It has become increasingly important to ensure the integrity and security of communications and transactions conducted on the Internet. Internet users are subject to a variety of attacks, including pranks, attempts to gather private information, and outright fraud.
One of the most commonly used Internet communication protocols, referred to as Hypertext Transfer Protocol or “HTTP,” is relatively insecure and therefore subject to a variety of attacks. So-called “phishing” attacks use “spoofed” emails and fraudulent websites to fool recipients into divulging personal data such as credit card numbers, account usernames and passwords, social security numbers, and other private information. For example, a phisher might design a website to look like the site of a legitimate bank, credit card company, or other business. Consumers are then lured to the website (whose domain name or Internet address is often very similar to that of the legitimate business) by an email that is also designed and configured to look like it comes from the legitimate institution. Once at the website, the consumer is asked to log in or otherwise provide confidential information.
By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to fool up to 5% of their targets. These targets then become victims of credit card fraud, identity theft, and other forms of financial loss.
To avoid this outcome, some websites use a communications protocol referred to as Secure Sockets Layer, or “SSL”. When using SSL, a digital certificate is used in a negotiation process to confirm the identity of a server and to facilitate the exchange of encryption keys, resulting in the server and the client sharing a symmetric key used for subsequent encryption and decryption of data. As a result of this negotiation, SSL establishes a secure data channel between server and client, in which data passing between the two entities is encrypted.
A digital certificate is a compilation of information that includes the identity of the certificate owner and a public key that can be used to encrypt and sign information digitally. In addition, a digital certificate can contain other information, such as further information about the owner and any Internet domains the owner is authorized to operate from. Digital signatures are used to allow verification of the data contained in the certificates.
In conjunction with the SSL negotiation process, a browser evaluates the digital signature on a received certificate to determine if the certificate has been digitally signed by a trusted third party, known as a “Certifying Authority” or “CA”. The third party is an entity whose business is issuing such certificates and vouching for the identities of their owners. If a trusted third party has signed the certificate, the browser or client can assume that the information contained in the certificate is accurate. Other forms of certificate validation are also available.
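The evaluation described in the previous paragraph, shown as an added example that is not part of this document: a constructed root CA signs a server certificate for the host bank.example, while a look-alike certificate for the same host is merely self-signed; the client's chain check accepts the first and rejects the second because no trusted CA vouches for it. Only the Go standard library is used; the CA name, host name and serial numbers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a key pair and certificate for name; a nil signer makes it self-signed.
func issue(serial int64, name string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // a server certificate names its host and may not sign other certificates
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo setup only; production code would return the error
	}
	if signer == nil { // self-signed: the subject vouches for itself, nobody else does
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // re-parse so callers get a usable *Certificate
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// Demo reports whether the client accepts the CA-signed bank.example certificate and rejects a self-signed impostor with the same name.
func Demo() (genuineAccepted, impostorRejected bool) {
	ca, caKey := issue(1, "Example Root CA", true, nil, nil)
	genuine, _ := issue(2, "bank.example", false, ca, caKey)
	impostor, _ := issue(3, "bank.example", false, nil, nil) // no trusted third party signed it
	roots := x509.NewCertPool() // the client's trust store: only the constructed CA
	roots.AddCert(ca)
	_, genuineErr := genuine.Verify(x509.VerifyOptions{Roots: roots, DNSName: "bank.example"})
	_, impostorErr := impostor.Verify(x509.VerifyOptions{Roots: roots, DNSName: "bank.example"})
	return genuineErr == nil, impostorErr != nil
}
```

Verify also checks validity dates and that the requested host name appears in the certificate, so a certificate signed by the trusted CA for a different host would be rejected as well.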
Although SSL performs well, it incurs significant overhead, primarily in processing resources. Specifically, the encryption and decryption at the server limit the number of simultaneous clients that a single server can efficiently support.