Security on the World Wide Web—Establishing Trust
The face-to-face and telephone-to-agent interactions that provide assurances to customers are absent on the Internet. People who shop in stores have a personal encounter with clerks. They assume the salesperson that takes their credit card is trustworthy because they see her. They know that person is authorized to take their money, debit card or credit card. People who shop on the Internet need to find a way to establish trust with the organizations with which they do business. Establishing security on the Internet will help increase its utilization for electronic commerce.
The security tools discussed next are installed in corporate servers, application service providers (ASPs), ISP servers, hosting companies and carriers that provide virtual private networks (VPNs). (See Chapter 5 for VPNs.) For corporations, the largest threat to computer security comes from internal employees. Acts of sabotage from disgruntled employees or employees that have been laid off cost businesses millions of dollars. Some companies purchase intrusion detection software before conducting lay-offs.
Public and Private Keys and Digital Certificates
Tools that are used for security on the Internet are used in private networks as well. These tools are public key encryption, private key encryption and digital certificates. Digital certificates verify that the vendor is who they say they are. Private and public key encryption ensure that only the intended recipient can read confidential information such as credit card numbers.
Encryption scrambles documents using mathematical algorithms so that only the intended recipient can decrypt and read the document. Public and private key encryption work together to create and read secure documents. Complementary mathematical algorithms called public and private keys are used to encode documents. A document scrambled by a private key can only be read by a recipient with the complementary public key. A public key can't read a document created by the same public key and a private key can't decipher a document created by the same private key. Thus, public with private key encryption is asymmetric. Different keys perform the encoding and the decoding.
When someone shops, for example, at Amazon.com, Amazon.com sends the shopper a unique public key that scrambles the user's credit card number and order. The Amazon.com site uses its complementary private key to decode the order. The advantage of asymmetric public key cryptography is that the public key can be given out freely without corrupting the security because only the owner of the key has the private key.
Digital certificates with digital signatures are used to authenticate vendors. Web sites contain digital certificates that verify they are who they claim to be. The digital certificate is provided by a trusted third party who has done a background check on the vendor. The digital signature verifies that people are who they claim to be by sending a digital summary of the data sent. The receiving end receives the digital signature and makes a mathematical summary of it. If the receiving end's summary exactly matches the sending end's summary, the identity of the sender is verified. Security software made by VeriSign, Inc. and installed on browsers reads the digital certificates that authenticate vendors. Browsers have a normally open padlock icon that shuts during a secure transaction. This is extremely important because the padlock indicates that the site uses encryption technology such as Secure Sockets Layer (SSL) that uses a 128-bit code for encryption. This means it uses a code-based 2128 encoding technique.
Firewalls and Tunneling
Security tools, known as firewalls, are installed in corporate and Internet service provider computers in front of corporate databases. Firewalls screen transmissions before allowing them to reach corporate computers. The firewall verifies the integrity of the data and the sender. The firewall may screen users by their email address. This is called address filtering.
Some companies install demilitarized zones (DMZs) between their firewall and the Internet. DMZs isolate internal traffic from external and Internet traffic. The DMZ takes a more detailed look at traffic than just the address. It also looks at the application itself in case it has a virus or has other characteristics that would harm the internal network.
Many firewalls contain proxy servers. A proxy server provides an extra level of security by not letting outside people connect directly to internal resources. When someone from the outside communicates with the company, he is routed to the proxy. The proxy server wraps new headers around messages from the outside and sends it to the internal device. The proxy acts as a relay service, preventing external users from directly connecting to internal resources such as databases and secure information.
Many organizations outsource their Internet applications to Internet service providers. When they do, they want assurance from the Internet providers that the outsourced applications are secure. Firewalls and proxy servers are installed extensively at Internet service providers as well as end-user sites.
Making the Internet a Trusted Place to Do Business
Virtually all 100,000 e-commerce sites use VeriSign, Inc.'s digital certificate and public key software when they ask for credit card information. The company feels that the widespread acceptance of public keys and digital certificates has helped make the Internet a safer place for e-commerce and business transactions. Businesses use the Internet to transmit a variety of confidential data. For example, Intel transmits designs for its chips; banks move money through the Internet; hospitals exchange patient records; and the automotive industry does business with its entire supply chain through the Internet. Credit card companies cover losses of credit cards over $50. Intel's potential damage if someone hacks into and steals its chip designs is much larger. An additional form of encryption security is tunneling. Tunneling encapsulates packets within other protocols for added security when traffic is carried on virtual private networks. Tunneling separates and keeps private transmissions from multiple customers. Tunneling allows new protocols to be packaged and transmitted within older protocols. They are “unwrapped” when they are received by remote firewalls at extranet and intranet sites.