Extended validation SSL
March 2007
Tim Moses (chair, CA / Browser Forum)


© Copyright Entrust, Inc.

Overview
- Browser security
- Site authentication
- The history of SSL
- Extended validation in the browser
- Extended validation certificates
- Not a silver bullet

There’s a problem with the Web
Gartner reports …
- From mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft
  – an increase of more than 50 percent from the estimated 9.9 million in 2003
- The average loss of funds in a case of identity theft was $3,257 in 2006
  – up from $1,408 in 2005
- An average of 61 percent of funds were recovered in 2006
  – down from 87 percent in 2005

New Phishing Sites
(chart: Morgan Keegan/UBS, Jul 2006)

Web vulnerabilities
- Malicious code
- HTTP proxy caching
- Cross-site scripting
- Man-in-the-middle
- Site impersonation
- ISP eavesdropping
- DNS caching
- Local area eavesdropping

First-party accreditation
- Self-signed SSL certificate
  – Trust dialog
  – Help-desk calls
- Security toolbar

Browser toolbars
(screenshots)

Third-party accreditation
- SSL certificates

The early years (mid 90s)
- Threats to the Web
  – Site defacement
  – ISP eavesdropping
- Netscape developed SSL
- Simple trust indicators
  – “Look for the golden key or padlock to check that you are safe”
- Computer-literate users
- URL that reflects the name of the organization
- Common issuing practices
  – VeriSign Class 3
- Although …
  – There were no strict criteria for the use and management of roots in browsers

Mid-life (2000 – 2001)
- ABA [1] developed PKI Assessment Guidelines
- Audit profession recognized a need for criteria
  – AICPA [2] & CICA [3] audit criteria “WebTrust for CAs”
  – Similar standard in Europe: ETSI [4] TS
- Adopted by Microsoft as a requirement for including roots in Windows
  – Other browser suppliers followed Microsoft’s lead
- But …
  – There were serious omissions
  – They do not specify what identifying information has to be included in a certificate
  – Or how to validate that that information is correct
  – Users are supposed to review the CPS

[1] American Bar Association
[2] American Institute of Certified Public Accountants
[3] Canadian Institute of Chartered Accountants
[4] European Telecommunications Standards Institute

The SSL certificate marketplace
(chart: CAs plotted by rigour (= cost, delay, inconvenience) against price; GoDaddy, GeoTrust, VeriSign, Entrust shown; other CAs: Comodo, CyberTrust, DigiCert, Ipsca, Notaris, QuoVadis, Trustis, XRamp)
- All certificates cause the lock to display
  – Domain-validated certificates
  – Organizationally-validated certificates

Trust indicators
- Yellow address bar
- Golden padlock

Evidence of a problem
- Domain-validated SSL certificates have been issued to phishing sites
- User confusion
  – Does the golden padlock mean I’m secure?
  – Does SSL provide authentication or just confidentiality?

CA / Browser Forum (2005)
- Major CAs and browser suppliers got together
- Formed the CA / Browser Forum
- Objective – improve trustworthiness of the Web
- Project to develop certificate issuance guidelines for new browser trust indicators
- Microsoft has adopted an interim draft of the CABForum guidelines as the criteria for inclusion in their root embedding program

IE7 Phishing filter and EV SSL
(address-bar states shown: Phishing, Suspected phishing, HTTP, HTTPS, EV)

IE7 UI details
- Green address bar
- Golden padlock
- Assumed name, registered name and country alternating with the issuer’s name

Opera 9
(screenshot)

The SSL marketplace – after EV (two points of view)
(chart; labels: Very high threshold, Moderate threshold, Conventional SSL, EV SSL)

EV certificate
- Identified by …
  – Particular certificate policy identifier
- Verified contents …
  – Registered name, e.g. ACE Aviation Holdings Inc
  – Assumed name, e.g. Air Canada
  – Domain name
  – Place of business address
  – Jurisdiction of incorporation
  – Registration number
- Note: the CA must also retain verified name and contact details for the applicant
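The two slides above (IE7 UI details and EV certificate) describe what the browser does with an EV certificate once the chain has validated: it recognises EV by a particular policy identifier and then shows the verified identity in the address bar. The following Python is an added example, not code from the deck or from Entrust, that models that browser-side decision. It goes one step beyond the slides in two ways: the policy OID is honoured only in combination with the root the chain reached (a browser keeps a per-root EV OID table, so the same OID under an unrelated root earns nothing), and, as an assumption of this example rather than documented browser behaviour, a certificate flagged EV but missing any of the verified identity fields falls back to the ordinary padlock. Root names, policy OIDs, the domain, address and registration number are constructed placeholders; the ACE Aviation Holdings Inc / Air Canada names are the slide's own example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subject fields the slide lists as verified contents of an EV certificate.
# The assumed name (e.g. "Air Canada") is optional; the others must be present.
REQUIRED_EV_SUBJECT_FIELDS = (
    "registered_name",
    "domain_name",
    "place_of_business",
    "jurisdiction_of_incorporation",
    "registration_number",
)

# Constructed stand-in for the browser's built-in table pairing each trusted
# root with the policy OID under which that CA issues EV certificates.
# The OIDs below are placeholders, not any real CA's policy identifier.
EV_POLICY_BY_ROOT: Dict[str, str] = {
    "Example Root CA": "1.3.6.1.4.1.99999.1.1",
    "Other Example Root": "1.3.6.1.4.1.99999.2.1",
}


@dataclass
class Certificate:
    """The parts of an already chain-validated leaf certificate used here."""
    issuer_name: str                                     # CA name shown in the bar
    chains_to_root: str                                  # root the chain reached
    policy_oids: List[str] = field(default_factory=list)  # certificatePolicies
    subject: Dict[str, str] = field(default_factory=dict)
    country: str = ""


def is_extended_validation(cert: Certificate, ev_table=EV_POLICY_BY_ROOT) -> bool:
    """EV is a property of the (root, policy OID) pair, not of the OID alone."""
    expected_oid = ev_table.get(cert.chains_to_root)
    if expected_oid is None or expected_oid not in cert.policy_oids:
        return False
    # Assumption of this example: an EV-flagged certificate lacking any of the
    # verified identity fields must not earn the green bar.
    return all(cert.subject.get(f) for f in REQUIRED_EV_SUBJECT_FIELDS)


def trust_indicator(cert: Optional[Certificate]) -> str:
    """Map the connection state to the IE7-style indicator from the slides."""
    if cert is None:
        return "none"          # plain HTTP: no padlock at all
    if is_extended_validation(cert):
        return "green-bar"     # EV SSL: green address bar plus padlock
    return "padlock"           # conventional (DV or OV) SSL: padlock only


def address_bar_labels(cert: Certificate) -> List[str]:
    """Strings IE7 alternates in the green bar: assumed name, then registered
    name and country, then the issuer. Empty for a non-EV certificate."""
    if not is_extended_validation(cert):
        return []
    labels: List[str] = []
    assumed = cert.subject.get("assumed_name")
    if assumed:
        labels.append(assumed)
    labels.append(f"{cert.subject['registered_name']} [{cert.country}]")
    labels.append(f"Identified by {cert.issuer_name}")
    return labels


# Constructed sample certificates (no real certificate was parsed).
EV_CERT = Certificate(
    issuer_name="Example CA",
    chains_to_root="Example Root CA",
    policy_oids=["1.3.6.1.4.1.99999.1.1"],
    subject={
        "registered_name": "ACE Aviation Holdings Inc",   # from the slide
        "assumed_name": "Air Canada",                     # from the slide
        "domain_name": "www.example.com",                 # placeholder
        "place_of_business": "1 Example Street, Example City",  # placeholder
        "jurisdiction_of_incorporation": "CA",
        "registration_number": "000000",                  # placeholder
    },
    country="CA",
)
# Domain-validated: same CA, no EV policy, only the domain verified.
DV_CERT = Certificate("Example CA", "Example Root CA", [],
                      {"domain_name": "www.example.com"})
# Carries the EV OID but chains to a root the browser has no EV entry for.
WRONG_ROOT_CERT = Certificate("Some CA", "Unlisted Root",
                              ["1.3.6.1.4.1.99999.1.1"], dict(EV_CERT.subject), "CA")
# Right root and OID, but the registration number was never populated.
INCOMPLETE_CERT = Certificate("Example CA", "Example Root CA",
                              ["1.3.6.1.4.1.99999.1.1"],
                              {k: v for k, v in EV_CERT.subject.items()
                               if k != "registration_number"}, "CA")

if __name__ == "__main__":
    for name, c in [("HTTP", None), ("EV", EV_CERT), ("DV", DV_CERT),
                    ("wrong root", WRONG_ROOT_CERT), ("incomplete", INCOMPLETE_CERT)]:
        print(f"{name:11s} -> {trust_indicator(c)}",
              address_bar_labels(c) if c else "")
```

The point of the negative cases is that the green bar is earned by the combination of a trusted root, that root's EV policy identifier and the verified identity fields; a phishing site with a domain-validated certificate from the same CA, or a certificate that merely copies the OID under some other root, still gets no more than the ordinary padlock.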

Verification requirements
- Legal existence
  – Government registry
- Operational existence
  – Trade accounts
  – Bank letter
  – Legal opinion
  – Accountant’s letter
- Physical existence
  – Trade accounts
  – Site visits
- Domain name
  – WHOIS
  – Practical demonstration

Other requirements
- Revocation
  – Browsers will check for revocation by default, using OCSP, once “stapling” becomes widely available
- Identification and authentication of requestor/approver
- Verification of authority of requestor/approver
- Warranty by CA to subscribers, users and browser suppliers
- Errors and omissions insurance

It’s no good if users don’t check!
- EV sites place this graphic on their publicity material, including the Web site
- The message isn’t ‘if you see green you are safe’
- It just reminds the user to check the site identity in the location bar

It’s not foolproof – picture-in-picture
(screenshot)

Conclusion
- Browser security has significant shortcomings
- EV SSL represents a dramatic improvement
- It isn’t foolproof
- User awareness remains a critical issue
- Initial marketplace reaction appears positive
For more information: