NCJ Number
185005
Journal
White Paper Volume: 14 Issue: 5 Dated: September/October 2000 Pages: 30-35
Date Published
2000
Length
6 pages
Annotation
The current method of protecting Internet transactions -- Secure Sockets Layer (SSL) -- is inadequate; instead, Internet transactions must be protected by a "transaction security protocol."
Abstract
SSL encrypts, or scrambles, all information sent from an Internet browser to a Web site for a session or a period of time. This protocol is used on almost every e-commerce site. SSL provides only privacy and some limited, weak consumer and merchant authentication. This is no substitute for identity and transaction authentication, non-repudiation, and dispute resolution protection. There are a number of ways hackers can attack SSL. Without providing a complete how-to guide for criminals, this article describes an example of SSL's vulnerability; in this example, the criminal combines two well-known hacks with some knowledge of stock manipulation; he is then able to use other people's money to manipulate stocks and steal millions of dollars. Given the vulnerabilities of the SSL protocol, online transactions soon must be protected with digital signatures delivered through smart cards, USB tokens, or other technologies. A digital signature has similar properties to a physical signature in that only the owner can legitimately sign it, and most people can verify it. A digital signature is impossible to forge and any modification is easily detected.