the sender attach a signature in order to make later repudiation more difficult, since the recipient can show the signed message to a third party (e.g. a court) to reinforce a claim as to its signatories and integrity. However, loss of control over a user's private key will mean that all digital signatures using that key, and so ostensibly 'from' that user, are suspect. Nonetheless, a user cannot repudiate a signed message without repudiating their signature key. The problem is aggravated when there is no trusted time stamp, so new documents (signed after the key compromise) cannot be separated from old ones, further complicating signature key invalidation. Certificate authorities usually maintain a public repository of public keys, so the user-key association is certified and signatures cannot be repudiated. Expired certificates are normally removed from the directory. It is a matter for the security policy, and the responsibility of the authority, to keep old certificates for a period of time if a non-repudiation of data service is provided.

Additional security precautions

Putting the private key on a smart card

All public key / private key cryptosystems depend entirely on keeping the private key secret. A private key can be stored on a user's computer and protected by, for instance, a local password, but this has two disadvantages:

• the user can only sign documents on that particular computer, and
• the security of the private key completely depends on the security of the computer, which is notoriously unreliable for many PCs and operating systems.

A more secure alternative is to store the private key on a smart card. Many smart cards are deliberately designed to be tamper resistant (however, quite a few designs have been broken, notably by Ross Anderson and his students). In a typical implementation, the hash calculated from the document is sent to the smart card, whose CPU encrypts the hash using the stored private key of the user and returns it. Typically, a user must activate his smart card by entering a personal identification number or PIN code (thus providing two-factor authentication). Note that it can be sensibly arranged (but is not always done) that the private key never leaves the smart card. If the smart card is stolen, the thief will still need the PIN code to generate a digital signature. This reduces the security of the scheme to that of the PIN system, but it is nevertheless more secure than many PCs. A mitigating factor, however, is that private keys, if generated and stored on smart cards, are usually regarded as not easy to copy, and thus often assumed to exist in exactly one copy. Thus, the loss of the smart card may be detected by the owner and the corresponding certificate may (and in fact, should) be immediately revoked. Private keys that are protected by software only may be easier to copy, and such compromises are far more difficult to detect.

Using smart card readers with a separate keyboard

Entering a PIN code to activate the smart card commonly requires a numeric keypad. Some card readers have their own numeric keypad. This is safer than using a card reader integrated into a PC and then entering the PIN using that computer's keyboard. The computer might be running a keystroke logger (by its owner's or operator's intention or otherwise, due to a virus, for instance) so that the PIN code becomes compromised. Specialized card readers are less vulnerable, though not invulnerable, to tampering with their software or hardware. And, of course, eavesdropping attacks against all such equipment are possible.

Other smart card designs

Smart card design is an active field, and there are smart card schemes which are intended to avoid these particular problems, though so far with few security proofs.

Using digital signatures only with trusted applications

One of the main differences between a digital signature and a written signature is that the user does not "see" what he signs. The user application presents a hash code to be encrypted by the digital signing algorithm using the private key. An attacker who gains control of the user's PC can possibly replace the user application with a foreign substitute, in effect replacing the user's own communications with the attacker's. Thus, the malicious application can trick the unwitting user into signing any document by displaying the user's original on screen, but presenting the attacker's own documents (probably less favorable) to the signing application.

To protect against this scenario, an authentication system can be set up between the user application (word processor, email client, etc.) and the signing application. The general idea is to provide some means for both the user app and the signing app to verify each other's integrity. (For example, the signing application may require all requests to come from digitally-signed binaries.)
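The signing and verifying algorithms described above, the property that any change to the message invalidates the signature, and the smart-card arrangement in which the signing side only ever receives a hash, as an added example that is not code from the original document. It hashes with SHA-256 and signs with RSA-PSS; the key pair, the contract text and the function names are constructed for the demonstration. The last check shows why the text asks for an integrity check between the user application and the signing application: the signing side cannot know whether the digest it received came from the document the user was shown.

```go
package main

// Added example, not from the original document: hash-then-sign with RSA-PSS
// over SHA-256, laid out like the smart-card model in the text. The signing
// side (SignDigest) receives only a digest, never the document. Keys, the
// contract text and all function names are constructed for this demonstration.
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDigest plays the signing device: it is handed a SHA-256 digest and
// returns the signature. It cannot tell which document produced the digest.
func SignDigest(priv *rsa.PrivateKey, digest [32]byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// SignDocument plays the user application: it hashes the document the user
// sees and forwards only the digest to the signing device.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return SignDigest(priv, sha256.Sum256(doc))
}

// Verify re-hashes the document and checks the signature with the public key.
// It returns false unless document, signature and key all match.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	contract := []byte("Buyer agrees to pay 100 EUR for item #7.")
	sig, err := SignDocument(signer, contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("authentic and unmodified:", Verify(&signer.PublicKey, contract, sig))

	// Integrity: one changed digit invalidates the signature.
	altered := []byte("Buyer agrees to pay 900 EUR for item #7.")
	fmt.Println("altered document:        ", Verify(&signer.PublicKey, altered, sig))

	// Authentication: the signature does not verify under anyone else's key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("another party's key:     ", Verify(&other.PublicKey, contract, sig))

	// Trusted applications: the device signs whatever digest it is given. If the
	// user application hashed a document other than the one displayed, the
	// signature binds the signer to that other document, which is why the text
	// asks for integrity checks between user application and signing application.
	shown := []byte("Newsletter subscription confirmation")
	sigFromDevice, _ := SignDigest(signer, sha256.Sum256(altered))
	fmt.Println("matches the displayed text:", Verify(&signer.PublicKey, shown, sigFromDevice))
	fmt.Println("matches the hashed text:   ", Verify(&signer.PublicKey, altered, sigFromDevice))
}
```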

Secure Socket Layers

Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error control is attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing errors. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetric secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

What is SSL?

Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security and is likely to remain so into the future. SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and in the case of Mozilla Firefox in the address bar as well). Your browser encrypts the data and sends it to the receiving website using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site builders to do their part.

SSL Certificates

At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt the data as well as to identify the site. The SSL certificate helps to prove the site belongs to who it says it belongs to, and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root and the country it was issued in.

SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been hacked. As such, you definitely should be looking at getting a 128-bit certificate. Though there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to Chad Kinzelberg, VP Security Services at SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

How to Get an SSL Certificate The Wrong Way

There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor. Though, technically speaking, the data may be encrypted, there still is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place.

"The problem is 'how does the rest of the ecosystem know the site is legitimate?'" explained VeriSign's Kinzelberg. "Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses."

"We're making sure that the roads are safe. This is the role of the certificate authorities. Certificate authorities make sure the site is legitimate," he added.

Self-signed certificates will trigger a warning window in most browser configurations that will indicate that the certificate was not recognized. VeriSign's Kinzelberg admits that there are a lot of people that will click through anyway, just like there are a lot of people that will click through an expired SSL certificate as well.

"We, as an industry, want to educate people that that's the kind of thing they should not be doing. It's not safe e-commerce activity," Kinzelberg said.

Trust Stats from VeriSign

• 93 percent of online shoppers surveyed by VeriSign reported that they felt it important for an e-commerce site to include a trust mark of some kind on their site.
• 64 percent have abandoned a shopping cart/basket because they didn't get a sense of security and trust when it came time to provide payment information.
• 75 percent of online shoppers will only make purchases through sites that include a trust mark.

A site that conveys trust is also more likely to be a site that makes (more) money. There is research that suggests that having a recognizable SSL certificate may in fact have a direct correlation to increased e-commerce sales. VeriSign in particular has done some research that shows that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites, have fewer abandoned shopping carts and better repeat purchases.

Joan Lockhart, VP of Marketing at SSL certificate vendor GeoTrust, argues that the price of an SSL certificate, from the least expensive provider to the most expensive provider, is a minuscule cost in the overall scheme of e-commerce. "The margin on a single transaction could pay for the cost of a certificate, so it's not really about ROI," Lockhart said. "It's about conveying trust to your consumers."

Choosing an SSL Certificate Vendor

According to GeoTrust's Lockhart, there are several things that buyers should look for when purchasing a certificate:

• Reputation and credibility of the CA (have they been in business for a while? Do they have lots of customers?)
• Ubiquity of the root (is it embedded in all of the popular browsers?)
• Root is owned by the CA (and not chained to someone else's root)
• Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)
• Ease of acquiring the certificate
• Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)
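What the browser is doing when it shows the "certificate not recognized" warning for a self-signed certificate, or warns about an expired one, as an added example that is not code from the original document or from any of the vendors quoted. The trust store contains one root CA; a certificate issued by that CA verifies, while a self-signed certificate and an expired CA-issued certificate do not. The CA name, the host name shop.example, the key type and all function names are constructed for the demonstration.

```go
package main

// Added example, not from the original document: the check a browser makes
// before showing the padlock. The trust store holds one CA root. A shop
// certificate issued by that CA chains to it; a self-signed one is "not
// recognized"; an expired one fails on its dates. All keys and names below
// are constructed for the demonstration.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name. With parent == nil it is self-signed;
// otherwise the parent's key signs it, as a CA does after vetting the applicant.
func newCert(name string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // browsers match the host against the SAN
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return cert, key
}

// Outcome classifies why a certificate was accepted or refused.
type Outcome string

const (
	Trusted Outcome = "trusted"
	Unknown Outcome = "unknown authority (self-signed, or root not in the trust store)"
	Expired Outcome = "expired"
)

// Check verifies cert for host the way a browser does: validity dates, host
// name, and a chain that ends at a root in the trust store.
func Check(roots *x509.CertPool, cert *x509.Certificate, host string) Outcome {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &unknown):
		return Unknown
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	}
	return Outcome("other failure: " + err.Error())
}

// Scenario builds the trust store and the three shop certificates described above.
func Scenario() (roots *x509.CertPool, issued, selfSigned, expired *x509.Certificate) {
	const host = "shop.example"
	valid := time.Now().Add(24 * time.Hour)
	ca, caKey := newCert("Example Root CA", true, valid, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca) // "ubiquity of the root": the root has to be in the store
	issued, _ = newCert(host, false, valid, ca, caKey)
	selfSigned, _ = newCert(host, false, valid, nil, nil)
	expired, _ = newCert(host, false, time.Now().Add(-time.Minute), ca, caKey)
	return
}

func main() {
	roots, issued, selfSigned, expired := Scenario()
	fmt.Println("CA-issued:  ", Check(roots, issued, "shop.example"))
	fmt.Println("self-signed:", Check(roots, selfSigned, "shop.example"))
	fmt.Println("expired:    ", Check(roots, expired, "shop.example"))
}
```

Running Check against an empty trust store refuses even the CA-issued certificate, which is the practical meaning of the "ubiquity of the root" item in the checklist above: a root that is not in the user's browser produces the same warning as a self-signed certificate.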

Conclusion

You are who you say you are. You have nothing to hide and you are running a legitimate e-commerce business that you want consumers to feel comfortable doing business with and trust. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.

PCI, SET, Firewalls and Kerberos

Credit card details can be safely sent with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and the accompanying network. A PCI (peripheral component interconnect: hardware) card is therefore often added for protection, or another approach altogether is adopted: SET (Secure Electronic Transaction). Developed by Visa and Mastercard, SET uses PKI for privacy, and digital certificates to authenticate the three parties: merchant, customer and bank. More importantly, sensitive information is not seen by the merchant, and is not kept on the merchant's server. Firewalls (software or hardware) protect a server, a network and an individual PC from attack by viruses and hackers. Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret-key cryptography to restrict access to authorized employees.

Transactions

Sensitive information has to be protected through at least three transactions:

• credit card details supplied by the customer, either to the merchant or to the payment gateway. Handled by the server's SSL and the merchant's/server's digital certificates.
• credit card details passed to the bank for processing. Handled by the complex security measures of the payment gateway.
• order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL, server security, digital certificates (and sometimes the payment gateway).

Practical Consequences

1. The merchant is always responsible for the security of the Internet-connected PC where customer details are handled. Virus protection and a firewall are the minimum requirement. To be absolutely safe, store sensitive information and customer details on zip disks, a physically separate PC or with a commercial file storage service. Always keep multiple backups of essential information, and ensure they are stored safely offsite.

2. Where customers order by email, information should be encrypted with PGP or similar software. Or payment should be made by specially encrypted checks and ordering software.

3. Where credit cards are taken online and processed later, it's the merchant's responsibility to check the security of the hosting company's webserver. Use a reputable company and demand detailed replies to your queries.

4. Where credit cards are taken online and processed in real time, four situations arise:

   1. You use a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security. Other customer and order details are your responsibility as in 3. above.

   2. You possess an e-commerce merchant account but use the digital certificate supplied by the hosting company. A cheap option acceptable for smallish transactions with SMEs. Check out the hosting company, and the terms and conditions applying to the digital certificate.

   3. You possess an e-commerce merchant account and obtain your own digital certificate (costing some hundreds of dollars). Check out the hosting company, and enter into a dialogue with the certification authority: they will certainly probe your credentials.

   4. You possess a merchant account, and run the business from your own server. You need trained IT staff to maintain all aspects of security — firewalls, Kerberos, SSL, and a digital certificate for the server (costing thousands or tens of thousands of dollars).

Security is a vexing, costly and complicated business, but a single lapse can be expensive in lost funds, records and reputation. Don't wait for disaster to strike, but stay proactive, employing a security expert where necessary.

Protecting Yourself

Our security theory and resources pages deal with theoretical matters, but here we provide some practical suggestions for keeping data safe, and for not infringing the rules or law relating to tax, search engines and other traders. This page can only be an overview, a checklist of measures that unfortunately need to be implemented. Large companies can leave security matters to their IT division, but the entrepreneur and smaller trader should at least adopt those shown with * below. The complementary resources page lists sites providing advice, news and software: a few hours spent there will ensure safer operations and more peace of mind. You can scare yourself witless by reading the horror stories, but all that's needed by the average trader is a little forethought, some inexpensive software, mandatory routines and a plan to meet eventualities. Suppose a spyware program steals your passwords, or customers are bombarded with third-party credit card details? The office burns down, or your hosting company suddenly goes out of business? However rarely, all these things do happen. Draw up a contingency plan, circulate it, make sure it really works and that staff know what to do.

Office Security

The following are obvious but can be overlooked:

• use hard-to-guess passwords, restrict access to them, and don't leave them in desk drawers or on PCs.
• ensure backups are made regularly, in sequence, and are intelligently labeled.
• check backups regularly, i.e. ensure that restores from backups are sound.*
• keep paper copies, and in a safe place.
• store copies of all essential information, preferably encrypted and off-site, in:
  o zip disks, CDs, removable hard disks, etc.
  o online storage facilities.*
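For the "ensure that restores from backups are sound" item, an added example (not part of the original page) of the check a restore test can make: a SHA-256 manifest is recorded when the backup is taken, and after a test restore every file is re-hashed against it, so missing, altered and unexpected files are reported. File names and contents are constructed for the demonstration; the function names are this example's own.

```go
package main

// Added example, not from the original document: verifying a test restore
// against a manifest of SHA-256 digests taken at backup time.
import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a file path to the hex SHA-256 of its contents.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest records a digest for every file in the backup set.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for path, data := range files {
		m[path] = digest(data)
	}
	return m
}

// VerifyRestore compares a restored file set against the manifest and returns
// one line per problem, sorted, or an empty slice if the restore is sound.
func VerifyRestore(m Manifest, restored map[string][]byte) []string {
	var problems []string
	for path, want := range m {
		data, ok := restored[path]
		switch {
		case !ok:
			problems = append(problems, "missing: "+path)
		case digest(data) != want:
			problems = append(problems, "modified: "+path)
		}
	}
	for path := range restored {
		if _, ok := m[path]; !ok {
			problems = append(problems, "unexpected: "+path)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	// Constructed backup set, and a restore with one corrupted, one missing and
	// one stray file.
	backup := map[string][]byte{
		"orders/2009-03.csv":  []byte("id,total\n1042,39.90\n"),
		"customers.db":        []byte("binary-ish content"),
		"config/settings.ini": []byte("tax=19\n"),
	}
	m := BuildManifest(backup)
	restored := map[string][]byte{
		"orders/2009-03.csv": []byte("id,total\n1042,39.90\n"),
		"customers.db":       []byte("binary-ish contenT"), // one byte differs
		"stray.tmp":          []byte("left over"),
	}
	problems := VerifyRestore(m, restored)
	fmt.Println("restore sound:", len(problems) == 0)
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Keep the manifest with the backup label rather than inside the backup set, so a restore that silently drops or alters files is caught by the comparison rather than by a later outage.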

Protection from Viruses

Do the following:

• consider using alternative browser(s).
• get the appropriate virus protection software, and keep it up to date.*
• install a decent firewall.*
• set passwords properly on networks (IT manager's job).

Protection from Spyware

Many computers are infected by spyware of some sort. Most are 'harmless', but an increasing number cross over into viruses that will steal and transmit confidential information, even memorizing the keystrokes of passwords. You need to:

• avoid keeping confidential information on any machine connected to the Internet.*
• run spyware removal software.*
• encrypt confidential information.*
• consider purchasing a special guide to spyware.
• visit security sites for information on the latest threats.

Protection from Hackers

Hackers break into computer systems, sometimes to prove themselves, sometimes with malicious intent. You need to:

• install a firewall.*
• ensure sensitive information is encrypted.*
• maintain proper security (restrict access with passwords) in the office.

Protection from Fraud

You don't have to accept every order, or not immediately. Escrow services are widely available. Trade associations and other institutions provide useful information and support. Payment service providers have levels of security. Your own order page can ask for further details, and its country drop-down list can be amended to exclude the worst offenders.* Affiliate businesses need to be especially careful, in these ways:

• prevent competitors stealing their affiliate links by using inexpensive software for the purpose.*
• prevent bogus click-throughs by competitors who do not purchase but aim to bankrupt you with the pay-per-click search engines.
• guard against impression fraud by competitors aiming to lower your click-through rates and so disqualify your ads with Google.
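The kind of check click auditing software performs over a click log, as an added example that is not code from the original page or from any product it mentions. It parses a constructed log of clicks and purchases, aggregates them per source address, and flags sources that produce many paid clicks without a single purchase, or bursts of clicks inside a short window. The log format, the thresholds and the addresses (taken from documentation ranges) are assumptions made for the demonstration.

```go
package main

// Added example, not from the original document: a small click audit over a
// constructed log. Sources with many clicks and no purchase, or with a burst of
// clicks in a short window, are the patterns the text calls bogus click-throughs.
import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log, one event per line:
// "<RFC3339 time> <source IP> <campaign> <click|purchase>".
const sampleLog = `2009-03-02T10:00:01Z 203.0.113.7 spring-sale click
2009-03-02T10:00:04Z 203.0.113.7 spring-sale click
2009-03-02T10:00:06Z 203.0.113.7 spring-sale click
2009-03-02T10:00:09Z 203.0.113.7 spring-sale click
2009-03-02T10:00:11Z 203.0.113.7 spring-sale click
2009-03-02T10:05:00Z 198.51.100.4 spring-sale click
2009-03-02T10:07:30Z 198.51.100.4 spring-sale purchase
2009-03-02T11:00:00Z 192.0.2.9 spring-sale click
2009-03-02T12:30:00Z 192.0.2.9 spring-sale click
2009-03-02T14:00:00Z 192.0.2.9 spring-sale click`

type Event struct {
	At       time.Time
	Source   string
	Campaign string
	Kind     string
}

// ParseLog parses lines in the format above, skipping blank or malformed ones.
func ParseLog(raw string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events = append(events, Event{At: at, Source: f[1], Campaign: f[2], Kind: f[3]})
	}
	return events
}

type Finding struct {
	Source string
	Reason string
}

// Audit flags a source that produced at least maxClicks clicks without any
// purchase, and a source with maxBurst or more clicks inside window.
func Audit(events []Event, maxClicks, maxBurst int, window time.Duration) []Finding {
	clicks := map[string][]time.Time{}
	purchases := map[string]int{}
	for _, e := range events {
		switch e.Kind {
		case "click":
			clicks[e.Source] = append(clicks[e.Source], e.At)
		case "purchase":
			purchases[e.Source]++
		}
	}
	var findings []Finding
	for src, times := range clicks {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		if len(times) >= maxClicks && purchases[src] == 0 {
			findings = append(findings, Finding{src, fmt.Sprintf("%d clicks, no purchase", len(times))})
		}
		// Sliding window: from each click, count the clicks that follow within window.
		for i := range times {
			j := i
			for j < len(times) && times[j].Sub(times[i]) <= window {
				j++
			}
			if j-i >= maxBurst {
				findings = append(findings, Finding{src, fmt.Sprintf("%d clicks within %s", j-i, window)})
				break
			}
		}
	}
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].Source < findings[j].Source })
	return findings
}

func main() {
	for _, f := range Audit(ParseLog(sampleLog), 3, 5, time.Minute) {
		fmt.Printf("%-14s %s\n", f.Source, f.Reason)
	}
}
```

A flagged source is a candidate for review and for a refund claim with the pay-per-click provider, not proof of fraud on its own; the purchasing address with a single click is left alone.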

The last two scams are often outsourced to low-wage outlets and/or employ special software. You'll need to track your clicks with special click auditing software (sometimes included in bid management software), or ensure that the company that runs your pay-per-click campaigns does so.

Webservers

Webserver security is highly technical, as you'll appreciate by reading the articles listed on the resources page. Obvious things to check or ask about:

• the financial standing of the hosting company, and how long they have been in business.*
• guaranteed uptime.*
• security protocols to cope with denial-of-service and hacker attacks.*
• regularity of backups: do they include user logs, product databases, order tracking logs, server-side scripts, etc.?*
• the whois database (www.whois.net), to ensure that you and not the hosting company remain the administrative and technical contact for your domain and — most critically — the registrant of the domain.*
• backup support: ring them at 3 a.m. on Sunday morning if they claim 24/7 telephone support.*
• complaints procedure: you don't want your site dumped because of an unwarranted complaint from a competitor.*
• other sites being hosted with them (ask for webmasters to contact). Also check: association with spam or porn sites won't help your business.*
• the business address of the server (whois). Find the path to the server with a tracing program: with a reseller you'll find some other ISP's server.*
• visit forums to see what webmasters really think about hosting companies.*
• scrutinize the contract (and employ a business lawyer to check copyright, complaints, fees and service renewal / discontinuation matters).*

And:

• host alternative company domains with another company: you can then switch painlessly if the first goes out of business or suffers a prolonged denial of service.*
• check your webmaster is implementing proper routines, including the updating of passwords regularly.*

Webpage Content

You are responsible for the content of your webpages, which means ensuring:

• nothing is libelous or could be construed so.*
• material does not infringe copyright.*
• links don't damage the interests of sites linked to (deep-linking may).*
• pages don't fall foul of search engine and directory requirements.*

America is a litigious society. Play safe, and even consider cloaking techniques to prevent information being extracted from pages and made the basis of frivolous lawsuits. (But only use cloaking if you know what you're doing: search engines will drop a site if they suspect the device is being used improperly.)

Customer Data

You are always responsible for customer information: an onerous task if it includes credit card and/or bank details. Use secure webforms that automatically transfer and store customer information safely on a third-party secure site.* Encrypt it.* Keep it off Internet-connected machines.* Make several copies and store them safely off-site.* Seventy percent of companies that lose their customer data go out of business within the year.

Legal Matters

Your company is bound by the laws and regulations of the state or country in which you are incorporated. Check that you understand the basics, and have experts to consult if and when needed. Be especially careful of material that could offend the authorities or religious groups abroad, be considered inflammatory, or supportive of outlawed or terrorist groups — i.e. keep your social and political aspirations for another site and another name.

Tax

You'll have to pay tax somewhere on earnings, and matters have become further complicated by the global nature of e-commerce. VAT is a nightmare, particularly in Europe. Your accountant will advise, but always keep proper records,* and visit the sites we list for local information.*


				