As we all know (well, all internet-savvy people know), you should never submit personal details of any kind over clear HTTP connections. You should always look for the padlock that signifies HTTPS. For the people that go the extra mile, you should also verify the validity of the SSL certificate associated with the page you are on.
This information has been standard advice for years, so I’m not teaching anyone anything new here.
This is all fine in theory. However, I have been amazed by the number of sites recently that seem to have URLs that bear no resemblance to the site that you have accessed. For example, one of my credit cards is issued by a major UK supermarket. However, when trying to sign into their online banking, the URL that I am presented with is “https://cardsonline-consumer.com”. Without some digging into the properties of the X.509 certificate, it is not obvious that I am on the correct site and that I haven’t been redirected to some hacking site. Similarly, today I went to purchase a gift for a friend’s birthday from http://www.frangrancedirect.co.uk and in order to pay online I was redirected to “https://www.ecgb.com”. As with the previous example, there was no obvious indication that this was the correct site until I traced it back to a UK bank. I realise that many of these services are hosted by third parties; however, there are a number of ways that this problem could be overcome easily.
You would have thought that with all the hype about the security of internet transactions that there has been in the last few years, companies providing these transactions would put a bit more thought into making the process of confidently shopping online easier for Joe Public.
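To make concrete what the padlock does and does not prove, here is an added example (not code from the original post) that performs the same checks a browser does on a certificate: does a DNS name in the certificate cover the host in the URL, and what does the Organisation field say about who holds it. It works on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, with a constructed certificate embedded inline so it runs offline; the hostnames, organisation and issuer below are invented placeholders, not any real site's details. Note that the name of the brand you think you are visiting never enters the check: a matching certificate proves the server controls the domain in the address bar, nothing more.

```python
"""What a browser's certificate check actually establishes.

Added example, not part of the original post.  Operates on the dict format
that Python's ssl.SSLSocket.getpeercert() returns, on a constructed
certificate, so no network connection is made.
"""

# Constructed certificate details (placeholders, not a real site's certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Payments Ltd"),),
                (("commonName", "pay.example-payments.test"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "pay.example-payments.test"),
                       ("DNS", "*.example-payments.test")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style match: exact, or a single '*' as the whole leftmost label."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if sep == "" or head != "*" or "*" in tail:
        return False  # only '*.domain' wildcards are accepted
    host_head, host_sep, host_tail = hostname.partition(".")
    # The wildcard must match exactly one non-empty label.
    return host_sep != "" and host_head != "" and host_tail == tail


def hostname_matches(cert, hostname):
    """True when the URL host is covered by a subjectAltName DNS entry."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        # Legacy fallback: old certificates carried the name only in the CN.
        sans = [v for rdn in cert.get("subject", ()) for k, v in rdn
                if k == "commonName"]
    return any(_dns_match(p, hostname) for p in sans)


def organisation(cert):
    """The O= field: the only human-readable hint about who runs the site."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None


def describe(cert, hostname):
    """Summarise what the certificate tells a user about the host they typed."""
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "organisation": organisation(cert),
        "issuer": issuer.get("commonName"),
    }


if __name__ == "__main__":
    for host in ("pay.example-payments.test",
                 "shop.example-payments.test",
                 "www.supermarket.test"):
        print(host, describe(SAMPLE_CERT, host))
```

Running it shows the third host failing even though nothing else about the certificate is wrong: the check is purely between the address bar and the certificate, which is why a payment page on an unfamiliar domain gives the user no link back to the brand they started from.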
Technorati Tags: security, shopping, banking, SSL, X.509
For the few people on the planet that didn’t hear the news yesterday, Mozilla announced the release of Firefox 2. This long awaited browser is finally out and looking good. For a full list of the new features, follow this link (here).
I downloaded the software yesterday and whilst I was surprised at first that I was able to get it at all (I assumed all the download sites would be maxed out), I was also surprised that 12 out of my 14 plugins upgraded and worked seamlessly with v2 from the outset.
Another great release from the folks at Mozilla.
Technorati Tags: browser, firefox, mozilla, web2.0
Next month Oracle are holding an Enterprise Architects Club in London. One of my main reasons for attending will be to listen to John Madelin of BT talking about Identity Federation.
Anyone else who is planning to attend, please drop me a line and we can meet up.
Technorati Tags: architect, security, identity, conference
Ping Identity recently published a post detailing some thoughts from a breakout session of the Federated User Group meeting on federation and how strong authentication can be handled (here). It was also commented on by my ex-colleague and friend, Paul Squires.
I find the entire subject extremely interesting at the moment since my current project is addressing this exact problem. We are implementing a federated architecture in which the user is required to strongly authenticate at their Identity Provider. A lot of the discussions of the Federated User Group were perfectly in line with what I am finding on my project. Paul also makes a good point about issues such as staged authentication and how these can be addressed.
One thing that I have found varies greatly among the various vendors of federation products (especially the ‘suite’ manufacturers) is the different ways in which they support tags such as the “AuthenticationContext”. Whilst some vendors (mentioning no names) will respect this attribute and allow you to assign trust levels based on it, others seem to completely ignore it.
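As an added example of the kind of check a service provider can perform itself when a product ignores the attribute (this is not code from the post or from any vendor's product), the following reads the `AuthnContextClassRef` from a SAML 2.0 assertion and maps it to a trust level. The assertion is constructed and unsigned; the trust-level table is an assumed policy, not a standard one; and in a real deployment the signature, issuer and `Conditions` would be verified before the authentication context is consulted. Unknown or missing class references deliberately map to the lowest level.

```python
"""Service-provider side check of the SAML 2.0 authentication context.

Added example, not the post's code or a vendor's product.  The assertion is
constructed inline and unsigned; signature and Conditions checks are out of
scope here and must happen first in a real deployment.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed local policy: trust level granted to each standard context class.
TRUST_LEVELS = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "TimeSyncToken": 2,
    AC + "Smartcard": 3,
    AC + "SmartcardPKI": 3,
    AC + "X509": 3,
}


def constructed_assertion(class_ref):
    """Build a minimal (constructed, unsigned) assertion carrying class_ref."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed" IssueInstant="2006-10-25T09:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2006-10-25T09:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authn_context_class(assertion_xml):
    """Return the AuthnContextClassRef text, or None when it is absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if el is None or not el.text:
        return None
    return el.text.strip()


def trust_level(assertion_xml):
    """Map the asserted context to a trust level; unknown or missing gives 0."""
    return TRUST_LEVELS.get(authn_context_class(assertion_xml), 0)


def meets_requirement(assertion_xml, required_level):
    """Decide whether the IdP's authentication is strong enough for a resource."""
    return trust_level(assertion_xml) >= required_level


if __name__ == "__main__":
    for ref in (AC + "Password", AC + "Smartcard", "urn:example:unknown"):
        a = constructed_assertion(ref)
        print(ref.rsplit(":", 1)[-1], trust_level(a), meets_requirement(a, 2))
```

The useful property of doing this on the service-provider side is that the decision no longer depends on whether a particular federation product honours the attribute: the assertion either carries a class reference the local policy recognises at the required level, or access to the sensitive resource is refused.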
As usual, the discussions at the user group included discussions on liability. As Paul quite rightly points out, I think this is the main problem holding back more widespread adoption of federation deployments within the UK. In the years I have been working with federation, I have seen a change, with more companies prepared to invest the time and money, not just in the technology, but also in the associated business arrangements. I think this will continue to be the case over the next 12-18 months.
Technorati Tags: authentication, federation, SAML, identity, sso, business
I have just finished reading Philip Pullman’s His Dark Materials trilogy. It was recommended by my sister and brother-in-law, who both thoroughly enjoyed it. I always blow a bit hot and cold with fantasy fiction and have started but given up on a number of these types of books in the past. Terry Pratchett springs to mind as one of those authors whose books I have never managed to get into.
However, since my sister recommended the trilogy, I thought I would give it a go. I must say, I was hugely impressed with the trilogy as a whole. They encompass some great characters with a mix of storylines all hanging around the central theme. Individually, I had mixed thoughts about the individual books.
The first book is Northern Lights. Whilst I enjoyed the book, I found it a little slow to get into. However, it did give you a good introduction to the characters. The pace picked up in the second book, The Subtle Knife, and started to bring the story together. However, by the time I got to the rather large third book, The Amber Spyglass, I was hooked and couldn’t put the book down.
You can always tell a good book because you spend every spare minute reading it. This was the case. My only slight embarrassment was when I went into the library to ask for the 2nd book and was told it was in the “Teenage Fiction” section. Not sure a 31-year-old guy should be reading teenage fiction. Oh well, at least it was recommended by my older sister!!