I often browse the various Internet malls and am keen to have a go at buying on the Internet. But I've heard so many stories about the insecure nature of the Internet and I'm concerned about passing my credit card details over the Net.
What are the risks?
Credit card firms discourage the use of credit cards over open networks like the Internet without secure transaction technology in place. They would rather you used a phone or wrote instead.
In practical terms, your exposure to risk is minimal. It's important to put things into perspective. Do you take security precautions in your everyday credit card transactions? There are plenty of ways to get hold of someone's credit card number. Do you, for example, avoid placing credit card orders over the phone, or make a point of destroying the carbons from the slips you sign? If so, then you're probably right to be suspicious about making a credit card transaction over the Internet. But if, like most of us, you don't, then in practical terms the Internet poses no greater risk.
A bigger problem is not knowing precisely how much is going to be charged to your card. Don't forget, on the Internet Tesco is as far away as Macy's, but sadly this doesn't apply when it comes to postage.
Orders still have to be posted or sent by courier, and if you order goods from abroad, not only can the shipping charges be high, but you are seldom notified at the time of ordering what the overseas charges will be. There is also VAT and import duty to pay, plus a handling charge by the UK courier.
I once ordered a $25 laser disk from a company in California. A further $40 was added for shipping, while ParcelForce wanted the thick end of £16 from me. In short, goods with a face value of about £15.60 wound up costing me about £56.50.
But the fact is, the Internet is undeniably an insecure medium for conducting commerce, and that's why companies like MasterCard, Visa, Netscape and Microsoft have put so much effort into developing secure transaction technologies.
So what technologies are we talking about?
The basis of all Internet security is the Secure Sockets Layer (SSL) protocol. Version 2.0 was originally developed by Netscape, but version 3.0 was designed with input from the public and from industry.
SSL is an open platform put into the public domain, and Netscape Navigator and Netscape Commerce Server are the first products to support this non-proprietary technology. The SSL protocol delivers server authentication, data encryption and message integrity. SSL is layered beneath application protocols such as HTTP, Telnet, FTP, Gopher and NNTP, and layered above the connection protocol TCP/IP. This allows SSL to operate independently of Internet application protocols.
With SSL implemented on both the client and the server, your Internet communications are transmitted in encrypted form, ensuring privacy. Netscape's security comprises three elements: server authentication; privacy using encryption; and data integrity.
So does SSL let me safely transmit personal information like a credit card number over the Internet?
Yes, you can enter your credit card details on a secure (https) Netscape Navigator form and transmit the form over the Internet to a secure Netscape Commerce Server without the risk of a third party intercepting your information.
The information you send in this way can be trusted to arrive privately and unaltered at the server you specify (and no other). Beware, though, that SSL merely protects your credit card information while it is in transit - what happens to that information after receipt is another matter.
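The guarantee that data reaches "the server you specify (and no other)" only holds if the client actually checks the server's certificate. The following is an added example, not code from the original column or from Netscape, using Python's standard ssl module: it builds a TLS client context with server authentication on (the correct setting) beside the common mistake of switching certificate checks off, and a helper that reports whether a given context would authenticate the peer at all. The function names are this example's own.

```python
import ssl


def make_client_context(authenticate_server=True):
    """Build a TLS client context for an https connection.

    authenticate_server=True  -> chain validation against the system CA store
                                 plus hostname matching (what a browser does).
    authenticate_server=False -> reproduces the frequent 'just make it work'
                                 mistake: encryption still happens, but any
                                 server, including an impostor, is accepted.
    """
    ctx = ssl.create_default_context()  # loads the platform's trusted CA certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the old SSL 2.0/3.0 and TLS 1.0/1.1 protocols
    if not authenticate_server:
        # check_hostname must be cleared before verify_mode can be set to CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_server(ctx):
    """True only if the context will validate the certificate chain AND
    match the certificate's name against the host we asked for. Either
    half alone leaves the connection encrypted but unauthenticated."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for flag in (True, False):
        ctx = make_client_context(flag)
        print(f"authenticate_server={flag}: context authenticates peer -> {authenticates_server(ctx)}")
    # Usage on a real socket (not run here, needs a network):
    #   with socket.create_connection(("shop.example", 443)) as raw:
    #       with make_client_context().wrap_socket(raw, server_hostname="shop.example") as tls:
    #           cert = tls.getpeercert()   # raises ssl.SSLCertVerificationError on a bad certificate
```

Note that the `server_hostname` argument passed to `wrap_socket` is what the hostname check compares the certificate against; omitting it with `check_hostname` enabled raises an error rather than silently skipping the check.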
Which encryption techniques are employed in SSL? Is there any measure of their resistance to decryption?
SSL uses authentication and encryption technology developed by RSA Data Security. The US version of Navigator uses a 128-bit key size for the RC4 stream encryption algorithm. Export versions of Navigator use a weaker encryption technique using a 40-bit key. Even so, Netscape claims a message encrypted with 40-bit RC4 takes on average 64-MIPS (Million Instructions Per Second) years to break (a 64-MIPS computer needs a year of dedicated processor time to break the message's encryption).
What software supports SSL 2.0 and SSL 3.0?
The Webcompare site (webcompare.iworld.com/compare/security.shtml) has a Web page which contains a comprehensive list of all the servers and clients that support SSL - currently over 100.
What happened to STT, Microsoft's alternative to SSL?
This was originally punted as a rival to SSL. The Secure Transaction Technology (STT) specification jointly developed by Microsoft and Visa, with some help from Spyglass, was designed to provide a secure method for handling credit card transactions across private and public networks.
Microsoft also promoted Private Communication Technology (PCT), which claims to offer advantages over SSL. It includes features such as privacy, authentication and mutual identification.
But STT has largely been overtaken by Visa and MasterCard's decision to hammer out a joint secure technology, Secure Electronic Transactions (SET), co-developed by Microsoft, IBM, GTE, Netscape and others. SET is designed to handle secure payment with bank cards over the Internet using cryptography and digital certificates.
Who determines the security status of a secure commerce server?
Secure commerce servers deliver server authentication using signed digital certificates issued by trusted third parties known as certificate authorities (CAs). A digital certificate verifies the connection between a server's public key and the server's identification.
Certificate-based client authentication allows users to identify themselves to Web servers with digital certificates so that they can communicate securely or gain access to a particular area of a Web site.
Users request and receive digital certificates from a certificate authority. The user's browser presents the certificate to a Web server, which verifies the identity of the user. Cryptographic checks using digital signatures ensure that information within a certificate can be trusted.
The best known CA is VeriSign (digitalid.verisign.com), the default CA used by Netscape and Microsoft. But there are others:
EuroSign - The European Certification Authority (www.eurosign.com/)
COST Computer Security Technologies (www.cost.se/)
Thawte Consulting (www.thawte.com/certs/)
Nortel Entrust, Browser Certs
Nortel Entrust, Server Certs (www.nortel.com/entrust/)
There are two types of certificates - personal and Web site. A personal certificate, or Digital ID, is used when you send personal information to a client authentication server that requires a certificate. For example, a personal certificate would contain information such as your user name and password and confirms who you are to the commerce server.
A Web site certificate is used when a secure Web site sends your browser a certificate that provides certain information about security for that Web site.
A certificate is issued to a particular organisation for a specific period of time. When you try to open that organisation's Web site, your browser will verify the Internet address stored in the certificate and will confirm that the current date precedes the expiration date.
For example, a Web site certificate would contain information verifying that the site is secure and is genuine. This ensures that no other Web site can assume the identity of the original secure site.
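The two checks described above (the address in the certificate must match the site, and today's date must fall inside the validity period) are what stop another site assuming a secure site's identity. Here they are spelled out as an added example, not code from the original column or from any browser vendor, written in Python against the dictionary layout that `ssl.SSLSocket.getpeercert()` returns. The certificate, its names and dates are constructed for this example; the check also handles the single left-most wildcard label that browsers accept.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert().
# Organisation, hostnames, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Mall Ltd"),),
                (("commonName", "www.example-mall.test"),)),
    "issuer": ((("organizationName", "Example CA (assumed)"),),),
    "subjectAltName": (("DNS", "www.example-mall.test"),
                       ("DNS", "*.shop.example-mall.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname. A wildcard may only
    be the whole left-most label and covers exactly one label, so
    *.shop.example-mall.test matches books.shop.example-mall.test but
    neither shop.example-mall.test nor a.b.shop.example-mall.test."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """DNS names the certificate was issued for: subjectAltName entries,
    falling back to the subject commonName only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_certificate(cert, hostname, now=None):
    """Return the list of reasons this certificate must be rejected for
    `hostname` at time `now` (UTC). An empty list means it is accepted."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(_dns_name_matches(name, hostname) for name in certificate_names(cert)):
        problems.append(f"name mismatch: certificate is not issued for {hostname}")
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings in getpeercert() output
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        problems.append("certificate not yet valid")
    if ts > not_after:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    mid_2024 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host, when in (("www.example-mall.test", mid_2024),
                       ("books.shop.example-mall.test", mid_2024),
                       ("www.other-mall.test", mid_2024),
                       ("www.example-mall.test", datetime(2025, 3, 1, tzinfo=timezone.utc))):
        verdict = check_certificate(SAMPLE_CERT, host, when) or ["accepted"]
        print(f"{host} on {when:%Y-%m-%d}: {'; '.join(verdict)}")
```

In a real client these checks run only after the CA's signature on the certificate has been verified; a name and date that look right mean nothing if the certificate was not issued by a CA the browser trusts.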
Who issues Digital IDs?
Digital IDs are issued by a CA, which can be any trusted central administration willing to vouch for the identities of those to whom it issues Digital IDs. You can visit the VeriSign site and apply for a free Class 1 Digital ID on the spot. The more secure Class 2 ID costs $12 a year and is restricted to US residents. Generating a Digital ID request is part of the initial installation for many applications that are Digital ID enabled.
What is the advantage of certificates over passwords?
Certificate-based authentication offers better security than password authentication, which sends passwords over the Internet (where they can be intercepted). Certificates contain only public information, and no security is compromised if they are intercepted.
Further, certificate authentication is based on what you know (the password to locally log on to your machine) and what you have (the certificate), while password authentication is based only on what you know.
How can I tell when security is in effect?
Your browser identifies secure documents in several ways. First, the URL will change when you access a secure server. If the URL begins with (https://) instead of (http://), the document comes from a secure server.
Another indicator is the icon in the bottom left-hand corner of the Navigator window, together with the colour bar across the top of the content area. The icon consists of a door key on a blue background for secure documents and a broken door key on a grey background for insecure documents.
The colour bar across the top of the content area is blue for secure and grey for insecure. Internet Explorer 3.0 uses a lock icon to signify a secure connection.
A mixed document containing secure and insecure information is displayed as secure with insecure information replaced by a mixed security icon. Some servers may let you access documents insecurely (using http://) letting you view mixed documents without icon substitution. Choosing the file/document information menu item gives you more security information.
Any questions? Ask Advisor by emailing ([email protected]). We regret Advisor cannot answer questions individually.