Users may face difficulty in determining the security of online communications and/or ensuring online communications are secure. Online communications may include transmitting or receiving data over electronic networks such as for example transmission of sensitive data, or documents containing sensitive data, performing sensitive transactions, or other electronic communications. Electronic networks may include for example the Internet, enterprise intranet, cellphone networks, wireless networks, or any other electronic communication channel.
FIG. 1 illustrates an example of online communications. As FIG. 1 shows there are numerous components involved when a user is communicating online. A client 140 may include electronic devices such as a computer, laptop, cellphone, WiFi client, WiMax client, bluetooth client, portable electronics device, Blackberry, iPod, iPhone, or the like. The client may include a software application such as for example a web browser operated by a user. In determining trust, the software application may access one or more Trusted Root Certificates (also sometimes referred to as “root certificates”).
The client 140 may be subverted, or be vulnerable to attacks such as for example: malware, virus, Trusted Root Certificate manipulation, man-in-the-browser, or the like. The client 140 communicates through a network entry component 120.
The network entry component 120 may be a wired or wireless component. The network entry component 120 may intercept and/or manipulate traffic such as for example DNS hijacking, DNS spoofing, proxy injection (either transparent or visibly), or the like. The network entry component 120 may be spoofed, hijacked, masquerade as another, evil twin, compromised, provided with malicious or incorrect information, manipulated, or act as a man-in-the-middle (MITM). This may occur with or without the users knowledge. The network entry component 120 connects the client 140 through a network 110.
The network 110 may facilitate electronic communication between entities. The network 110 may contain malicious hops or intermediary's that intercept and/or manipulate communications. The network 110 may be one or more of the Internet, cell phone network, wireless network, or any other electronic communication channel. The network 110 may facilitate communications with one or more destinations 100A, 100B, 100C where a destination may be a website.
A destination 100A, 100B, 100C may be identified by for example using secure credentials such as a server certificate, or less secure identification such as a hostname, IP address, alias, or the like. However, such identification may confuse a user, or contain misleading details, or otherwise be manipulated by a malicious attacker. Online communications using Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS) may be more secure but are reliant on the underlying technology as well as the user being able to parse and understanding all of the various details contained in an SSL/TLS server certificate and certificate chain.
When a user communicates online they may not be aware of or understand all of the underlying technology in use and may face difficulty determining how safe or secure their communications may be. The underlying technology may include:                Networking details (transport layers, hops, routes between client and destination, Domain Name Servers (DNS), what entities may have access to their transmitted, etc. . . . ).        Network security of their endpoint (wired network, wireless network, mobile network, enterprise, etc. . . . ). For example: wifi hotspots, motel, airport, coffeshop, student campus, work environment, friends LAN, WiMax network, etc. . . .        Whether appropriate security of the client is in place. For example: client-side antivirus software configured and running, etc. . . .        What technology is in place. More and more electronic devices are portable and used by users to roam, during roaming the underlying communications technology may change from one location to another. Users may roam and travel and use networks provided at motels, coffee shops, Wifi hotspots, WiMax networks, Internet providers, visiting client offices, or the like.        Using an unknown or uncontrolled computer (such as at a library, friend or relatives computer, work computer, or the like)        Rogue or misconfigured entity (network, network entry, access point, client-side software, malicious intermediary, name servers, etc. . . . )        Destination content. For example: using a HTML web form—where their data will be transmitted to or information about the communication channel, forms may be redirected to different location than what user thinks, or malicious javascript may intervene to redirect data or traffic. Another example: destination content may contain security or design flaws that a user may not be able to recognize        Using an unknown or uncontrolled network (for example: roaming with a laptop, iPod, iPhone, WiFi client over a wireless network)        State of Trusted Root Certificates of computer being used        State of vulnerabilities or patches of any or all technology being used (computer, web browser, anti-virus, anti-malware, or the like)        
Users may face difficulty with X.509 certificates such as one or more of:                Understanding various technical details of a X.509 certificate        Understanding how X.509 certificates relates to a security model such as SSL/TLS, VPN, SMIME, or the like. For example, a user may face difficulty in identifying a destination using a X.509 certificate        Differences between the Issuers, Policies, certificate types of X.509 and/or SSL/TLS certificates. For example, each Issuer may comply with different policies, as well an Issuer may have more than one policy.        Differences in policies in place and enforced. For example: different Certification Authorities (CAs) may use different Certificate Policy Statements (CPS) that vary in scope and intent in what they are certifying. Users may not have the ability or time to thoroughly examine such details, or they may later confuse or even forget relevant details.        Amount of due diligence by a Certification Authority (CA) in ensuring or validating the identity of an entity when certificate issued        The possibility of a weak key being used (for example, a recent weakness in Debian OpenSSL implementations were as a result of weak random numbers being used)        The encryption strength of a communication channel        What details are relevant for assessing security of a certificate chain        How long a public key pair have been in use. For example: some CA's allow re-certification or renewal of the same public key multiple times thus exceeding what a certificate may show as the age of a key, the longer a key is in use the more likely it may be broken or brute force cracked        Web browser certificate policies, zones, rules or the like        Ramifications of one type of certificate over another such as proxy certificates, Trusted Roots, certificate types, intended uses of a certificate        Variances in certificate path construction        Amount of due diligence underlying applications perform verifying or validating security, or entities. For example, in an online web browsing environment, users cannot easily tell whether the web browser performed revocation checking, or to what extent they verified or validated the destination website.        
