Shop, Swipe and Smile.  With SmartSwipe it is that easy.

Since its introduction in 1994, SSL (Secure Sockets Layer) has been the de facto standard for internet transaction security. It is a low-cost, widely accepted technology that does not require elaborate customization. Furthermore, once data has been SSL encrypted it has proven virtually impossible to crack with the processing power of a typical personal computer. For example, it would take approximately 10^22 years on a corporate computer network (searching a billion keys per second) to crack the commercially available SSL encryption algorithms in current use (source: Web Security, Privacy, and Commerce, S. Garfinkel & G. Spafford, O'Reilly, 2002).

SSL was specifically designed to protect information in transit, that is, only from the point where the information leaves a computer. Therefore, one of its inherent weaknesses is that it leaves information vulnerable and unprotected while it resides on the personal computer prior to encryption (Keyjacking: The Surprising Insecurity of Client-side SSL, John Marchesini, S.W. Smith, Meiyuan Zhao, 2004).

Exploiting the Endpoint: The SSL Security Chasm

Given the tremendous effort required to break into modern corporate networks, organized cybercriminals have shifted their focus away from highly protected corporate servers and focused instead on the weakest link in the online security chain – the end user's personal computer.
[Figure 1]

While corporations have invested millions of dollars securing their network infrastructure against cyber attacks, the same cannot be said of the personal computer user. The typical computer user's failure to install and maintain even basic security measures such as antivirus software and security updates has made it increasingly easy for organized cybercriminals to steal their sensitive data for financial gain.

Cybercriminals have developed a number of sophisticated hacking tools to circumvent SSL encryption and steal sensitive information at the endpoint, including:
  • “Man in the Browser”: Exploiting the lack of security at the browser level on the user's PC, the attacker steals information as it is being entered into a web form.
  • Keylogging: User keystrokes or mouse movements are captured and recorded. These attacks can be hardware- or software-based.
  • Memory Sniffing: Malicious software is secretly installed on a user's PC. The software gains access to the computer's memory in order to steal sensitive information.
  • Spyware/Crimeware: This is malicious software that appears to be a benevolent program (such as a software update). These programs are able to monitor user actions and collect sensitive information, which is then sent to a third party.
  • Viruses: A virus can infect a program or operating system to steal data.
  • Keyjacking: A scary attack whereby malware or viruses on the local PC silently export the SSL session keys used to protect the transaction.

While SSL is essentially secure, the potential for security breaches at the personal computer endpoint undermines the entire SSL infrastructure on which many systems are built. This poses a grave problem to those who conduct business online – in particular those who are required to guarantee the security of an online transaction.

Traditional solutions to endpoint security rely on custom protocols or proprietary authentication architectures that are not interoperable with SSL. In many circumstances, particularly in anonymous or distributed environments (such as online commerce) where interoperability with SSL is a requirement, synchronization of client and server systems with a proprietary security protocol is simply not feasible.
