SSL Is Still The Only Scalable and Rock Solid Payment Protocol Available
Atul Kahate speaks to Prof. Bebo White, a Stanford professor, noted researcher, and someone who has worked on some of the “Web” standards of today. They discuss Web 3.0, the history of the Internet, and the prevailing security standards and protocols.
AK: What are your thoughts on “Web 3.0”?
BW: I hate this term! I think it makes no sense at this time, although it is loosely used in the literature. I think the focus right now is on, and should be on, the new Web, which is called Web 2.0. I do not like that term either, but somehow it has stuck, and I am also using it. Web 3.0 means nothing at this moment. There are no standards, and no official body is working on it. So, it would be interesting to see how that shapes up.
“I hate the term web 3.0. Web 3.0 means nothing…”
AK: I am writing a book in the (local) vernacular Marathi on Internet History. I know that you have worked on the Web History project. What are your experiences?
BW: Oh wow! That is wonderful news. Yes, we did work on the Web History project, but there were a number of challenges. The people who created the Internet are on the verge of retirement, or have already retired. So, it is not easy to trace some of them. Secondly, as in any invention, a lot of mistakes have been made in the development of the Internet. But the companies who made those mistakes obviously do not want to talk about them now. Hence, it is not easy to get an accurate account of it. But we gathered whatever we could. The history of anything is very important, and must be preserved. So, what are you covering in your book? Are you talking about the people involved, or the chronology of events, or something else?
“It’s not easy to get an accurate account of web history…”
AK: It is a mixture. It talks about how the technology evolved, who were the key people, their idiosyncrasies, struggles, the technology itself, why it succeeded, and so on. For instance, I was so happy to discover during this process that it was an Indian who was the leader of the team which created the FTP and TELNET protocols.
BW (surprised): What? You said an Indian created these protocols? You mean, he wrote the code for these?
AK: Yes – Professor Abhay Bhushan from the Indian Institute of Technology, who went on to MIT. He did not code these himself, but was key to writing the RFC documents.
BW: Wow! That is a fantastic piece of information. See – this is what I mean. India should be proud of this achievement.
AK: Sadly, no one knows this.
BW: Exactly. This is precisely what we should work on.
AK: Talking on another subject, what is your take on security trends of today and tomorrow?
BW: Are you talking about any specific situation?
AK: I am mainly asking from the point of view of standardization. We have SSL as the only real protocol that has withstood the test of time for so many years.
BW: Yes, it has. That is the only thing the new generation knows about Netscape! They do not know, for example, that there used to be a browser from this company that was a world leader. And remember, we are talking about times that were not generations ago. We are talking about the 1990s! And so many things seem to have happened so fast that we think it was very long ago! That is what I think has happened to the Web history. People think it is very old because of the pace of events and the sheer number of things that have happened. But actually, it is only a few decades that we are talking about.
“SSL is the only thing the new generation knows of Netscape…”
“Web history is only a few decades old…”
AK: There have been so many online payment protocols, but none succeeded. What is your take on that?
BW: Quite true. I think everybody has got it wrong. Also, the biggest question is, after devising a protocol, can you make it scalable? Can you make it work in all sorts of situations? That is where the problem lies. SSL has succeeded in doing that, and that is why it is rock solid! People need to learn from that.
“SSL is rock solid…”
AK: A huge criticism of SSL, or for that matter, the whole idea behind Internet Security is the fact that just one company (VeriSign) holds the security of the entire world! If something goes wrong at their end, what would happen? Would the whole thing not collapse?
BW: That’s right. It is a valid concern. But then there are no better solutions available! There was this attempt, what was it called? An alternative to PKI? …
AK: Key rings as in PGP?
BW: Yes – yes. That is the one. But then, it cannot scale. It cannot be used on a commercial basis. It is fine for emails, but not for other applications.
“Key rings – PGP does not scale…”
AK: Taking the same point forward, did you have a chance to work with the likes of Vint Cerf (the person who was the main contributor to the TCP/IP protocol suite) or Tim Berners-Lee (the father of the World Wide Web)?
BW: Vint Cerf – no. But Tim – yes. We were together at CERN. I have met him several times. He also speaks in our Web Conferences regularly.
AK: I have read in a couple of books that he had opportunities to take up lucrative commercial offers, but he decided to concentrate on what he wanted to do, which is very rare.
BW: Yes, that’s right. I am sure he has had several offers. But he just stuck to what he wanted to do. It is pretty rare, actually. Hats off to him!
AK: What do you think are the new trends? Where should we focus?
BW: I think Web Engineering and Web Science are going to be very interesting. At this stage, it is tough to say what they would involve. But I can see they are going to attain a lot of significance. For example, the way we have Software Engineering as a discipline, we would have Web Engineering. What it would include and what it would not will evolve in due course of time. The trouble is, until then, it is very tough for professors to come up with courses around these subjects, because students would ask, what would I do with this knowledge?
“Web Engineering will be a separate new discipline…”
BW: Let me ask you a question. What do you think are the challenges when you deal with a subject like security?
AK: I would look at it as a two-step process. One is the design. For example, do I need authentication, and if yes, of what kind? How would I take care of network security related issues? And so on. Then I would worry about algorithms.
BW: I see. Ok, what would be your take on the algorithms? Would you use AES? Would that not make things slow?
AK: I would go for Blowfish, I think. Fast, simple, and designed by none other than Bruce Schneier himself!
BW: I would tend to agree. Just wanted to know your views.