
February 23, 2010

Rethinking Internet Trust and Reputation

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long term vision behind the initial release of a new Internet service.

Setting the standard for website trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best-practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between consumers and websites as an engine for economic growth?


Trust brokering as a network service

From the late 13th century Italian Renaissance, to the early 21st century global economy, trust has always been a fundamental tenet in the development of commerce and trade. In a world that is increasingly leveraging the web as a channel for customer acquisition, transaction and fulfillment, trust brokering is a critical yet missing network primitive. For enterprises to embrace SaaS applications, suppliers to join Internet marketplaces or consumers to select businesses on the web, the network needs trust brokering services that can certify and assert trust among parties with little prior knowledge of each other.


A pragmatic starting point for website trust
Web site trust is a multi-faceted problem. Authenticity, security, reliability, assurance, privacy and reputation are all important dimensions to ensuring trust. Therefore, setting the initial bar for Web trust is a significant challenge. Set the bar too low and the lack of substance in the attestation of trust makes it irrelevant to consumers. Set the bar too high and the economic barrier to entry makes the standard irrelevant for websites. Unless a pragmatic balance is achieved, the end goal of a complete standard for trust can never be achieved. Trust Seal is VeriSign's initial step to providing an end-to-end solution to this challenge. We hope to have achieved such an initial balance of pragmatic relevance to continuously raise the bar for trust on the Web in the years to come. So, on February 24th, 2010, what does it mean for a website to be VeriSign trusted?


Authenticity with business authentication
First it means that we have verified that the web site is authentic. Basically, we verify that the website is really who they say they are. We call this process business authentication. We make sure that the business owner owns the domain name and that the business is a legitimate business. Because bad guys can easily hide behind the façade of a professional web site, this is a very important step to establishing Web trust. By verifying the true identity of the website and the business behind it, accountability can be achieved. This is similar to what certificate authorities (the good ones) do when they validate an organization before issuing an SSL certificate for e-commerce. What we have done is extend a fundamental principle for trust in ecommerce to any Web domain, to any web site on the World Wide Web.


Safety with malware detection in the cloud
The second check is to evaluate how safe it is for a consumer to visit the website. We contemplated many different approaches. However, the last two years have taught us that the most dangerous thing that can happen to consumers on the Web is to be infected with malware. For that reason, we decided to tackle this significant safety issue of web malware first. The new VeriSign trust seal is dependent on a successful drive-by download malware scan. Each website is scanned daily. The seal display is automatically turned off when malware is detected. Remediation instructions are provided to the website to remove identified exploits.



Trust Signaling for the Web

consumers, we are reducing the trust signal to its simplest expression. The seal displayed on the site's web pages attests that the site is authentic and safe. This is where the VeriSign heritage comes into play. Millions of consumers are already familiar with the VeriSign Secured seal for SSL. We are maintaining the brand, but extending the scope and meaning of our trust mark. The VeriSign seal becomes a simple yet powerful visual cue for consumers to assess whether a website meets transparent criteria for authenticity and safety. Trust marks for ecommerce web sites are not new. However, we believe that any commercial website, transactional, non-transactional or social Web outlets of small and medium businesses could greatly benefit from trust marks moving forward.


Beyond the web site: trust signaling in search and directories
In the long run, trust and reputation assessment should become part of the discovery process of online businesses. Popularity and page ranks are one dimension of search. How much a site can be trusted ("trust rank") is an important measure as well. In fact, in the last few years, safe search has emerged as an important feature for search engines and end-point security clients. Both have already integrated features to detect, signal and block drive-by malware infected websites. "White lists" of trusted sites should prove an important complement to black lists for search and navigation. Therefore, we have been working to integrate the new seal as a trust indicator in search and directory services (more on that in a future post).



As you can see, the VeriSign Trust Seal encompasses many new features and the roadmap should keep the product and development teams busy for a while. We are thrilled to tackle one of the most critical and challenging Internet issues. So, give the new service a test run and let us know what you think.

February 16, 2010

Google Hacked or Why the Cyber World Could Get M.A.D**


As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were essential to the exploit.


For security folks, this was a meaningful event. The level of sophistication of the attacker was unprecedented. The attack was carefully crafted. The breach was severe. For tomorrow's cyber historians, however, the breach may prove to be a tipping point. In fact, it may even change the way the world approaches cyber security and cyber warfare. So, what makes the Google hack such a game-changer? Could it be the magnitude of the attack, the significance of the targets or even the rumored origins of the perpetrators? No, we must look somewhere else.


Start with Google. I have personally met members of the Google security team. There is no doubt that Google has a world class security team. So, if it happened to Google, it could have happened to any organization, be it private, governmental or foreign. This exposes a fundamental truth of cyber security: attackers always have the advantage. Indeed, there will always be the next zero-day vulnerability, the weak social engineering link or the unsuspected insider loophole. The Google hack simply makes the reality of cyber security more blatantly obvious and more public than any other attack before. In the cyber world, the old adage still prevails: "si vis pacem, para bellum".


This may leave governments and intelligence agencies worldwide with a difficult consideration. If the advantage lies on the attacker side, the only pragmatic cyber defense may well be cyber offense. Under this scenario, the most solid hope for protection becomes fear of retaliation. This is the old Mutually Assured Destruction (M.A.D) principle of the cold war. In tomorrow's world, the nuclear truth of yesterday takes on a new meaning: do not take my smart power grid down as I will shut down yours within seconds. Do not collapse the transactional backbone of my financial institution or yours will instantly follow the same fate. Yes, if the Google hack teaches us something, it is that cyber security agencies around the globe may soon have to consider M.A.D strategies.


Disturbing thought, flawed interpretation, or irrational conclusion? I certainly hope so since the comparison with nuclear warfare does not bode well for the good cyber security guys. With nuclear threats, at least, public opinion could find some illusion of comfort. The complexity of assembling nuclear weapons of mass destruction meant that only a handful of belligerent nations would be regarded as real threats. But here lies the second inconvenient truth of cyber warfare. When it comes to cyber terrorism, the barrier to entry is extremely low. In fact, it does not take much to build an effective cyber swat team. Training is cheap, fast and effective. Some say that it is already being done on the Internet. For sure, training material is available for free on the Web. The ultimate irony is that you can probably Google it.


**M.A.D: Mutually Assured Destruction



Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
