"Internet Security"
An overview of how your personal information is kept safe on the internet.

Login

  • Logins involve User IDs and passwords designed to identify who is trying to access a website.
  • Please be diligent about keeping passwords secret.
  • Also, make passwords difficult to guess.
  • Most websites do not encrypt login information, so a cybercriminal with sniffing software could inspect packets going to the server and steal user passwords.

Encryption

  • Encryption technology encodes and decodes information transmitted over the Internet so that only the sender and intended recipient can read the information.
  • Encryption software uses formulas so complex that it would take years to decode messages.
  • The processing load to encrypt all data sent to a server would make that server too slow for practical use.
  • Encryption is reserved, therefore, for the transmission of only sensitive data, such as credit card numbers.

Secure Sockets Layer (SSL)

  • SSL is used to encrypt data sent between the consumer’s computer and the merchant’s Web server by automatically setting up an encrypted “pipe” through which the browser and the server can communicate.
  • Netscape Navigator and Microsoft Internet Explorer are both SSL-compatible.

Secure Connections

  • A consumer using SSL applications can see if his or her connection is secure by checking for an icon shaped like a closed lock or a key at the bottom of the browser window.
  • In addition, the URL address will begin with “https” as opposed to “http”.

Merchants

  • Another issue concerns data, such as credit card numbers, stored by the merchant.
  • To protect such data, merchants usually store information in a secure database that cannot be accessed over the Internet.
  • In addition, such data are often left in encrypted form to protect the merchant from internal theft.

Keys

  • A third party who steals encrypted information is unable to decrypt it.
  • This is because additional software, called “keys”, is used to ensure that only the creators and intended recipients of encrypted information can access it.
  • A set of two keys is required. One is called the public key, the other is called a private key.

Information Back and Forth

  • The public key encrypts the data, which is sent to a computer that has the corresponding private key for decryption.
  • Anyone who wants to receive encrypted data can use a set of these keys to accomplish the task.
  • For two parties to send encrypted information back and forth, each one has to have this set of two keys (one public and one private).

Public Key

  • Public key encryption is commonly used on e-commerce websites to ensure that sensitive data from customers (such as credit card numbers) are kept private when transmitted across the Internet.
  • The e-commerce Web servers will often contain the private key for decryption.

Private Key

  • When an e-commerce Web server is set up, it will have a private key and a public key installed.
  • These are often created and distributed by trusted third parties, such as VeriSign or RSA Security.

VeriSign Incorporated

  • VeriSign (NASDAQ: VRSN) delivers critical infrastructure services that make the Internet and telecommunications networks more intelligent, reliable, and secure. Every day, VeriSign helps thousands of businesses and millions of consumers connect, communicate, and transact with confidence.

RSA Security

  • With over 11,000 customers around the globe, RSA Security (NASDAQ: RSAS) provides interoperable solutions for establishing online identities, access rights and privileges for people, applications and devices.
  • This includes authentication, as well as web access and management solutions. Authentication is a key word we’re going to get to next.

Digital Certificate

  • Once running, the Web server will automatically send a copy of the public key to the browser of any customer who logs on to a secure page on the website for the first time. This public key (also known as a digital certificate) is stored in the consumer’s browser and used for that session and all future sessions until the private key changes.
  • Some users update their digital certificate as more secure encryption methods become available.

Automatic Transmission

  • The transmission of keys from server to browser is automatic. The only involvement the user has in the process is in agreeing that he or she trusts the Web server. Once the user agrees to trust the website, an encrypted “tunnel” that allows secure transmission of data is established between the browser and server. This secure tunnel is known as the SSL (Secure Sockets Layer) and is created automatically when a user connects to a page that requires secure data transmission.

Digital Signature

  • Once an SSL session has begun, the user can confidently send encrypted information that only that server can decrypt. This occurs through a process called authentication. To prove their authenticity, Web servers can encrypt a document called a digital signature and send it to a customer’s browser.
  • The consumer’s browser, with the public key, can decrypt the digital signature to see if it is legitimate.

Authentication

  • Because private keys are held only by the company that owns them, if the corresponding public key for that company (acquired from a third party, such as VeriSign) successfully decrypts the digital signature, the customer knows it has come from the company he or she expects.
  • Authentication is important because, otherwise, it would be possible for someone to make a copycat website and use it to illegally collect credit card numbers from unsuspecting customers.

Figure 2.7

  1. A digital certificate/public key is sent to the user’s computer.
  2. Back at the merchant’s server, the private key encrypts a digital signature.
  3. That encrypted signature is sent to the user’s computer.
  4. The digital certificate/public key on the user’s computer decrypts the signature.
  5. The user is then presented with the digital signature information.
  6. If the user accepts the signature, then the tunnel is created.
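The key mechanics described under Keys, Information Back and Forth, Digital Signature and Authentication, worked through in an added example that is not part of the original page. It uses textbook RSA with deliberately tiny, constructed primes so that every number is visible; real servers use keys of 2048 bits or more together with padding, both of which this toy leaves out.

```python
from math import gcd
import hashlib

def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)); p and q are constructed tiny primes, real keys use >= 2048-bit n."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                     # private exponent (Python 3.8+)
    return (e, n), (d, n)

def encrypt(public_key, message: bytes) -> list:
    """Browser side: each byte is encrypted with the merchant's public key."""
    e, n = public_key
    return [pow(b, e, n) for b in message]

def decrypt(private_key, ciphertext: list) -> bytes:
    """Server side: only the holder of the private key recovers the bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def _digest(document: bytes, n: int) -> int:
    # Reduce the document to an integer below n; the signature is computed over this.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(private_key, document: bytes) -> int:
    """Merchant side: the digital signature is the digest transformed with the private key."""
    d, n = private_key
    return pow(_digest(document, n), d, n)

def verify(public_key, document: bytes, signature: int) -> bool:
    """Browser side: the public key from the certificate reverses the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest(document, n)

def demo() -> dict:
    merchant_pub, merchant_priv = make_keypair(61, 53)           # n = 3233
    card = b"4111 1111 1111 1111"                                # constructed sample number
    recovered = decrypt(merchant_priv, encrypt(merchant_pub, card))
    doc = b"signed by example-store (constructed)"
    genuine = verify(merchant_pub, doc, sign(merchant_priv, doc))
    # A copycat site has only its own key pair, so its signature does not
    # verify under the genuine public key the browser received.
    _, copycat_priv = make_keypair(67, 71)
    forged = verify(merchant_pub, doc, sign(copycat_priv, doc))
    return {"recovered": recovered == card, "genuine": genuine, "forged_accepted": forged}

if __name__ == "__main__":
    print(demo())
```

The copycat check is the page's authentication argument in miniature: without the merchant's private key there is no way to produce a signature that the public key from the certificate will accept.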

Secure Electronic Transaction (SET)

  • In order to process a payment on the Web, the credit card number must be authorized by the cardholder’s bank.
  • Secure Electronic Transaction (SET) is a protocol that facilitates the secure authentication of online credit card transactions, as well as other payment-processing issues, such as debit card transactions and credits back to credit cards.

External Attack

  • Consumers are not the only ones who need to be protected from unscrupulous interests on the Internet.
  • Companies need to protect themselves against a world wide base of cybercriminals who can damage their reputations and profitability with attacks ranging from viruses to credit card theft.

Screening Routers

  • Routers known as screening routers can do more than just identify the best path for a packet; they can screen packets as well.
  • They look at not only whether they can forward a packet, but also at whether they should forward it.
  • This determination is made based on rules that the network administrator sets according to the company’s security policy.

An example

  • For example, if users inside a company need Web access but not File Transfer Protocol (FTP) access, a screening router can be configured to prevent all FTP traffic from traveling between the Internet and the company’s internal network. This setup would prevent employees from accidentally downloading a virus via FTP. It would also prevent employees from setting up an Internet-accessible FTP server on their PCs that could allow cybercriminals or hackers to see sensitive files.
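The screening-router policy from the example above, as an added illustration that is not part of the original page: a small first-match rule evaluator applied to constructed connection-request packets. The rule list, the addresses and the Packet/Rule types are assumptions for the demonstration; real routers express the same idea in their own access-list syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str        # source IP (constructed)
    dst: str        # destination IP (constructed)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port of the connection request
    direction: str  # "inbound" (Internet -> LAN) or "outbound" (LAN -> Internet)

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# Constructed policy for the page's example: Web access is allowed outbound, FTP is
# blocked in both directions, and everything not listed is denied. As on most
# screening routers, the first matching rule decides.
POLICY = [
    Rule("deny", proto="tcp", dport=21),                          # FTP control channel
    Rule("deny", proto="tcp", dport=20),                          # FTP active-mode data
    Rule("permit", direction="outbound", proto="tcp", dport=80),  # HTTP
    Rule("permit", direction="outbound", proto="tcp", dport=443), # HTTPS
]

def screen(pkt: Packet, policy=POLICY) -> str:
    """Return the action of the first matching rule; implicit deny if none match."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

Denying port 21 is what stops FTP sessions from being established at all, because the data channel is negotiated over that control channel; the implicit deny at the end is what keeps an internal FTP server unreachable from the Internet.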

Gateways or Proxy Servers

  • Proxy servers forward packets on behalf of PCs in a company’s internal network to the Internet.
  • When using a proxy, if a computer on the company’s network wants to request something from the Internet, instead of directly contacting the server it wants to access, it requests the information from the proxy server.
  • The proxy server then contacts the website and requests the information as if it were for itself.
  • After receiving the information, the proxy server forwards it to the appropriate computer in the internal network.

Benefits

  • The true identity of the computer requesting the information from a proxy server is hidden.
  • This has an important security benefit – it prevents the identities (in the form of IP addresses) of individual computers inside a company’s network from being published on the internet.

Faster

  • Many proxy servers support caching (temporary local storage) of recently requested information. This means that if several people in a company use the same website often, the proxy server will send a copy of the page from its local hard disk over the company’s local network instead of going onto the Internet and pulling the page down again.
  • This saves users time, because obtaining the document is faster over the local network; it also preserves Internet bandwidth.

One IP address

  • Because individual computers on the company’s local network are not directly accessing the Internet, they do not need to have globally unique IP addresses.
  • Only the proxy server needs to have such an address because (according to the other computers on the Internet) only it is making requests.
  • This makes it simpler to add new users to the internal network because addresses for computers on the local network need to be unique only to the local network, not worldwide.
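An added simulation (not code from the original page) of the proxy arrangement described in the last four sections: internal PCs with private addresses ask the proxy, the proxy fetches from the website using its own public address, and repeat requests are answered from its cache. The Origin and Proxy classes, the site name shop.example and all addresses are constructed for this example.

```python
class Origin:
    """A constructed stand-in for a website on the Internet; it records who contacted it."""
    def __init__(self, pages: dict):
        self.pages = pages
        self.seen_clients = []   # source addresses the website observed
        self.fetch_count = 0

    def get(self, client_ip: str, url: str) -> str:
        self.seen_clients.append(client_ip)
        self.fetch_count += 1
        return self.pages[url]

class Proxy:
    """Forwards requests on behalf of internal PCs and caches the answers."""
    def __init__(self, public_ip: str, internet: dict):
        self.public_ip = public_ip   # the only globally routable address on the LAN side
        self.internet = internet     # host name -> Origin (constructed stand-in for DNS + network)
        self.cache = {}              # url -> page body

    def request(self, internal_ip: str, url: str) -> tuple:
        """Return (body, served_from) where served_from is 'cache' or 'internet'."""
        if url in self.cache:
            return self.cache[url], "cache"          # served over the local network only
        host = url.split("/")[2]
        origin = self.internet[host]
        # The website sees the proxy's public address, never the internal private one.
        body = origin.get(self.public_ip, url)
        self.cache[url] = body
        return body, "internet"

def demo() -> tuple:
    site = Origin({"http://shop.example/catalog": "<html>catalog</html>"})
    proxy = Proxy("203.0.113.10", {"shop.example": site})
    first = proxy.request("192.168.1.20", "http://shop.example/catalog")
    second = proxy.request("192.168.1.21", "http://shop.example/catalog")
    # Two internal PCs, one Internet fetch, and only the proxy's address was ever seen.
    return first[1], second[1], site.fetch_count, set(site.seen_clients)

if __name__ == "__main__":
    print(demo())
```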

Firewalls

  • Firewalls can be actual computers with specialized software running on them, or they can be specialized pieces of hardware (such as routers) that are designed to perform firewall functions quickly.
  • A firewall sits between the Internet and anything a company wants to protect (such as a Web server or the company’s internal network).
  • A firewall functions similarly to anti-virus software for PCs, except that instead of looking on a hard disk for malicious content, it looks at packets coming over a network connection.

Stateful Inspection

  • Firewalls perform what is known as stateful inspection.
  • This means that rather than just looking at source and destination information, or the type of service the packet is used for, the firewall actually looks closely inside the packet to determine whether it could be harmful.
  • If a packet looks dangerous, the firewall will prevent it from passing into the company’s network.

Figure 2.6

A digital certificate/public key and a private key are set up on the merchant’s server through a third party.

  • A copy of the public key is sent to the user’s PC. The user accepts this certificate to create an SSL “pipe” between the user’s PC and the server.
  • An encrypted “tunnel” is created.
  • The certificate is used to encrypt data.
  • Encrypted data are sent to the server via the Internet.
  • The private key on the server decrypts the data.
  • The merchant’s server then stores and processes the information.

Questions

  • Does the class have any questions for me?

Copyright © 2003 - 2005 TransactionPages.com. TransactionPages.com is designed and maintained by ELWC, inc. TransactionPages.com is an operational division of ELWC Solutions.