|
By Philip Hallam-Baker, Principal Scientist, VeriSign Phillip Hallam-Baker has contributed to the design of many Web security protocols including HTTP and HTTP Digest Authentication, XKMS, SAML, WS-Security and OATH. His current research focus is preventing Internet Crime. He holds degrees from Southampton University and Oxford University and has held research appointments at DESY, CERN and MIT. It is no longer difficult to persuade people that professional Internet crime is a serious problem. The days are long since past when the main concern of companies doing business on the Web was the risk of having their site vandalized. Today the concerns are how to stop criminals using stolen credit card numbers, how to stop extortion rackets, and how to convince customers that they are safe online when they truly are safe. There are many forms of Internet crime but none that is genuinely unique to the Internet. Al Capone made money of protection rackets long before Denial of Service extortion rackets appeared on the Internet. Criminals were stealing and using credit card numbers long before the term ‘phishing’ was known. The advance fee frauds we now know as the Nigerian letter were known as the ‘Spanish Prisoner’ during the Spanish civil war and have a much longer history going back to Medieval times. Accountability Accountability is the glue that holds social systems together. When the Internet was small, the accountability infrastructure was highly visible and effective: an Internet user who acted with malice risked losing access to the Internet altogether. As the Internet grew from thousands of users to a billion, the accountability infrastructure snapped. In order to stop Internet crime, we have to fix it. The most visible consequence of the need for improved accountability in the Internet infrastructure is spam: As originally conceived, any Internet user may pester any other Internet user with any volume of email they choose. There was no limit to the amount of email a person (or company) might send and no real consequences for doing so. Modern spam reduction tools such as SenderID/SPF and DKIM are designed to inject the necessary accountability into the email infrastructure. Senders accept responsibility for the email they send by authenticating it. Receivers (or rather their spam filters) know that senders who accept accountability for the email they send are much less likely to be spammers than those who do not. Changing the face of the Web When VeriSign introduced the first SSL Certificate in 1995, the objective was to provide a simple means for the certificate holder to demonstrate accountability by proving that they had presented verifiable proof that a legitimate business existed with the specified subject name and that the applicant was authorized to request the certificate on behalf of that business. Consumers who looked for the padlock icon and verified that the certificate was issued by VeriSign, had some assurance that the certificate subject could be held accountable in the same way that a brick-and-mortar business could be held accountable in civil or criminal court in the case of a dispute. VeriSign class 3 certificates provide the same level of trust today as they did then, but it is in practice somewhat difficult for the consumer to distinguish a certificate issued by VeriSign through a process designed to help ensure accountability of the certificate subject and a certificate issued according to practices that only require the domain name to be checked. Extended Validation (EV) remedies this situation in three ways. First issue of EV certificates requires audited compliance with the requirements of the CA/Browser forum. Second, IE 7, Firefox 3 and other browsers provide a new, considerably more visible indication that an EV certificate is being used. Third, and most importantly, the certificate issuer name is presented to the end user, thus allowing for the first time that certificate issuers can be held effectively accountable if they gain a reputation for negligently issuing EV certificates to criminals or for failing to revoke them promptly when they should. A Gradual Process When I first used the Web in 1992, it had a hundred users. Today the number of users is over a billion. Changing the Web today is a much harder challenge than in 1992. Changing the Web requires much more than an action by a single vendor or standards body. Deployment of security infrastructure poses a particular difficulty: Security is never the first priority; it is always subordinate to another objective. In order to achieve deployment of Internet security infrastructure we must take much more care to understand the dynamics of protocol deployment and design accordingly. This approach, design for deployment is a principle topic in my book, the dotCrime Manifesto: How to Stop Internet Crime (2008, Pearson Education), which covers the topic of Internet accountability in great detail. The Accountable Web Internet users demand, and have a right to demand that they know that the businesses that they might choose to do business with online are trustworthy, can be held accountable in case of a default and in the case of a business with an established reputation, that they are doing business with the party they expect. Businesses, likewise, have the right to be able to effectively and conveniently authenticate their customers when they return to their Web site to do business. OpenID in particular and the ‘Identity 2.0’ movement in general are working to bridge this gap. One of the most frequent complaints of Internet users today is the need to remember a different username and password for every Web site they might visit (For more information about OpenID, see “OpenID: Rx for Password Fatigue”). Strong authentication is not incompatible with pseudonymity. Let Web users continue to construct whatever Web identity they choose to, provided that everyone who relies on an identity knows what they are getting and that nobody can use an identity that belongs to someone else. A Comprehensive Approach The truth is fortunately rather different. While the criminals will continue to react as new security measures are deployed, they have much less ability to react to strategic security measures that make the Internet a less permissive environment for crime than they do to tactical measures where the immediate objective is simply to make one particular target less attractive. When the first generation of car burglar alarms appeared the devices were remarkably effective despite the fact that they were easily defeated by the professional criminal: stealing an unprotected car was easier and presented less risk of being caught. Owners buy burglar alarms to prevent their car being stolen, not to reduce the rate of vehicle theft. Burglar alarms became standard equipment on new cars as a result of insurers adjusting premiums according to vehicle theft rates and government pressure. Manufacturer fitted burglar alarms have to be better than first generation devices because they cannot rely on the crime displacement effect. This change has been credited with a real reduction in opportunist theft. Electronic crime can diminish even more rapidly than it grew when the right technological measures are deployed. For example, in the mid 1990s satellite television piracy was a major business in Europe and North America, estimated to have cost $6.5 billion at its peak in 2002. Due to a combination of law enforcement action and robust technical measures, piracy has virtually disappeared from these markets. In short, retaking the Internet from the criminals comes down to a simple calculus: authentication enables accountability, and accountability is the foundation for trust. For more information on the topic of accountability for the Internet, see Philip Hallam-Baker’s book entitled the dotCrime Manifesto: How to Stop Internet Crime (2008, Pearson Education) and his Blog, The Accountable Web |
Contact Us
Stay connected >> |
Worldwide Sites
