Protecting Ecommerce Against The Man-In-The-Middle

By Rolf Oppliger, Ralf Hauser and David Basin
Published January 2007; Posted August 2007

Abstract:

Most ecommerce applications employ the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols [DR06] to authenticate the server to the client and to cryptographically protect the communication channel between them. It is widely and wrongly believed that these protocols are sufficient to protect Web-based ecommerce applications against man-in-the-middle (MITM) attacks. In an MITM attack, a third party typically “spoofs” or pretends to be the server, to fool the client. End users can be taken in by well-designed emails (phishing) and websites that look authentic (visual spoofing). Theft or forgery can result.
 

About the authors:

Rolf Oppliger, PhD, is the founder and owner of eSECURITY Technologies, a Swiss-based company that provides information security consulting, education, and engineering services. Ralf Hauser, PhD, is the founder and lead architect of PrivaSphere, a Swiss-based company that provides email and ecommerce security services. David Basin, PhD, is a full professor and has the chair for Information Security at the Department of Computer Science at ETH Zurich. He is also the director of the Zurich Information Security Center (ZISC).

Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at http://www.webtorials.com/reg/.