The internet is the embodiment of globalization - its growth fueled by the widespread global adoption of faster, always-on broadband ADSL and wireless service, and by the global expansion of multinationals and their mobilized army of workers who trade information anywhere and anytime. With the internet's growth comes a new opportunity for many small and large businesses, which are now able to trade from one corner of the globe with anyone who can access their website and make credit card payments. Internet and electronic trading knows no time and has no borders.

But as many companies ready themselves for the onslaught of new customers from the four corners of the globe, security experts are expressing caution, and so are many US businesses. In a recent survey conducted by IBM (1), as many as 75% of the participating companies expressed concern about the growing cybercrime threat coming from the many unprotected computers in the developing world. Outdated software and unprotected systems are a real threat: the adoption rate of broadband services is stabilizing in the US and declining in Asia, while the Middle East and Africa show the highest new connection rates in the world for these services. While many companies are rushing to capitalize on the rapid global growth of broadband connections, they must heed the warnings of the many experts who are calling for proactive security that not only protects the vendor but also "thinks" for the user, helping them attain the best possible security. Proactive security will not only create a more secure digital environment for everyone, it will also help to build trust amongst the many new users of the internet. Trust will build confidence, and confidence is good for business.

In the 1990s, the US government imposed restrictions on exporting strong cryptography to other countries.
The restriction meant that software that implements SSL, such as web browsers, operating systems and web servers, had to limit encryption to weak algorithms and shorter key lengths if it was exported outside the United States. Lawmakers included an exception for financial transactions to ensure that customers worldwide could safely transact online using strong encryption. SGC (Server Gated Cryptography) was created as an extension to SSL that lets consumers running export versions of web browser software use strong cryptography for financial transactions. US export laws were upheld by issuing SGC certificates only to eligible financial institutions, creating an enforcement point at the server without any impact on the client. The restrictions on the export of strong encryption have since been relaxed, and SGC certificates may now be issued to any institution.

Restrictions on encryption are still evident in older versions of Windows 2000 running Internet Explorer that remain in use. Consumers and e-commerce vendors, particularly those outside the United States, are still using weak encryption, despite the fact that safer, stronger alternatives are available. Although newer versions of Windows 2000 provide these features, millions still use old versions. Users of certain older browser versions that only provide weak 40-bit or 56-bit encryption can gain full-strength 128-bit encryption when conducting business with SGC-enabled web sites. With SGC, browser and operating system versions - whether export or domestic - that would otherwise connect with weak encryption are afforded much stronger security. Until older versions of browsers and operating systems disappear completely, SGC certificates can protect this portion of the user population.

To understand how an SGC-enabled SSL session differs from other SSL sessions, we first need to explain how a normal SSL session works. A simplified SSL session looks like this:

1. The client/browser sends the server a list of supported ciphers.
2. The server chooses a cipher and sends that cipher, along with its certificate, back to the client/browser.
3. The client/browser verifies the server's certificate and extracts the server's public key.
4. The client/browser encrypts a secret using the server's public key and sends it to the server.
5. The server decrypts the secret using its private key.

At this point the client/browser and server both share the secret and can be confident that no one else knows it. They can now use this secret and the chosen cipher to have a secure conversation. This is a very simplified explanation of an SSL handshake.

With SGC, when the client/browser receives the server's certificate (step 3) and discovers that it is an SGC-enabled SSL certificate, the client/browser finishes the current handshake and then performs a new handshake offering its complete list of supported ciphers, including strong 128-bit encryption, thus upgrading the session to strong cryptography.
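As an added illustration (not from the original article), the following Python script simulates the handshake described above with an export-restricted client, a server that may or may not hold an SGC certificate, and the step-up renegotiation. Everything is in-process: the RSA key (p=61, q=53), the cipher-strength table, the session-key derivation and the subject-only certificate check are all toy constructions for the example (a real client verifies the certificate chain and signature); the two SGC extended-key-usage OIDs are the well-known Microsoft and Netscape values.

```python
"""Simulated SSL handshake with an SGC step-up (added example, not from the article).

Nothing here touches the network. Client and server are plain Python objects,
the RSA key is a textbook toy (p=61, q=53) and the session-key derivation is a
stand-in for the real SSL key schedule."""
import hashlib
import secrets
from dataclasses import dataclass

# Symmetric key length of each cipher suite (real TLS suite names, constructed table).
CIPHER_BITS = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "TLS_RSA_WITH_RC4_128_SHA": 128,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 168,
}
EXPORT_CIPHERS = [c for c, bits in CIPHER_BITS.items() if bits <= 56]
ALL_CIPHERS = list(CIPHER_BITS)

# Extended-key-usage OIDs that mark a certificate as SGC ("step-up") capable.
SGC_EKU_OIDS = frozenset({
    "1.3.6.1.4.1.311.10.3.3",  # Microsoft Server Gated Crypto
    "2.16.840.1.113730.4.1",   # Netscape Server Gated Crypto
})
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def derive_session_key(secret, cipher):
    """Stand-in for the SSL key schedule: both sides hash the shared secret."""
    return hashlib.sha256(f"{secret}:{cipher}".encode()).hexdigest()


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple          # (n, e) of the toy RSA key
    extended_key_usage: frozenset

    def is_sgc(self):
        return bool(self.extended_key_usage & SGC_EKU_OIDS)


class Server:
    def __init__(self, subject, sgc_certificate):
        p, q, e = 61, 53, 17                     # toy RSA parameters (constructed)
        n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
        self._private_key = (n, d)
        eku = {SERVER_AUTH_OID} | (set(SGC_EKU_OIDS) if sgc_certificate else set())
        self.cert = Certificate(subject, (n, e), frozenset(eku))
        self.session_key = None

    def server_hello(self, offered):
        """Step 2: pick the strongest cipher both sides support, send it with the cert."""
        common = [c for c in offered if c in CIPHER_BITS]
        if not common:
            raise ValueError("no cipher in common")
        return max(common, key=CIPHER_BITS.__getitem__), self.cert

    def client_key_exchange(self, encrypted_secret, cipher):
        """Step 5: recover the secret with the private key and derive the session key."""
        n, d = self._private_key
        secret = pow(encrypted_secret, d, n)
        self.session_key = derive_session_key(secret, cipher)


class Client:
    def __init__(self, expected_subject, export_restricted=True, sgc_capable=True):
        self.expected_subject = expected_subject
        self.initial_ciphers = EXPORT_CIPHERS if export_restricted else ALL_CIPHERS
        self.sgc_capable = sgc_capable
        self.session_key = None

    def handshake(self, server, offered):
        """Steps 1-5 of the simplified handshake for one offered cipher list."""
        cipher, cert = server.server_hello(offered)              # steps 1-2
        if cert.subject != self.expected_subject:                 # step 3 (toy check only)
            raise ValueError("certificate subject mismatch")
        n, e = cert.public_key
        secret = secrets.randbelow(n - 2) + 2                     # pre-master secret, < n
        server.client_key_exchange(pow(secret, e, n), cipher)     # step 4, then step 5
        self.session_key = derive_session_key(secret, cipher)
        return cipher, cert

    def connect(self, server):
        """Full connection; returns the cipher chosen by each handshake performed."""
        cipher, cert = self.handshake(server, self.initial_ciphers)
        negotiated = [cipher]
        # SGC step-up: once the first handshake has finished, an SGC certificate
        # lets an export-restricted client renegotiate with its complete cipher list.
        if self.sgc_capable and cert.is_sgc() and CIPHER_BITS[cipher] < 128:
            cipher, _ = self.handshake(server, ALL_CIPHERS)
            negotiated.append(cipher)
        return negotiated


if __name__ == "__main__":
    for sgc in (False, True):
        server = Server("shop.example", sgc_certificate=sgc)
        client = Client("shop.example")
        print("SGC cert" if sgc else "plain cert", "->", client.connect(server))
```

Running the script shows the difference the certificate makes: against a plain certificate the export client stays on a 40-bit suite, while against an SGC certificate the first handshake completes at 40 bits and the second one lands on a full-strength suite, with both sides holding the same session key after each handshake.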