Speaker: Amir Herzberg, Bar Ilan University.
Title: Fixing the Web Trust Model
Abstract:
Fraud is increasing on the Web at alarming rates. We trace the problem
to difficulties with the current web trust model, and suggest
improvements in the user interface and simple cryptographic protocols. One
difficulty is that only a minority of web sites use SSL/TLS
protection, which is essential for security against "Man In
The Middle" adversaries. In fact, even sensitive sites and login
forms are often not SSL protected. Even if a site is protected, it may
use a CA which is untrustworthy. We suggest UI improvements to fix
these problems, and to make users aware of the protection status of a
page and of whether its identification rests on a trustworthy CA.
Another problem is that identification is currently based on the URL; users are not cognizant of the structure of URLs and domain names, and do not notice a mismatch between the URL and the identity claimed by the site. This problem exists for both SSL and non-SSL sites. We suggest the inclusion of a "site identification" field which identifies the site by logo or name, selected either by the user (a "petname") or by a trusted authority (e.g. a CA).
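As an added illustration (not TrustBar's own code, and not part of the talk), the following JavaScript sketches the binding the abstract describes: a user-chosen petname is stored against the identity the browser actually verified (canonical hostname plus issuing CA), so that a look-alike URL, a certificate from an untrusted CA, or a non-SSL copy of the page does not inherit the petname; the CA-trust check from the first paragraph is folded into the same lookup. The PetnameStore class, the "none" marker for plain-HTTP bindings, and the sample hosts and CA names are assumptions made for this example.

```javascript
// Illustrative petname store; an assumption for this example, not TrustBar's code.

// Hostnames are compared as whole, lower-cased labels without a trailing dot,
// so "www.bank.example.attacker.example" never matches "www.bank.example".
function canonicalHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// A petname is bound to the pair (host, issuing CA). A site reached over plain
// HTTP has no certificate, so its CA part is the literal marker "none"
// (an assumed convention for this example).
function identityKey(host, issuerCA) {
  return canonicalHost(host) + "|" + (issuerCA ? issuerCA.trim() : "none");
}

class PetnameStore {
  constructor(trustedCAs) {
    this.trustedCAs = new Set(trustedCAs); // CAs the user/browser trusts
    this.entries = new Map();              // identityKey -> petname
  }

  // Called when the user names the site currently being viewed.
  bind(host, issuerCA, petname) {
    this.entries.set(identityKey(host, issuerCA), petname);
  }

  // Called on every page load to decide what the site identification field shows.
  // load = { host, tls: boolean, issuerCA: string|null }
  indicator(load) {
    if (!load.tls) {
      // No SSL/TLS: the host is whatever the network claimed, so any petname
      // is shown as unverified and the status is flagged.
      const petname = this.entries.get(identityKey(load.host, null));
      return {
        status: "unprotected",
        label: petname ? petname + " (unverified)" : canonicalHost(load.host),
      };
    }
    if (!this.trustedCAs.has(load.issuerCA)) {
      // Certificate from a CA the user does not trust: do not show a petname
      // that was bound under a trusted CA, even though the host string matches.
      return { status: "untrusted-ca", label: "Unknown site (CA: " + load.issuerCA + ")" };
    }
    const petname = this.entries.get(identityKey(load.host, load.issuerCA));
    return petname
      ? { status: "protected", label: petname }
      : { status: "protected", label: "Unknown site: " + canonicalHost(load.host) };
  }
}

// Constructed sample page loads (not real sites) exercising each case.
function demo() {
  const store = new PetnameStore(["Trusted Root CA"]);
  store.bind("www.bank.example", "Trusted Root CA", "My Bank");
  store.bind("news.example", null, "Daily News");
  return [
    { host: "WWW.Bank.Example.", tls: true, issuerCA: "Trusted Root CA" },          // genuine
    { host: "www.bank.example.attacker.example", tls: true, issuerCA: "Trusted Root CA" }, // look-alike
    { host: "www.bank.example", tls: true, issuerCA: "Shady CA" },                  // untrusted CA
    { host: "www.bank.example", tls: false, issuerCA: null },                       // login form over HTTP
    { host: "news.example", tls: false, issuerCA: null },                           // named non-SSL site
  ].map((load) => ({ host: load.host, ...store.indicator(load) }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of keying on the full canonical host plus CA, rather than on a substring of the URL, is that the user never has to parse the URL: the field shows "My Bank" only when both the host and the issuing CA are the ones the petname was bound to.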
We also discuss some non-SSL solutions, to provide security in situations where SSL is not applicable (e.g. due to overhead). Finally, we explain how browsers can securely present credentials, ratings and "seals" of sites, e.g. for security, privacy, quality, and other attributes of a site and of a particular page.
An open-source implementation of our ideas is available at http://TrustBar.MozDev.org.
Biography:
Prof. Amir Herzberg received B.Sc. (Computer Engineering),
M.Sc. (Electrical Engineering) and D.Sc. (Computer Science) degrees from the
Technion, Israel, in 1982, 1987 and 1991, respectively. Since 1982, he
has worked in software and systems R&D, mostly in security and networking,
in several organizations and companies. During 1991-2000,
Prof. Herzberg held research and management positions at IBM
Research (New York and Israel). Later, he was CTO at a startup, and
since 2002 he has been an associate professor in the Computer Science department
of Bar Ilan University. His current research is mainly in applied
cryptography, secure communication and secure
e-commerce. Prof. Herzberg provides consulting and education services
to R&D companies and to the banking, communications and government
sectors. Many of his lectures and publications are available at
http://AmirHerzberg.com.