External Resources

There are many sources of information on how TLS/HTTPS is a strong solution to the problem of Phishing:

An Introduction to the SSL Protocol

  • An Introduction to Mutual SSL Authentication: Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity. In technology terms, it refers to a client (web browser or client application) authenticating themselves to a server (website or server application) and that server also authenticating itself to the client through verifying the public key certificate/digital certificate issued by the trusted Certificate Authorities (CAs). Because authentication relies on digital certificates, certification authorities such as Verisign or Microsoft Certificate Server are an important part of the mutual authentication process. 
  • How SSL-TLS Works: SSL, and its successor, TLS is a protocol that operates directly on top of TCP (although there are also implementations for datagram based protocols such as UDP). This way, protocols on higher layers (such as HTTP) can be left unchanged while still providing a secure connection. Underneath the SSL-TLS layer, HTTP is identical to HTTPS.

Important Technical Details:

The Financial Services Technology Consortium's White Paper on Mutual Authentication

  • Position Paper for W3C Workshop on Transparency & Usability of Web Authentication: Motivated by concerns that customer confidence in the online financial services channel is waning due to perceptions of vulnerability to fraud, FSTC’s “Better Mutual Authentication” Project has convened a group of major financial institutions, industry associations, technology vendors, and government entities to examine the larger problem of authentication within the context of online retail financial services. This paper presents a few of the project participants’ insights into the challenges of Web authentication and how to improve it; many of which have applicability beyond the financial services industry.

Academic Review of TLS and TPM

  • Preventing Phishing Attacks Using Trusted Computing Technology, 2nd Location: Most secure web sites use the SSL/TLS protocol for server authentication. SSL/TLS supports mutual authentication, i.e. both server and client authentication. However, this optional feature of SSL/TLS is not used by most web sites because not every client has a certified public key. Instead user authentication is typically achieved by sending a password to the server after the establishment of an SSL-protected channel. Certain attacks rely on this fact, such as web spoofing and phishing attacks. In this paper the issue of online user authentication is discussed, and a method for online user authentication using trusted computing platforms is proposed. The proposed approach makes a class of phishing attacks ineffective; moreover, the proposed method can also be used to protect against other online attacks.

SANS Overview of Authentication Solutions

  • Secure Authentication on the Internet: Malicious applications targeting financial account information have increased dramatically over the last years. The number of online applications is growing strong. The ease of use of the Internet and the growing user base make a perfect target for criminals. Attacking thousands of users is achievable with only one click. The methods used by these criminals vary immensely, but they have one thing in common: they are getting more and more sophisticated. With these increasing threats, governments are issuing stronger legislations and companies are realizing that their current systems can not thwart current attacks anymore. To counter these threats, current authentication systems have to be adopted. Not only the criminal side has made advances in the last years. The security industry developed new mechanisms and protection systems to thwart even the most sophisticated attacks. This paper covers current Internet authentication mechanisms and possible attacks. It helps the reader to understand todays issues with authentication mechanisms. To understand the attack vectors, one has to know the current attack trends. Authentication systems can be classified according to their resistance against common attacks. Ten different authentication systems will be introduced and classified accordingly.

Real World Usage in Estonia

A Patent on a Novel Approach to Digital Certificates

  • Identity-independent authentication tokens: Identity-independent authentication tokens enable issuance of a single strong credential that can be mapped to an individual at each of multiple accounts within the online world. An issuer generates one or more authentication tokens for issuance to individuals or other entities. In some instances, each of these authentication tokens comprises a unique serial number. The individual or other entity may then request an authentication token from the issuer. The issuer may then issue the token to the individual without the need to ask or require the individual to identify his or herself. The individual may then map this issued authentication token to the individual's password at each of the individual's online account.