Impostors, eavesdroppers and vandals

This month we look at a site “close to home”. How many of those users having access to Netscape have delved into the security part of the online help? If you haven’t, it is certainly worth a look. It even gave me a new TLA, i.e. SSL, within the first few lines! And all this on top of the excitement of that ongoing timebomb Y2K, possibly the first TLNA (or three letter and number acronym). I’m revelling in all the pictures provided by my newly installed graphical interface, but for those still using a non-graphical approach it may be helpful to give the alternative route in: http://home.netscape.com then follow Netscape index/technical documentation/reference material/Netscape Data Security, and browse to your heart’s content! SSL stands for Secure Sockets Layer protocol and has been developed by Netscape Communications to “ensure private and authenticated communications” and is “an open platform put into the public domain for the Internet community”. Why are we interested? Well, have you ever given out your credit card number on the ‘phone and felt a little unsure about it? Just imagine that number passing through any number of computers throughout the world, any one of which could be a comfortable resting place for it - especially as credit cards are internationally useable. The documentation goes on to claim (and I am not suggesting that it does or does not meet those claims) that if the said credit card number is entered on a “secure Netscape Navigator form and transmitted over the Internet to a secure Netscape Commerce Server”, then there is no risk of interception of any useable data by an intermediary. It is claimed that commercial transactions “are protected from misappropriation and fraud that could otherwise occur as information passes through Internet computers”. The inevitable word of warning soon appears, however - “Secure communications does not eliminate all of an Internet user’s concerns”, (nor do they check grammar!).
The key point here is that this security specifically deals only with the Internet communication routes; a user has to trust the server administrator before the transaction is even commenced. Netscape’s security is based on three basic principles:

• server authentication - thwarting impostors

• privacy using encryption - thwarting eavesdroppers

• data integrity - thwarting vandals

Computer Audit Update, June 1996 © 1996, Elsevier Science Ltd.

The danger period to your information is the time when it is travelling between you and a trusted server, so security is needed to stop any interceptor being able to “deceive you, eavesdrop on you, copy from you, or damage your communications”. For the technically minded, SSL is layered above the connection protocol TCP/IP and below application protocols such as HTTP, Telnet, FTP, Gopher etc. With SSL implemented on both client and server, you can be assured that any information you send will “arrive privately and unaltered to the server you specify, and no other”. The authentication and encryption is based on a 40-bit key size developed by RSA; in use it remains valid over multiple connections but the efforts to break the encryption of one message cannot be used towards defeating the encryption of another. Although only “medium-grade”, such an encrypted message would take 64 MIPS-years to break. You can tell whether a document comes from a secure server by examining the URL (location) field. It is secure if the URL begins with https:// and not if it begins with http://. Also a news URL that starts with snews: shows that a document comes from a secure news server. Secure documents specify the type of encryption in use plus details of the certificate backing the document. (In SSL, server authentication is delivered “using signed digital certificates issued by trusted third parties - TTPs - known as certificate authorities. Cryptographic checks, using digital signatures, ensure that information within a certificate can be trusted.” One is tempted to ask how the cryptographic checks’ integrity is assured, but you could go on and on...). Netscape go on to explain how to get a digitally signed certificate to enable the use of security features, the process being explained in the Netscape Commerce Server manual. Incidentally, it is reassuring to know that “the security aspects of SSL protect you from insecure transmissions, but do not limit your ability to receive insecure transmissions”.
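As an added illustration (not from the column, Netscape or any browser vendor), here is how a modern client can apply the column’s URL test and its three principles in Python: the scheme check mirrors the https:// and snews: rule above, and the standard ssl module’s default context stands in for what Navigator did in 1996 by refusing any server whose certificate does not chain to a trusted certificate authority.

```python
import ssl
from urllib.parse import urlsplit

# Schemes the column says indicate a secure server: "https://" for
# documents and "snews:" for a secure news server. Everything else
# (http, news, ftp, gopher, ...) is treated as an insecure transmission.
SECURE_SCHEMES = {"https", "snews"}


def secure_server_url(url: str) -> bool:
    """True if the URL's scheme says the document comes from a secure server.

    Only the scheme counts: 'http://host/https://bank' is NOT secure even
    though 'https' appears later, and 'HTTPS://HOST' IS secure because
    schemes are case-insensitive. A bare hostname has no scheme and is
    treated as insecure rather than guessed.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in SECURE_SCHEMES


def client_context() -> ssl.SSLContext:
    """A client-side TLS context enforcing the column's three principles.

    create_default_context() loads the system's trusted CAs, requires the
    server to present a certificate that chains to one of them and checks
    that the certificate matches the host name (server authentication,
    thwarting impostors). The negotiated cipher suite encrypts the stream
    (privacy, thwarting eavesdroppers) and authenticates every record
    (data integrity, thwarting vandals).
    """
    ctx = ssl.create_default_context()
    # Refuse to proceed if something has weakened the defaults.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not authenticate the server")
    return ctx


def enforces_server_authentication(ctx: ssl.SSLContext) -> bool:
    """Report whether a context would reject an impostor's certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for u in ("https://home.netscape.com", "http://home.netscape.com",
              "snews:alt.security", "http://host/https://bank"):
        print(u, "-> secure" if secure_server_url(u) else "-> insecure")
    print("server authentication:", enforces_server_authentication(client_context()))
```

Both checks run offline; wrapping a real socket with `client_context().wrap_socket(sock, server_hostname=host)` is where an untrusted or mismatched certificate would make the handshake fail before any application data is sent.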

NET FLASH

SINK OR SWIM? - DATA PROTECTION REGISTRAR GOES SURFING

The UK’s Data Protection Registrar has just announced the launch of a new “radical” home page on the Internet. Most of the information currently produced by the Office will be available online. Features of interest include: summary of the Data Protection Act; tailored guidance to various industry sectors; registration information; news; European section; full annual report; links to the full Data Protection Act 1984.

URL is http://www.open.gov.uk/dpr/dprhome.htm
