Protecting Ecommerce Against The Man-In-The-Middle
By Rolf Oppliger, Ralf Hauser and David Basin
Published January 2007; Posted August 2007
Most ecommerce applications employ the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols [DR06] to authenticate the server to the client and to cryptographically protect the communication channel between them. It is widely and wrongly believed that these protocols are sufficient to protect Web-based ecommerce applications against man-in-the-middle (MITM) attacks. In an MITM attack, a third party typically “spoofs” or pretends to be the server, to fool the client. End users can be taken in by well-designed emails (phishing) and websites that look authentic (visual spoofing). Theft or forgery can result.
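A small model of the point made above, added here as an example and not taken from the article: TLS host-name validation (a simplified form of RFC 6125 matching, assumed) is satisfied by any server that holds a valid certificate for the name the client connected to, so a look-alike phishing host with its own certificate passes the TLS check, and only a separate check of whether that host is the one the user intended reveals the spoof. All host names and certificates below are constructed.

```python
"""Why a valid SSL/TLS handshake alone does not stop a spoofed-server MITM.

Certificates and host names are constructed for illustration; the
matching rule is a simplified version of the RFC 6125 host-name check
that a browser performs (exact match or a single-label wildcard).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 server certificate."""
    subject_alt_names: tuple[str, ...]
    valid: bool = True  # chain validation result, assumed already computed


def hostname_matches(cert: Certificate, host: str) -> bool:
    """Simplified RFC 6125 check: exact SAN match or one-label wildcard."""
    host = host.lower().rstrip(".")
    for name in cert.subject_alt_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.bank.example" -> ".bank.example"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def tls_accepts(cert: Certificate, host: str) -> bool:
    """What TLS guarantees: the peer holds a valid cert for the host we dialled."""
    return cert.valid and hostname_matches(cert, host)


def intended_site(host: str, expected_hosts: frozenset[str]) -> bool:
    """The check TLS does not make: is this the site the user meant to reach?"""
    return host.lower() in expected_hosts


# Constructed scenario: the real bank and a look-alike phishing host,
# each holding a certificate that is valid for its own name.
BANK = "www.bank.example"
PHISH = "www.bank-login.example"
BANK_CERT = Certificate(("bank.example", "*.bank.example"))
PHISH_CERT = Certificate(("bank-login.example", "*.bank-login.example"))
TRUSTED = frozenset({BANK})  # e.g. the user's bookmark, not a clicked link


def assess(host: str, cert: Certificate) -> dict[str, bool]:
    """Both verdicts side by side: TLS passes the spoof, the intent check does not."""
    return {"tls_ok": tls_accepts(cert, host), "intended": intended_site(host, TRUSTED)}
```

The defensive lesson is that the second verdict has to come from somewhere other than the TLS handshake, such as a bookmark, a typed address or a server-side channel binding.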
About the authors:
Rolf Oppliger, PhD, is the founder and owner of eSECURITY Technologies, a Swiss-based company that provides information security consulting, education, and engineering services. Ralf Hauser, PhD, is the founder and lead architect of PrivaSphere, a Swiss-based company that provides email and ecommerce security services. David Basin, PhD, is a full professor and has the chair for Information Security at the Department of Computer Science at ETH Zurich. He is also the director of the Zurich Information Security Center (ZISC).
This article is reproduced by special arrangement with our partner, Business Communications Review.