[LINK] OzIT: 'Making online shopping safer'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 8 09:52:26 AEST 2009


[Comments interspersed and at end]

Making online shopping safer
Karen Dearne
September 08, 2009
The Australian IT Section
http://www.australianit.news.com.au/story/0,24897,26039893-24169,00.html

INTERNET shoppers are being urged to look for a green cue that shows 
a website is legitimate, thanks to a breakthrough intended to give 
greater confidence in online payments.

VeriSign authentication services director Armando Dacal said a new 
industry agreement on website security standards and verification of 
transactions would make it easier for consumers to avoid fake sites 
set up by criminals.

In the past computer users have looked for the padlock icon and the 
web address to change from http:// to https:// on a transaction page 
(the s means the site is encrypted, so information entered is secure) 
but next-generation browsers will turn the whole address bar green.

The Extended Validation (EV) Secure Sockets Layer (SSL) standard has 
been developed by leading digital certification authorities, 
including VeriSign, and browser vendors such as Google, Mozilla, 
Apple and Microsoft, as a technical response to the rise in internet 
fraud.

"Five years ago, criminals used pretty basic techniques like the 
Nigerian email scam, where they asked for your bank account details 
and promised to send you millions in return," Mr Dacal said.

"But criminals are now creating phishing websites that ... are 
identical to the real site and it's virtually impossible for the 
average consumer to tell the difference."

A study based on VeriSign's Phish or No Phish website -- where people 
are challenged to pick the fake -- found that nine out of 10 were 
fooled.

[It would be interesting to know how the 1 out of 10 avoided being 
fooled.  A properly designed scam presumably has only two differences 
from 'the real thing':
-   a different domain-name (e.g. sydneyoperahouse.com cf. 
sydneyoperahouse.com.au)
-   a different bank account to send the funds to
To detect the first requires effort and technical knowledge.
The second is undetectable because it's hidden inside the server]


"In Australia, 86 per cent failed to tell the difference between a 
legitimate and a phishing website, in line with results from Britain 
and the US, although Europeans did better," Mr Dacal said.

[As far as I can see, these stats are about as relevant to the 
discussions as '9 out of 10 people prefer Omo'.]


"Scare tactics by fraudsters remain an effective form of phishing, 
and despite education efforts by banks and retailers warning 
customers not to share their personal information online, many still 
fall into this trap."

Because of the need for a technical solution, the CA/Browser Forum 
was formed to strengthen SSL authentication procedures and make it 
easier for users to recognise trustworthy websites.

The forum says all new internet browsers will display EV SSL websites 
in a way that allows visitors "to instantly ascertain that a given 
site is indeed secure".

Certification authorities have agreed to more rigorous standards for 
processing certificate requests, while a new vetting format will 
ensure uniformity.

"EV SSL will prove particularly useful for companies whose internet 
domains are at high risk of being targeted by phishing schemes, such 
as banking and auction sites, and popular retailers," the forum says.

"Internet users will be able to trust that particular websites are 
what they claim to be, rather than fraudulent mirror sites operated 
by criminals."

Mr Dacal said more than 1500 local businesses were using VeriSign's 
EV SSL offering, including Commonwealth Bank, National Australia Bank 
and Westpac, Virgin Blue, JetStar and online travel retailer Best 
Flights, among more than 13,000 customers globally.

"Now there is a consistent, simple visual cue that consumers should 
look for when shopping online," he said.


[I should look into the details, e.g. here:
http://www.cabforum.org/documents.html

[But my first impression is that this initiative is only a fractional 
improvement, and hence PKI as a means of providing assurance of the 
legitimacy or otherwise of web-sites will remain inadequate.

[I summarised the reasons why PKI has been a failure here:
http://www.rogerclarke.com/II/ECIS2001.html

[The key issues in this context are:
-   inadequate authentication processes applied to the companies
     when they apply for certificates (addressed by EV, but how well?)
-   inadequate warranties provided by the CA (not addressed?)
-   inadequate management of revocation and expiry of keys and certs
     (I'm unclear whether it's addressed)
-   inability to provide user interfaces that users can understand
     (as will emerge below, I suspect this hasn't been solved either)

[The EV initiative appears to do two things:

-   improves the (hitherto quite useless) authentication processes

     But that needs to be checked, because the improvements may be
     just superficial, or 'commitments' rather than 'requirements'

-   changes the visual display from a padlock or key to the colour green

     But the old padlock/key sign confirms only that channel encryption
     is in use, i.e. an eavesdropper can't see the content.  It doesn't
     assure you that you are talking with the site you think you are

     The colour green will presumably declare that (some specific?)
     level of authentication has been performed on the site-operator

[But what about the missing aspects?
-   does the EV initiative upgrade the warranties?
     (There seems to be no mention of it, so probably not)
-   does it require real-time checking of the currency of certificates
     and rapid processing of revocations?
     (I'd need to dig to find out)
-   what will be displayed when you go to a scammer's site?
     (As far as I can see, the danger signal is just the absence of green)
-   what will be displayed when the cert is unsatisfactory in some way?
     (Presumably the same old incomprehensible and ignored displays?)

[Here's an article from nearly 3 years ago:
http://arstechnica.com/business/news/2006/12/8496.ars

[So implementation has been delayed for 2-1/2 years ...


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
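The distinctions drawn in the comments above (a padlock confirms only that the channel is encrypted, green is meant to say that the site operator was vetted, a look-alike domain holding an ordinary certificate produces no danger signal beyond the absence of green, and currency of the certificate has to be checked) can be made concrete in code. The following Go program is an added example; it is not code from the post, The Australian, VeriSign or the CA/Browser Forum. It builds a constructed root CA and three constructed leaf certificates, then reports the cue a browser built along the lines the article describes would show for each. Assumptions: EV status is recognised from the certificate policy OID 2.23.140.1.1 (the CA/Browser Forum's shared EV identifier; in 2009 each CA used its own EV OID, matched from a table built into the browser, and a real browser also requires the root itself to be EV-enabled); the domain pair is the one from the comment above; revocation checking is deliberately left out, since the post notes it is unclear whether EV addresses it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// 2.5.29.32 is the X.509 certificatePolicies extension; 2.23.140.1.1 is the
// CA/Browser Forum's shared EV policy OID (assumption: in 2009 each CA used
// its own EV OID, which browsers matched from a built-in table).
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation mirrors the X.509 PolicyInformation SEQUENCE.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a certificate for name signed by parent, or a self-signed
// root when parent is nil. ev asserts the EV policy in certificatePolicies.
func issue(name string, ev bool, notBefore time.Time, days int,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: name is the DNS name the browser compares with the URL
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
	}
	if ev {
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}})
		check(err)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Assessment is what a browser of the kind the article describes concludes.
type Assessment struct {
	Trusted     bool   // chains to a trusted root and is within its validity period
	NameMatches bool   // issued for the host the user actually visited
	EV          bool   // leaf carries the EV policy identifier
	Indicator   string // "green", "padlock" or "warning"
}

// assess derives the cue: chaining and currency from Verify, the name check
// separately, EV from the leaf's policies. Revocation is not consulted.
func assess(leaf *x509.Certificate, roots *x509.CertPool, visitedHost string, now time.Time) Assessment {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	a := Assessment{Trusted: err == nil, NameMatches: leaf.VerifyHostname(visitedHost) == nil}
	for _, ext := range leaf.Extensions {
		var policies []policyInformation
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		_, err := asn1.Unmarshal(ext.Value, &policies)
		for i := 0; err == nil && i < len(policies); i++ {
			a.EV = a.EV || policies[i].Policy.Equal(oidEVPolicy)
		}
	}
	switch {
	case !a.Trusted || !a.NameMatches:
		a.Indicator = "warning"
	case a.EV:
		a.Indicator = "green"
	default:
		a.Indicator = "padlock"
	}
	return a
}

// scenarios builds a constructed trust store and three constructed sites and
// reports the cue each earns on the article's date. The domains are the pair
// from the comment above; the root and certificates are made up here.
func scenarios() map[string]Assessment {
	now := time.Date(2009, 9, 8, 0, 0, 0, 0, time.UTC)
	root, rootKey := issue("Example Root CA", false, now.AddDate(-1, 0, 0), 3650, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	genuine, _ := issue("sydneyoperahouse.com.au", true, now.AddDate(0, -1, 0), 365, root, rootKey)
	lookalike, _ := issue("sydneyoperahouse.com", false, now.AddDate(0, -1, 0), 365, root, rootKey)
	expired, _ := issue("sydneyoperahouse.com.au", true, now.AddDate(-2, 0, 0), 365, root, rootKey)
	return map[string]Assessment{
		"genuine site, EV cert":      assess(genuine, roots, "sydneyoperahouse.com.au", now),
		"look-alike domain, DV cert": assess(lookalike, roots, "sydneyoperahouse.com", now),
		"genuine site, expired cert": assess(expired, roots, "sydneyoperahouse.com.au", now),
	}
}

func main() {
	for site, a := range scenarios() {
		fmt.Printf("%-27s trusted=%-5t name=%-5t ev=%-5t -> %s\n", site, a.Trusted, a.NameMatches, a.EV, a.Indicator)
	}
}
```

The look-alike row is the one worth studying: the certificate chains to a trusted root, the name matches the address the user typed, the channel is encrypted, and the browser shows a padlock. Nothing in the chain says the operator is not the Opera House; the only thing missing is green, which is exactly the point made above about the danger signal being an absence rather than a warning. The expired row shows the other half: the same EV policy is still present in the certificate, but the currency check fails and the cue drops to a warning, so the strength of the cue depends on the client actually performing that check, and on revocation handling that this example does not model.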
