Endpoint
1/27/2012
02:10 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Future of Web Authentication

Many security experts believe the Internet's trust model is broken. Figuring out how to fix it will take time and collaboration

Web authentication protocols took a pounding last year. Problems with the Secure Sockets Layer and Transport Layer Security protocols, which encrypt all sorts of communication among websites, were at the center of several security breaches. Hacks of high-profile certificate authority providers undermined the security of some of the Internet's biggest brands, including Google and Yahoo; new man-in-the-middle attacks hit the Web; and the powerful Beast vulnerability exposed the most commonly used versions of SSL and TLS.

Taken as a whole, it appears the Internet's trust model is broken. However, many security experts aren't ready to scrap SSL. Rather than starting over, they recommend fixing the existing system. It's clear that we need to evolve the way we authenticate on the Web; the question is, how?

"Anything that requires us to migrate the entire Internet to a different protocol isn't going to happen," says Moxie Marlinspike, a noted SSL researcher and co-founder of Whisper Systems, a mobile security software developer that Twitter acquired in November. "Right now, particularly in this space, ideas are easy, but it's getting it done that's the hard part."

How We Got Here

Netscape created SSL in the 1990s as a way to encrypt sensitive information transmitted as part of online transactions--from login credentials to financial transactions. TLS 1.0 came out in 1999 (nearly identical to the then-current SSL version), and new versions have followed. While TLS is the most advanced protocol for authenticating online transactions, common parlance often refers to it as SSL.

Web authentication rests on the integrity of the certificate authorities. CAs check the identities of websites and issue public key infrastructure certificates, which are then used to verify websites' authenticity and enable the transmission of encrypted information between Web browsers and SSL servers.

When a person wants to view or interact with an HTTPS site--a secure site that uses the SSL protocol--the Web browser requests that the Web server identify itself. The server provides a copy of its SSL certificate, and the browser decides if it trusts the certificate and the site before agreeing to exchange encrypted data (see diagram, below).

The weak links in the SSL scheme are that there's no overarching system or authority to rate, rank, or approve CAs, and there are no standards for how certificates are issued. It's up to the browser vendor to decide whether to trust a specific CA, and those vendors haven't been careful enough with those decisions.

HowSSL certificates enable encryption

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
1/31/2012 | 12:04:36 PM
re: The Future of Web Authentication
Strong Authentication: Entrust IdentityGuardSingle Sign On (SSO): Entrust GetAccessEncryption & Authentication for Internet Applications: Entrust TruePassWeb Site Authentication: Entrust Advantage SSL Certificates and Entrust Extended Validation SSL Certificates.COMODO SSL certificates E-commerce merchants are going beyond the gold padlock to go green with
Extended Validation SSL certificates, the e-commerce standard for trust
and security. The green browser address bar, exclusive to EV SSL
certificates, assures website visitors that they are transacting on a
highly trusted and secured domain.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.