Internet Explorer version 7 is expected to help users identify how secure a website is by using a colour-coded system. This feature will enhance the padlock symbol we have become familiar with. Similar features are also planned by the other major browsers. To decide how secure a website is, the browsers will analyse the website's SSL certificate.
SSL certificates are issued by Certification Authorities (CAs) and are used to encrypt the data transmitted to and from a website. A transaction is not secure simply because it is encrypted; it is vitally important to know that the business we are sending our confidential information to is who it says it is. Identity is key to security.
The problem is how we can be sure of the identity of a company purchasing a certificate. There are currently discussions on what the standard level of due diligence should be and who should carry it out. There is a lot of debate, and a strong opinion that we have to trust the CA to complete the due diligence on the company it is selling a certificate to.
I do not believe that it should be the role of the CAs to carry out this due diligence. Due diligence should be carried out by an independent third party that is experienced in these assessments. The third party should also be able to protect our credit/debit card details and have the authority to return any money obtained from us by deception/incompetence. CAs cannot offer this level of protection or accountability and therefore are not the organisations to shoulder this responsibility.
Online Transaction Services (OTS) are available from our major high street banks. OTS work very simply. On a consumer website we complete our shopping and are then handed over to a major bank's webpage. The handshake between the two sites is secure (using a certificate supplied by a CA) and passes information containing the merchant's online account details and the value of the order. We then provide our credit/debit card details to the bank, which processes the transaction and confirms that the funds are available. Assuming all is correct, the bank hands the client back to the consumer website and confirms that the transaction has been approved. The result is that I have placed my order online and the consumer website gets its money. As the consumer site has never seen my credit/debit card details, these are protected. If the consumer website fails to deliver the goods, then the bank is authorised to recover the funds.
I have been involved in integrating numerous OTS and I am impressed with the level of due diligence many of the banks use in the online merchant account application process. This is the only way to secure online transactions. We should legislate on standards for due diligence, but the responsibility should be with our experienced financial institutions, not the CAs.