
Security needs of SME e-commerce companies of their ISPs

Judy Rogers
Supervisor: Jay Barnes
Faculty of Informatics and Design, Cape Peninsula University of Technology
rogersj@cput.ac.za

Abstract
This paper examines the security needs of e-commerce enterprises and the security services provided by their internet service provider (ISP). The ISP acts as the trusted third party that provides the connectivity for the e-commerce business to the Internet. The services provided by the ISP affect all online activity, and therefore selecting the correct ISP forms an important part of business strategy. Based upon the findings of the literature review, e-commerce security is a complex undertaking which remains a developmental obstacle.

Keywords. Certificate Authority (CA), Internet Service Provider (ISP), Trust, Digital Certificate, E-commerce

1. Introduction

Streams of sensitive data are continuously transmitted over the web and it is important for this data to be protected at all costs. Internet security is recognised as the methods used by an organisation to protect its corporate network from intrusion, and executives generally face a certain amount of conflict when potential profits outweigh security threats (Hawkins et al., 2000). One of the concerns consumers have is identity theft, and they are wary of providing their personal information to untrusted sources (Verisign, 2010; Kesh, 2010). One would like to believe that being security-wise applies to most consumers, but the ever rising fraud statistics tell another story. Part of the e-commerce business setup involves selecting an ISP, connecting to the internet, registering a domain and setting up a website. The business involves online transactions between parties utilising the internet. Consider a bricks and mortar establishment, say a shopping complex such as the Victoria & Alfred Waterfront in Cape Town: the services of a security company are obtained, and the company is carefully vetted by the business before it is allowed to provide its security services. Comparing this to an online business and its security requirements, we find a different scenario and discover a complex interrelationship between several important components such as SSL, digital certificates, certificate authorities (CAs) and internet service providers (ISPs). Any weakness in a single component can jeopardise the entire security system for the website and expose a large number of customers to vulnerability (Boardman, 2004; Ahmad, 2008; Kshreti, 2010). One of the aspects this research article focuses on is the security interrelationship between the small and medium enterprise e-commerce (SMEEC) and the ISP.
An ISP has significant influence on the feasibility and security of an e-commerce business and, generally, there appears to be a security trade-off when selecting a single server that hosts multiple sites. The most vulnerable arrangement is the shared server where each enterprise has its own File Transfer Protocol (FTP) account to create backups of data on the same server (Satti et al., 2000). Methods an enterprise may enable to secure its network include, among others, firewalls, user authentication, data encryption, key management and digital certificates, and three important mechanisms needed to secure the e-commerce system are merchant, transport and client security (Hawkins et al., 2000; Boardman, 2004).

2. Literature Review

2.1 Background to review

Figure 1: Online services

This review is a brief analysis of e-commerce security based on current research and must be regarded as a foundation or support for the topic. It investigates the relationship between the SMEEC and the ISP, including important aspects such as online security and whether the security policies and practices of the ISP are checked and tested. E-commerce security encompasses several technologies and elements, including the storage and safekeeping of information and maintaining its knowledge-value, networks, data privacy, secure socket layer (SSL), authentication and email. Security is the key factor that guarantees the model of trust on which the success of e-commerce depends (Ma & Liu, 2010; Jie & Hong, 2010). There are several important areas of security to be considered, such as SSL and the ISP. A study conducted by the Secure Socket Layer (SSL) Observatory, which is part of the Electronic Frontier Foundation (EFF) in San Francisco, found that browsers retained unused SSL certificates even after certificate authorities (CAs) had ceased operations. Further problems were highlighted in a presentation by Eckersley & Burns (2010): a large number of SSL sites did not have valid certificates, and a large number of organisations had been allowed to act as intermediate CAs without rigorous checks. It is important to understand the considerations in choosing the correct ISP in terms of security and liability, such as equipment location and ownership, right of access, connectivity and performance issues, ownership and control of data, service agreements, risks and indemnification (Lovell, n.d.).

2.2 E-commerce overview


E-commerce is defined as the use of computer networks to improve organisational performance, increase profitability, gain market share and improve customer service. It involves establishing a web page to support investor relations and the use of information technology to enhance communications and transactions with all of the organisation's stakeholders. It also offers a new type of commodity, digital products, i.e. knowledge-based goods such as audio or video delivered through digital processes. The enabling technologies are also used for non-commercial activities such as entertainment, communication, filing and paying taxes, and what characterises e-commerce is the pervasiveness of technology (Choi et al., 1997; Watson et al., 2007). There are several types of e-commerce, i.e. business-to-business (B2B), business-to-consumer (B2C) and consumer-to-consumer (C2C). The review for this topic focuses only on small and medium-sized (SME) B2C enterprises, because this type of business is intensely focussed on the customer, has only one CA and may still be overcoming its security challenges. E-commerce SME capability is measured by the ability to sell or buy products and collect payments online. These organisations are managed directly by their owners, i.e. the owners hold most of the shares, provide most of the finance and make most of the decisions (Al-Qirim, 2004). Figure 1 illustrates a type of B2C model in which a list of goods and services is made available to the general public over the internet. The web site is available 24 hours a day, giving consumers the opportunity to browse and purchase goods or services via a secure online payment system (Simon & Shaffer, 2001). Setting up an e-commerce business involves developing a website, finding and selecting an ISP, access to the internet, registering a domain name and consideration of legal issues. It also relies on a wide range of technologies such as the World Wide Web delivery system, networks, privacy of data, SSL, a reliable payment gateway and email (Ma & Liu, 2010; Lovell, n.d.).

2.3 Internet vulnerabilities


Vulnerabilities were discovered in the PKI (Public Key Infrastructure) when a practical attack scenario was executed and a rogue CA was successfully created and trusted by all common browsers. The certificate allowed the impersonation of any website, including banking and e-commerce sites. The attack took advantage of a weakness in the MD5 (Message-Digest Algorithm) cryptographic hash function known as an MD5 collision. Many CAs still use the MD5 hash function, and they are recommended to stop using MD5 altogether (Stevens et al., 2009; Soghoian et al., 2010). A report issued by Eckersley (2011) described a recent occurrence in which a hacker obtained fraudulent certificates from an HTTPS/TLS CA, posing a serious risk to internet security. It was found that the UserTrust UTN-USERFirstHardware certificate, owned by Comodo, one of the largest CAs on the web, issued these certificates. The certificates were issued for extremely high-value domains, including Google and Yahoo. To exacerbate the problem, revocation mechanisms were not in place, and users, especially those who did not instantly upgrade their browsers, were vulnerable. Data obtained from the SSL Observatory datasets showed that as of August 2010, 85,440 public HTTPS certificates were signed directly by UTN-USERFirstHardware, and indirectly this certificate delegated authority to a further 50 CAs, collectively responsible for 120,000 domains. Revoking this certificate would have resulted in an extreme complication whereby at least 85,000 websites would have had to rush to obtain new SSL certificates. The case of the 120,000 domains has been cited as even worse, as some of these domains are cross-certified by other root CAs. A catastrophe in which hundreds of thousands of secure websites might have had to shut down, had the decision been made to blacklist the CA, was fortunately averted when Comodo announced that the master CA private keys in its Hardware Security Modules had not been compromised (Skoudis, 2007; Eckersley, 2011; Eigeles, 2005; Paulson, 2010).

2.4 E-commerce security


Security is critical to the effective functioning of an electronic business (e-business). Security breaches may lead to service interruptions or the loss of sensitive business or customer information, so security must be given high priority when setting up an e-commerce website. The areas of security to consider include access attacks such as denial of service (DoS); the integrity and confidentiality of information, which must be maintained as this area is the traditional trade of the business; and damage to equipment and systems, which must be prevented. The other critical aspect of security is certification and PKI management, which is expanded on further in section 4 (Lovell, n.d.; Wang et al., 2010). The literature reviewed places the responsibility for e-commerce security squarely on the e-business owner. As the majority of e-commerce organisations rely on ISPs to host their e-businesses, it is imperative that they check the ISP's security policies and other related issues, which are explained further in section 5.

2.5 Public key infrastructure management


CAs act as the trusted third party, manage certificate requests and issue certificates to users. A digital certificate, considered to be tamper-proof, contains information identifying a user or device, such as the name, serial number, company, department or IP address, and acts as the entity's identity in everyday transactions. It also contains a copy of the user's public key. The certificate is signed by a CA that is explicitly trusted by the receiver to validate identities and to create digital certificates. To validate the signature of the CA, the user must first know the CA's public key, and must also be assured that the owner of that public key is who he says he is. Any CA can issue a digital certificate vouching that the subscriber controls any domain name, accurate or not (Gritzalis, 2005; Roosa & Schultze, 2010; Rattan et al., 2010).


Verisign defines an SSL certificate as a digital computer file, or a small piece of code, that has a number of functions, i.e. authentication and verification, and data encryption. This certificate is most reliable when issued by a trusted CA that has to follow a strict protocol about who may or may not receive an SSL certificate. HTTPS (Hypertext Transfer Protocol Secure) relies on certificates in order to ensure that the website the user is talking to is actually the website they want to talk to and not some person in Bulgaria (Verisign, 2010; Eckersley & Burns, 2010).

2.6 Internet service provider considerations


An ISP connects the e-business to the internet and affects everything that is done online, including the performance of the website, which makes it crucial to select the correct ISP as part of the e-business strategy. The e-business owner needs to understand the range of services offered by the ISP in order to ask the correct questions. Aside from numerous e-business requirements such as uptime and redundancy (the number of connections to the internet), the most important aspect is security related. The reliability of the hosting service includes checking on back-up servers and procedures, staying apprised of current security threats, effective load balancing (illustrated in figure 2), contingency plans and specific security measures such as antivirus software and firewall software. Electronic businesses need to ensure the ISP servers are located within a secure environment. The ISP should also consistently apply the latest antivirus software patches and provide a secure server for transactions. This includes ensuring the digital certificates are installed correctly. A correctly installed certificate with correct information gives the e-business assurance of the quality of the SSL connection, thus ensuring a safe and secure website. The certificate provides details of the CA, expiry date, encryption strength, organisation details etc. (Choi et al., 1997; Simon & Shaffer, 2001; Satti et al., 2000; Rowe et al., 2011). Satti et al. (2000) further explain that ISPs have significant influence on the feasibility, security and cost competitiveness of an e-business, but caution that if e-business owners store any valuable information on web servers housed at the ISP's data centre, close attention should be paid to the ISP's security policy. Server farms are extremely tempting for hackers, who with determination will gain entry if there is a poorly configured firewall or outdated antivirus software. The most vulnerable arrangement is when servers are shared by numerous companies and each has its own File Transfer Protocol (FTP) account on the same server to update web content or databases.

Figure 2: Distributing processes (Simon & Shaffer, 2001)
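The checks that sections 2.3, 2.5 and 2.6 ask of an e-business owner (which CA signed the certificate and with what hash, whether it chains to a trusted root, when it expires, how strong its key is, and whether a revocation mechanism exists) can be automated. The Go program below is an added example written for this edit, not code from the paper or from any cited project. It uses only the Go standard library: it builds a constructed private root CA and two server certificates in memory (every name, URL and date is invented), then runs one audit function over both. Because Go's x509 package refuses to sign with MD5, the defective certificate is signed with SHA-1 to stand in for a deprecated hash; the audit itself flags both.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature hashes a hosting check should refuse: MD5 (collision attacks) and SHA-1 (deprecated).
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true}

// AuditCertificate checks a server certificate the way an e-business owner should check the
// one its ISP installed: signing hash, RSA key size, expiry, an advertised revocation
// mechanism (OCSP or CRL URL) and a valid chain to a trusted root for the expected host
// name. An empty result means every check passed.
func AuditCertificate(cert *x509.Certificate, roots *x509.CertPool, now time.Time, host string) []string {
	var findings []string
	if weakSigAlgs[cert.SignatureAlgorithm] {
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key too short: %d bits", pub.N.BitLen()))
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate expired on "+cert.NotAfter.Format("2006-01-02"))
	} else if cert.NotAfter.Sub(now) < 30*24*time.Hour {
		findings = append(findings, "certificate expires within 30 days")
	}
	if len(cert.OCSPServer) == 0 && len(cert.CRLDistributionPoints) == 0 {
		findings = append(findings, "no revocation mechanism advertised (no OCSP or CRL URL)")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: host}
	if _, err := cert.Verify(opts); err != nil {
		findings = append(findings, "chain verification failed: "+err.Error())
	}
	return findings
}

// Sample is a constructed trust chain: a private root CA and two leaf certificates it
// issued, one correctly configured and one showing the defects the review warns about.
type Sample struct {
	Roots     *x509.CertPool
	Good, Bad *x509.Certificate
	Now       time.Time // fixed evaluation date, so the expiry checks are deterministic
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with the parent's key and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildSample generates the CA and both leaves in memory; every name, URL and date is constructed.
func BuildSample() *Sample {
	now := time.Date(2011, time.October, 1, 0, 0, 0, 0, time.UTC)
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Hosting Root CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// leaf issues a server certificate for the shop with the given key size, expiry,
	// signature algorithm and OCSP responder list.
	leaf := func(serial int64, bits int, notAfter time.Time, alg x509.SignatureAlgorithm, ocsp []string) *x509.Certificate {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		check(err)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), DNSNames: []string{"shop.example.com"},
			Subject:      pkix.Name{CommonName: "shop.example.com", Organization: []string{"Constructed SME Ltd"}},
			NotBefore:    now.Add(-24 * time.Hour), NotAfter: notAfter, SignatureAlgorithm: alg, OCSPServer: ocsp,
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return issue(tmpl, ca, &key.PublicKey, caKey)
	}
	// Correct installation: SHA-256 signature, 2048-bit key, a year of validity, an OCSP URL.
	good := leaf(2, 2048, now.AddDate(1, 0, 0), x509.SHA256WithRSA, []string{"http://ocsp.constructed-ca.example/"})
	// Defective installation: deprecated hash (Go's library refuses to sign with MD5, so
	// SHA-1 stands in), 1024-bit key, ten days of validity left, no revocation URL at all.
	bad := leaf(3, 1024, now.AddDate(0, 0, 10), x509.SHA1WithRSA, nil)
	return &Sample{Roots: roots, Good: good, Bad: bad, Now: now}
}

func main() {
	s := BuildSample()
	for name, c := range map[string]*x509.Certificate{"good": s.Good, "bad": s.Bad} {
		fmt.Printf("%s certificate: %q\n", name, AuditCertificate(c, s.Roots, s.Now, "shop.example.com"))
	}
}
```

Run against a real installation, the certificate would come from `tls.Dial` (the `PeerCertificates` of the connection state) and the roots from the system pool, while `now` would be `time.Now()`; the fixed date here only keeps the constructed sample reproducible. The good certificate produces no findings; the defective one is reported for its hash, key size, imminent expiry and missing revocation URL, and recent Go versions also refuse to verify its SHA-1 chain.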

3. Background to research problem

As a consumer of online goods and services, the author has a particular interest in e-commerce security. Due to the continual rise of online fraud, the author has a legitimate concern about whether e-commerce websites and ISPs are sufficiently secure to keep sensitive data, such as credit card details and other personal information, safe.

3.1 Research problem


E-commerce SMEs do not check whether the ISP hosting their secure websites are themselves secure.

3.2 Aim of study


The aim of this study is to explore:
- the level of understanding of computer security elements among SME e-commerce owners;
- whether the hosting companies' security policies are checked and tested;
- whether ISPs conduct their business at an acceptable level of security.


3.3 Research question


The main question, constructed after some deliberation and expanded on later in this paper, is: Do organisations that use e-commerce as a strategic business tool check and validate their ISP to ensure the security of online transactions?

4. Research methodology

This paper explores SMEEC knowledge and expertise of computer security and whether they check the security policies and plans of their ISPs. The research gathered for this paper draws on literature from peer reviewed articles and interviews with various respondents to present an overview of computer security knowledge and practices. A review of prior relevant literature is essential for an academic research project: it creates a foundation for advancing knowledge, facilitates theory development, uncovers areas where research is needed and contributes to the work (Barlette, 2008; Okoli et al., 2010).

4.1 Research techniques


Among the research options available, such as survey techniques using qualitative methods, an interview study was chosen to obtain a better understanding of the subject matter as well as a richness of data. The data collection technique was the convenience sampling method, the primary criterion for selecting cases being their easy reach, convenience or ready availability. This sampling method has the drawback of not representing the public as a whole, although, as Neuman (2003) states, it may be legitimate for a few exploratory preliminary studies and some qualitative research studies when the purpose is something other than creating a representative sample. The author attempted to produce a quasi-representative sample by selecting unique sectors and limiting the size of the companies; for example, all the companies interviewed consisted of 2 to 5 partners. The respondents undertook to willingly participate in an interview and, regarding ethical considerations, a letter of consent was obtained and forwarded to the respondent. In some cases, respondents requested the interview questions for perusal before the interview commenced. All interviewees were assured that information and/or data gathered would not be made available to anyone not directly involved in the study. Further, all data and/or information would be kept in a password-protected file and deleted at the end of the project. The author further assured the respondents that all names of people and companies would remain anonymous.

4.2 Data sources


Research was undertaken as follows:
- numerous peer reviewed articles sourced from various databases such as Emerald and IEEE;
- a list of ISPs selected from the Internet Service Provider Association (ISPA) website;
- a list of e-commerce websites selected from online directories;
- interviews of various participants.

The dataset consists of 9 semi-structured interviews with SMEEC and small ISP practitioners. Even though data was drawn from various market sectors such as hotel, art design and electronics, the primary criterion for this research is not sector specific, as it is the perception of the author that SMEECs are less likely than their larger counterparts to have checked the security of their ISPs; the target audience was therefore limited to SMEs in and around the central business district of Cape Town. Questions extracted from the literature and considered to be most important were constructed for the interviews.


TABLE 1: Interview sampling

Respondent* | Company type | Market sector                    | Area
1           | E-commerce   | Hotel                            | Sea Point, Cape Town
2           | E-commerce   | Financial services               | Milnerton
3           | E-commerce   | Art design                       | CBD, Cape Town
4           | E-commerce   | Furniture                        | CBD, Cape Town
5           | E-commerce   | Advertising                      | Parklands
6           | E-commerce   | Electronics                      | Constantia
7           | E-commerce   | Accommodation booking            | Claremont
8           | ISP          | Small company, port speed 10Mbps | Sea Point
9           | ISP          | Small company, port speed 10Mbps | Durbanville

* Details of sources withheld for confidentiality purposes. CBD: Central Business District.

5. Key findings

TABLE 2: Interview findings to research questions: SMEEC

Q# 1. Category: In-house security
1.1 Who is responsible for security in your company?
    Response: Majority response: the developer. One respondent took complete ownership.
1.2 How are you protecting your computers?
    Response: Antivirus and/or firewall and/or network protection. One respondent took full ownership.
1.3 Are you aware of the functions of the following security infrastructure: firewall, password authentication, data encryption, secure socket layer (SSL), secure e-mail (SMIME), digital certificate, digital signature, secure electronic transactions (SET)?
    Response: Most respondents were aware of the firewalls and passwords. Two people were well versed.
1.4 How serious would an information security breach be to your company?
    Response: A breach would be serious for all respondents.

Q# 2. Category: Policies and plans
2.1 Does your company have an Information Security Plan?
2.2 Does your company have a backup policy?
2.3 Does your company have a Disaster Recovery Plan (DRP)?
2.4 Does your company have an information security policy and, if so, do you comply with it?
    Response: All respondents except one did not have any security policies and plans in place. Some kept data backups off site.

Q# 3. Category: ISP evaluation
3.1 Have you had any security issues with your ISP?
3.2 What criteria did you use to choose your ISP?
3.3 What are the expectations for security from your ISP?
3.4 Does your ISP have an Information Security Plan?
3.5 Did you evaluate your ISP's security policy?
3.6 Does your ISP have a backup or DRP and did you inspect and test it?
3.7 Do you share a server with other clients?
    Response: Most respondents except one did not have criteria for choosing their ISP, nor did they evaluate policies or security practices. They assumed the ISPs to have good security. None had any security issues with their ISPs. One respondent responded extremely positively in that he had very specific criteria for choosing his ISP, i.e. selecting an overseas ISP, power supply, security and cost. He also tested his ISP's systems.

TABLE 3: Interview findings to research questions: ISP

Q# 1. Category: E-commerce security
1.1 What is the process if a prospective client wants an e-commerce website, from a security perspective?
1.2 What are your security expectations from certificate authorities?
1.3 What pertinent information is checked in the digital certificate, such as MD-5 and SSH?
1.4 How do you secure your server information in terms of networks, physical location, patch updates etc.?
1.5 How is administrative access to the server controlled?
1.6 How is the server physically protected?
1.7 How is the server monitored?
    Response: Both respondents' security measures were generally on par, although judging by the responses, one respondent's security measures appear to be a bit more stringent than the other's.

Q# 2. Category: Policies and plans
2.1 Do you have a backup policy?
2.2 Provide some details of your DRP.
2.3 Do you have an information security plan?
    Response: The first respondent did not document any policies; they are verbal and client specific. The second respondent showed a clear indication of stringent policy documentation and plans.

6. Discussion and conclusion

This study hypothesised that SME e-commerce practitioners do not check their ISPs' security and policies. The research approach was two-pronged, in that practitioners at each end of the scale were analysed in terms of their security policies and practices. Developing safety regulations and implementing security techniques is the key factor that guarantees the formation of secure e-commerce systems. The growing proliferation of malware, and current security measures taken by ISPs such as not controlling outbound traffic, continue to be a major concern (Parameswaran et al., 2007; Wang et al., 2010; Ma & Liu, 2010). Empirical research is therefore needed to discover what security practices are in place at SME e-commerce businesses and their ISPs, and what due diligence e-businesses undertake in terms of their ISP's security policies and practices to protect their e-commerce websites. Findings for SMEECs indicate that, even though the sample was one of convenience, a significant number of people had a poor understanding of internet security and related technologies, policies and the evaluation of their ISPs when measured against the literature review. General responses that emerged during the interviews were that respondents did not take ownership of their own security and generally left matters in the hands of the developer. The criteria for choosing an ISP were limited to recommendation and service delivery, with cost being a low priority. Security did not appear to be a primary concern for most respondents. Despite this, all respondents were adamant, when the question was posed, that a security breach would harm their business.

However, on a more positive note, the author was gratified to discover that one particular e-commerce practitioner was extremely conscientious about securing his business and pedantic about checking his ISP. His responses to all questions were strongly favourable, in that he had good knowledge of computer security and related technologies, implemented policies, and evaluated his ISP excellently, including checking and testing their policies. In response to the question regarding the criteria used to choose an ISP, his was chosen from the USA; his criteria included power supply, cost, security framework and infrastructure. Findings for ISPs indicate that security measures were generally on par, but only one ISP actually documented and continuously updated their policies; they also appeared to have a stronger security infrastructure. In conclusion, the author discovered that a significant number of people are not taking full responsibility and ownership of their security practices and policies, and did not think of evaluating their ISP's security practices and policies. Given these findings, it is quite clear that SMEECs are not thinking through their security requirements and policies, which generally indicates a lack of awareness of data security and policies.

7. Limitations and future work


Some limitations must be considered when interpreting the findings. Convenience sampling is not truly representative of the population; this method was selected due to time constraints and the easy reach of the target audience. The author attempted to produce a quasi-representative sample by selecting unique market sectors and small companies. There are still a number of areas that need to be addressed, such as analysing the ISPs' security policies in greater detail. For a future study, the net of the target audience needs to be widened, possibly using probability sampling as a research technique. A future study would also include drawing up some guidelines on how to select an e-commerce host.


8. References

Ahmad, W. (2008). Is Credit Card Fraud a Real Crime? Does it Really Cripple the E-Commerce Sector of E-Business? ICMECG, 364-370. Available from Emerald database: http://... [Accessed 9 October 2011].

Al-Qirim, N. (2004). Electronic Commerce in small to medium-sized enterprises: Frameworks, issues and implications. Idea Group Publishing. Available from: www.kalahari.com [Accessed 1 September 2011].

Barlette, Y. & Fomin, V.V. (2008). Exploring the Suitability of IS Security Management Standards for SMEs. HICSS, p. 308. Available from IEEE database: http://... [Accessed 4 October 2011].

Boardman, K. (2004). A critical analysis of electronic commerce security measures. Available from: http://www.cs.ru.ac.za/research/g01b0633/Documents/FinalPaper.pdf [Accessed 1 June 2011].

Choi, S., Whinston, A. & Stahl, D. (1997). Economics of Electronic Commerce. Macmillan Computer Publishing. Available from: www.amazon.com [Accessed 1 September 2011].

Eckersley, P. & Burns, J. (2010). An Observatory for the SSLiverse: Quick overview. Presentation. Available at: https://www.eff.org/ [Accessed 9 March 2011].

Eckersley, P. (2011). Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? Electronic Frontier Foundation. Available at: https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https [Accessed 9 March 2011].

Eigeles, D. (2005). Intelligent authentication, authorization, and administration (I3A). Information Management & Computer Security, 13(5), 419-434. Available from Emerald database: http://... [Accessed 17 May 2011].

Gritzalis, S. (2005). A good-practice guidance on the use of PKI services in the public sector of the European Union member states. Information Management & Computer Security, 13, 379-398. Available from Emerald database: http://... [Accessed 17 May 2011].

Hawkins, S., Yen, D.C. & Chou, D.C. (2000). Awareness and challenges of Internet security. Information Management & Computer Security, 8, 131-143. Available from Emerald database: http://... [Accessed 22 September 2011].

Jie, Z. & Hong, X. (2010). E-Commerce Security Policy Analysis. ICECE, 2764-2766. Available from IEEE database: http://... [Accessed 4 September 2011].

Kesh, S. (2002). A framework for analysing e-commerce security. Information Management & Computer Security, 10, 149-158. Available from Emerald database: http://... [Accessed 17 May 2011].

Kshreti, N. (2010). The Economics of Click Fraud. IEEE Security and Privacy, 8, 45-53. Available from Emerald database: http://... [Accessed 9 October 2011].

Lovell, M. (n.d.). E-Commerce: An Introduction, Part 1: Set Up. Available from: http://cyber.law.harvard.edu/olds/ecommerce/setuptext.html [Accessed September 2011].

Ma, X. & Liu, Y. (2010). Electronic Commerce Technology and its Security Problems. IITSI, 631-634. Available from IEEE database: http://... [Accessed 9 September 2011].

Neuman, L.W. (2003). Social Research Methods: Qualitative and Quantitative Approaches. Pearson Education.

Okoli, C. & Schabram, K. (2010). A Guide to Conducting a Systematic Literature Review of Information Systems Research. Available at: http://sprouts.aisnet.org/10-26 [Accessed 9 October 2011].

Paulson, L.D. (2010). How safe are secure websites. Computer Magazine, p. 17. Available at: http://delivery.qmags.com/d/?cid=1770959&sessionID=9BEE0456BEDB38689DAF4B783&cid=1770959&editionID=16436&platform=A& [Accessed 17 May 2011].

Parameswaran, M., Zhao, X. & Fang, F. (2007). Reengineering the internet for better security. Computer, 40, 40-44. Available from IEEE database: http://... [Accessed 3 October 2011].

Rattan, M.V., Sinha, M., Bali, V. & Rathore, S. (2010). E-Commerce Security using PKI approach. International Journal, 2, 1439-1444. Available at: http://www.enggjournals.com/ijcse/doc/IJCSE10-02-05-14.pdf [Accessed 13 June 2011].

Roosa, B.S.B. & Schultze, S. (2010). The Certificate Authority Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire. Intellectual Property, 22, 11. Available from Ebscohost database: http://... [Accessed 1 March 2011].

Satti, M.M., Garner, B.J. & Nagrail, M.H. (2000). Information security standards for e-business. Available from: http://www.macquarietelecom.com/whitepapers/Info%20Security%20Standards%20e-biz.pdf [Accessed 9 September 2011].

Simon, A.R. & Shaffer, S.L. (2001). Data Warehousing and Business Intelligence for e-Commerce. Morgan Kaufmann Publishers. Available from: http://amazon.com [Accessed 1 September 2011].

Skoudis, E. (2007). Can a certificate authority be trusted? Information Security Magazine, 2-3. Available at: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1253295_mem1,00.html?ShortReg=1&mboxConv=searchSecurity_RegActivate_Submit& [Accessed 1 March 2011].

Soghoian, C. & Stamm, S. (2010). Certified lies: Detecting and defeating government interception attacks against SSL. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1591033 [Accessed 14 June 2011].

Steven, B.R. & Schultze, S. (2010). The "Certificate Authority" Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire. Available from Emerald database: http://... [Accessed 1 February 2011].

Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A. & de Weger, B. (2009). Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. Available at: http://eprint.iacr.org/2009/111.pdf [Accessed 13 June 2011].

Verisign (2010). Beginners guide to SSL certificates. Identity, 1-6. Available at: http://www.verisign.com/ssl/ssl-information-center/ssl-resources/guide-sslbeginner.pdf [Accessed 21 May 2011].

Verisign (2010). Security and Trust - the backbone of doing business over the internet. Available from: https://www.verisign.com/static/044242.pdf [Accessed 18 March 2011].

Wang, L., Zou, C. & Zang, S. (2010). A Study on the Commerce Security Characteristics for Electronic Business. ICEE, 245-248. Available from IEEE database: http://... [Accessed 9 September 2011].

Watson, R.T., Berthon, P., Pitt, L.F. & Zinkhan, G.M. (2007). Electronic commerce, the strategic perspective. Creative Commons Attribution 3.0 License. Available at: http://globaltext.terry.uga.edu/userfiles/pdf/electronic%20commerce.pdf [Accessed 4 September 2011].

Wazan, A.S., Laborde, R., Barrere, F. & Benzekri, A. (2008). Validating X.509 Certificates Based on Their Quality. ICYCS, 2055-2060. Available from IEEE database: http://... [Accessed 25 May 2011].

Willis, N. (2010). EFF analyzes SSL certificates and certificate authorities. Available at: https://lwn.net/Articles/399585/ [Accessed 25 May 2011].

* Interviewee names withheld for reasons of confidentiality.


9. Definition of Terms

Certificate Authority (CA): an entity that issues digital certificates
Digital certificates: a form of electronic credentials for the internet
EFF: international non-profit digital rights advocacy and legal organisation based in the United States
Hash function: any well-defined procedure that converts a large amount of data into a small datum
HTTPS: Hypertext Transfer Protocol Secure
IE: Internet Explorer
IP: Internet Protocol
Localhost: a server application running on the user's computer
MD5: Message-Digest Algorithm
Mozilla browser: web browser such as Internet Explorer
OID: extension object identifier
PKI: Public Key Infrastructure
Revocation: an act of recall or annulment
RFC1918: a private network that uses private IP address space following the standard set by RFC1918
Rogue certificate: a false digital certificate used to secure websites
Root certificate: either an unsigned public key certificate or a self-signed certificate
SSL: Secure Socket Layer
SSH: Secure Shell, a network protocol for secure data communications
TLS: Transport Layer Security
USA: United States of America
Web: abbreviation for World Wide Web
Windows 7: the latest release of Microsoft Windows
X.509: a standard for public key infrastructure