Users may face difficulty with what the boundaries or thresholds are acceptable for different types, modes, or operations of online communications. For example:                What protocol(s) should be used under what circumstances and when one is required over another. For example: SSL may be used even in an insecure network as long as the destination certificate passes some tests.        What level of cryptography is sufficient for the purpose of the online communication (such as transmitting sensitive data, transmitting a document containing sensitive data, performing a transaction, or the like). For example: personal email may not require the same level of security as online banking        Differences in certificates. For example: some CA's have different levels of certification that might be acceptable for different grades or levels of transactions.        
Users may face difficulty knowing or keeping up to date with the latest security happenings such as one or more of:                Status changes for an entity or component. For example, a destination may become suspicious or unacceptable. Another example, a pattern or characteristics may emerge of the types of destination or software used of destinations as being vulnerable to an attack. Another example, information provided by an entity (such as DNS or DHCP servers) may be invalid or malicious. Another example, discovery of a security flaw in a software application such as the recent Debian OpenSSL weak random number generator.        Client software patches (e.g. web browsers, firmware, cellphone, iPods, iPhones, . . . )        Latest security updates, happenings, news, changes that affect security for communicating online        Latest best security practices. For example—cryptographic algorithms, cryptographic key sizes, communication protocols, procedures, policies, or the like        Evolving changes to SSL/TLS (versions, patches, etc. . . . ), X.509 certificates, certificate types (such as Extended Validation (EV)), Trusted Root Certificate changes, Object Identifiers (OIDs), certificate extensions, certificate path construction, protocol updates and deprecation of older versions, or the like        Latest safe and unsafe destinations. As data breaches continue to occur, end users may find it difficult keeping up with which are safe and which are unsafe.        
Users may face difficulting evaluating the level of security provided or performed by software applications. Additionally, there may be inconsistency or differences from one web browser to another, or even from one version to another.
In environments such as for example an enterprise network—a hetereogenous mixture of web browsers and/or versions may be deployed and in use. This may cause difficulties for the enterprise in understanding or controlling online communications. Additionally, each different vendor or version may decrease or worsen security. This may also increase the amount of testing required to ensure all web browsers are fully tested, and/or know which vulnerabilities potentially exist. Also users may face difficulty in knowing or keeping up to date with vulnerabilities as they are discovered.
Users may face difficulty in obtaining information needed to evaluate the risks or security of communicating online. For example, some devices may not readily provide certificate or SSL information such as current versions of the Apple iPhone or Apple iTouch. Another example, some devices may be too small to display SSL or certificate details. Another example, on some devices it may be too cumbersome to display certificate details—so certificate details may be left out or omitted.
Users may face difficulty evaluating the level of security present. The same device may present different security risks when used in different locations. Communicating using the same portable device used in one location may be safer than in another location. For example: a user using a Wifi client device may be safe connecting to their home Wifi access point but the same Wifi client device may be unsafe to use in a motel or coffee shop.
Different devices used in the same location may present different security risks. For example, a Blackberry device used in a WiFi hotspot may provide different security risks than an iPhone in the same location. However, it may be challenging for a user to distinguish such differences.
Networks may differ in the level of security they provide. For example: different vendors of the same network type (e.g. WiFi, WiMax, . . . ) may be implemented or configured differently and pose different security risks.
Network providers or wireless network aggregators may differ in terms of security that they provide. For example, Internet Service Providers (ISPs), coffee shops with Internet service, WiFi hotspots, or the like may each provide a differing level or security (or no security at all).
In a home family environment, some family members may face difficulty in protecting their online communications adequately. For example: parents may wish to protect their children from online predators or adult content, a working family member may need to communicate appropriately with their work. Another example: children may communicate online and face predatory aggressions through emails, instant messages, social networks, or the like.
A user may require user training or education in understanding and distinguishing one or more of security vulnerabilities, attacks, holes, or the like.
A user may face difficulty knowing what level of security is appropriate for different environments or what the level of security is for a specific communications environment. Attackers have a variety of attacks at their disposal that are ever evolving, as well the technology evolves or new technology comes into play.
Enterprises (such as employers, companies, organizations, or groups) may face difficulty in controlling or helping their users manage online communications.
The above are but a sample of the attacks or holes or variations, many more are possible.
Improvements in the area of the security of online communications may be useful.