
The backend is the key to e-commerce success in Asia

by Seamus Phan

When every customer is talking about how secure e-commerce is in Asia, the real key to a secure and safe e-commerce system is not just the web browser, but the supplier's e-commerce infrastructure.

When you hear the media talk about e-commerce, especially the business-to-consumer (b2c) kind, more often than not, you hear authentication, encryption, credit card verification, and so on. However, not too many people seem to mention that for e-commerce to be safe in Asia Pacific, the level of encryption is one of the key concerns.

The paranoia of America

The United States of America has determined that encryption algorithms are munitions since its inception, and allowed only 40-bit encryption to be exported (excluding to Canada). Therefore, most encryption systems employed in web browsers, web servers, and secure e-commerce systems outside the United States are restricted to 40-bit encryption, while the United States and Canada enjoy 128-bit encryption. Of course, the United States claimed that 40-bit encryption was sufficient then, but had to eat its words when it was proven wrong, many times over, by various white-hat hackers who managed to crack 40-bit and 56-bit DES encryption in a few hours, using brute force hacking, with nothing more than personal computers. Although Phil Zimmermann wrote the PGP (Pretty Good Privacy) algorithm some time ago and provided up to 2,048-bit encryption, he was trapped in the US legal system for a long time before the case was dissolved. Still, PGP did not enjoy any significant level of success, simply because it was an encryption algorithm in need of an e-commerce backbone. To date, no major e-commerce architecture employs PGP.

For users out there, if you need to know how secure your web browser is, just type https://www.fortify.net/sslcheck.html and you will see a page showing the list of keys your web browser can handle. There are a total of 7 possible keys shown, namely, RC4 (128-bit), RC2 (128-bit), Triple-DES (168-bit), IDEA (128-bit), DES (56-bit), RC2-Export (40-bit), and "No Encryption cipher". More likely than not, your web browser (Netscape Communicator, Microsoft Internet Explorer, or Mosaic) should return a string saying "You have connected to this web server using the RC4-MD5 encryption cipher with a secret key length of 40 bits. This is an export-grade encryption connection, widely regarded as being inadequate for sending or receiving sensitive or valuable information across a network. In a crude analogy, using this cipher is similar to sending or storing your data inside a paper envelope - compared to a U.S.-domestic grade cipher which is similar to using a high quality safe to protect your data. The U.S. Government classes this cipher as being suitable for sale to non-U.S. citizens."

If you are planning to set up an e-commerce web site for your organization selling products and services, more likely than not, you will be trapped with 40-bit encryption throughout your system, including routers, firewalls, web server software, and other related solutions. With that, no consumer can feel genuinely safe ordering products and services from you. Certainly, the business community, through business-to-business (b2b) e-commerce, would find 40-bit encryption anemic at best, and would immediately dismiss and distrust such systems. Banks in Asia would definitely not want to be part of approving an e-commerce architecture for an organization that relies on 40-bit encryption alone.

The grading system for your server

Web servers can be categorized according to their respective encryption capabilities.

Class A servers only accept weak, export-grade 40-bit SSL (secure sockets layer) connections, regardless of the browser being used. This means that even if you are residing in the USA, and connect with a domestic 128-bit Netscape Communicator to such a site, you will still connect at 40-bit level only. The international versions of Microsoft's IIS and Netscape's Enterprise Server fall into this category. These servers are generally regarded as inadequate for any purpose that involves the need for security, privacy, authentication or message integrity. No bank in Asia would trust such a setup and would generally disapprove it for e-commerce purposes. If your organization is only interested in internal semi-secure communications and does not need a high level of security, then a Class A server would suffice.

Class B servers are full, 128-bit capable servers that originate outside the USA, and therefore do not fall under the USA's munition and national security laws. Their encryption capabilities are not artificially weakened like the IIS and Netscape Enterprise Servers made for Asia. Two leading examples of servers under this heading are Stronghold by C2 Net, and Apache-SSL in its various forms. Apache is the favorite amongst e-commerce sites because of its backward compatibility with many scripts and freeware out there, and its extensibility. One of the more well-known Class B servers is run by Thawte Consulting, which provides CA (Certificate Authority) services, similar to companies such as Verisign. However, security at such servers breaks down to 40 bits when users in Asia connect to them, since the web browsers are artificially weakened to 40 bits. To get the full security for e-commerce, whether b2b or b2c, you need a fortified web browser that can connect at 128 bits. To fortify your web browser, visit http://www.fortify.net/, which provides software patches that add full 128-bit encryption capabilities to any export-grade Netscape Communicator or standalone Navigator, for platforms ranging from UNIX, Linux, BSD, Windows and Mac OS.

Class C servers are the US domestic equivalent of Class A servers. These servers are manufactured by US-based organizations and are controlled by the US Government. Within the USA, Class C servers make up most of the SSL-capable web servers for b2c e-commerce. Export-grade web browsers do not use strong encryption when communicating with Class C servers. A fortified browser can communicate securely with a Class C server. The US Government made changes to its export regulations to relax its accessibility for foreign subsidiaries of US companies, and for specific health and medical organizations. However, if your users are connecting from Asia, their export-grade web browsers are still inherently weak at the knees.

Class D servers are approved under the Verisign Global Server program to provide strong encrypted web services around the globe. Global Server IDs are available only to qualifying US organizations and international financial organizations that hold a Dun & Bradstreet D-U-N-S number. Therefore, most companies in Asia fall outside this "elite" circle.

Recent versions of Netscape's and Microsoft's export-grade browsers are able to perform strongly encrypted communications with Class D servers. Such browsers initially connect to the web server using 40-bit encryption. On connecting, the web browser recognizes the web server's Global Server ID certificate, promptly closes the connection and re-opens it at 128 bits. With a browser fortified through fortify.net, however, a connection made to a Class D server needs only one connection at the full 128 bits.
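
The outcome for each browser and server class described above can be worked through in a short model. This is an added example, not code from the article or from any browser or server vendor; the preference order, the "RC4-Export" label and the rule of picking the first mutually supported cipher are simplifying assumptions.

```python
from dataclasses import dataclass

# Key lengths (bits) for the ciphers named on the fortify.net check page quoted
# in the article. "RC4-Export" is a label chosen here for 40-bit RC4-MD5.
KEY_BITS = {"RC4": 128, "RC2": 128, "IDEA": 128, "Triple-DES": 168,
            "DES": 56, "RC4-Export": 40, "RC2-Export": 40}
# Assumed preference order for this sketch (RC4 first, export ciphers last).
PREFERENCE = ["RC4", "RC2", "IDEA", "Triple-DES", "DES", "RC4-Export", "RC2-Export"]
EXPORT = frozenset({"RC4-Export", "RC2-Export"})
FULL = frozenset(KEY_BITS)

@dataclass(frozen=True)
class Browser:
    ciphers: frozenset       # ciphers offered on an ordinary connection
    step_up: bool = False    # reconnects at full strength on a Global Server ID

@dataclass(frozen=True)
class Server:
    ciphers: frozenset
    global_server_id: bool = False   # True only for Class D

def pick(offered, accepted):
    """First cipher in PREFERENCE that both sides support, or None."""
    return next((c for c in PREFERENCE if c in offered and c in accepted), None)

def negotiate(browser, server):
    """Return (cipher, key_bits, connections_made) for one browser/server pair."""
    cipher = pick(browser.ciphers, server.ciphers)
    if cipher is None:
        return (None, 0, 1)
    if cipher in EXPORT and browser.step_up and server.global_server_id:
        # Class D: the export browser sees the certificate, drops the 40-bit
        # connection and reconnects with the full cipher list.
        cipher = pick(FULL, server.ciphers)
        return (cipher, KEY_BITS[cipher], 2)
    return (cipher, KEY_BITS[cipher], 1)

EXPORT_BROWSER = Browser(EXPORT)
RECENT_EXPORT_BROWSER = Browser(EXPORT, step_up=True)
FORTIFIED_BROWSER = Browser(FULL)           # also models a US-domestic browser
CLASS_A = Server(EXPORT)
CLASS_B_OR_C = Server(FULL)                 # B and C differ by origin, not ciphers
CLASS_D = Server(FULL, global_server_id=True)

if __name__ == "__main__":
    for b_name, b in [("export", EXPORT_BROWSER), ("recent export", RECENT_EXPORT_BROWSER),
                      ("fortified", FORTIFIED_BROWSER)]:
        for s_name, s in [("A", CLASS_A), ("B/C", CLASS_B_OR_C), ("D", CLASS_D)]:
            print(f"{b_name:>13} -> Class {s_name:<3}: {negotiate(b, s)}")
```

The weaker endpoint sets the key length in every pairing except the recent export browser against a Class D server, which reaches 128 bits at the cost of a second connection.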

Triple-DES to the rescue at the backend

Triple-DES encryption comes in 2 flavors. One version is DES encryption (56-bits) applied three times with similar keys, thereby achieving 168-bit encryption. The other version, which is more secure but slower and puts more work on your server, is DES encryption applied three times with different keys.

There seems to be a way out currently for Asian companies wishing to conduct high-level secure e-commerce, by working with security vendors that provide Triple-DES (168-bit) encryption that is exportable to Asia Pacific. The first company that has got permission to sell Triple-DES firewalling and virtual private networking (VPN) solutions is Check Point Software Technologies Ltd in Israel (http://www.checkpoint.com/). Their solutions are approved for financial institutions in Australia, Austria, Belgium, Denmark, Finland, France, Germany, Holland, Hong Kong, Italy, Iceland, Japan, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, United Kingdom, Singapore, South Africa and South Korea.

So, how does secure b2b and b2c e-commerce fit in Asia Pacific with secure ordering systems for organizations? One method would be to work with a bank that offers Triple-DES encryption systems, and leverage on their investments in secured connectivity, while your organization provides the front-end to products and services.

In such a scenario, your organization may be running a small web site on a simple web server, displaying your web site which outlines various products and services. If you hold a merchant account and a credit card account, you can discuss with your bank (assuming that they run a Triple-DES architecture) to consolidate and manage all electronic payments and authentication for you. In a SET scenario, you would have to fork out more than S$100,000 worth of equipment to handle that. In a Triple-DES scenario, because the server system is essentially similar to US domestic servers, and no major investment and reinstallation are needed, the bank may be able to offer secure payment services to organizations more affordably than the SET protocol can, at least in the near future.

Do remember that the connecting web browser must be fortified, or must originate from the USA, since you need a strong web browser that can handle strong encryption. Therefore, for business-to-business e-commerce, organizations should advise their connecting customers to connect using fortified web browsers at all times.

The horizon

SET, or Secure Electronic Transaction protocol, is the initiative touted by the National Computer Board in Singapore, together with key computer vendors and financial institutions to be THE standard for secure e-commerce.

So can an organization assume that the SET protocol will provide all the e-commerce tools it needs? Yes, but there's a catch. For example, in order for a bank to work with an organization in Singapore to provide SET-based e-commerce, the bank must be satisfied with the setup of this organization. Typically, only a few vendors' equipment is approved for SET and can handle SET. These SET-compliant servers and backbones cost S$100,000 upwards for a small setup (no pun intended). Therefore, not too many companies in Asia, sitting on a meager 64k leased line paying S$2,000 per month for bandwidth alone, can afford this expenditure.

In the further future, when bandwidth costs come down tremendously (or it may be a pipe dream that never sees the light of day), and e-commerce systems become more transparent and affordable, while improving their handshaking with client software, e-commerce will certainly become a mere commodity in our everyday business environment.

For now, most companies still either need a sizable IT budget, or must be ready to embrace a multitude of tools and workarounds for e-commerce systems that will function.

Copyright (c) 1991-1999 Seamus Phan

Seamus Phan
Seamus Phan is a leading author, speaker, trainer and Internet technologist in the areas of quality management, service quality and the Internet's impact on business competitiveness. Based in Singapore, Seamus consults for many international companies, government agencies and smaller companies around the world. More articles, information and ideas are available at http://seamusphan.com or email : seamus@mcgallen.com