0:05
Hi folks, Ed Amarossa here.
And I want to talk to you in this video about secure-sockets layer, SSL and
the problem of getting a public key from a CA, so
that I can decrypt a certificate that I've received from, say,
a commerce site that has a certificate signed by the CA using its secret key.
Boy is that a mouthful, right?
If you understood that, that's pretty good.
I'm always surprised that I can say it without getting it all jumbled up, but
here's the idea.
You've just received the certificate from wesellawesomesneakersontheinternet.com.
And it says, hey, we want you to buy our sneakers.
Look here's a certificate.
Embedded in the certificate is that website's public key,
which you can now use to send credit card information over, but to somehow get that,
I have to decrypt the public key of the CA who signed that cert.
Now, the solution to this is also just about as elegant as you can imagine, but
it was invented by a company, a fledgling company in the 90s, called Netscape.
Now, if you share a generation with me, you think of Netscape as the first
browser, as the brainchild of Marc Andreessen, who is now probably the most
famous venture capitalist in Silicon Valley, just an amazing person.
But back in the day, Netscape was a small company that was figuring out its ways and
figuring out how to make money with browsing.
And their idea, in my mind, is one of the great contributions to e-commerce,
in fact, we would have no Amazon, no online selling without the following idea.
Here's what Marc Andreessen's team came up with.
1:46
They said, your browser somehow needs the public key of that CA.
Because if it has a public key of the CA, it could decrypt the cert.
But I don't want users to have to go get the cert.
I'd rather go get the public key.
I don't want to be buying a book, and
then have to go get the public key of the store that I'm buying the book from.
2:10
Here's what they said, and again, so genius.
And if you see this theme of simple,
clean, elegant concepts moving things forward, then you got the right idea.
And here's what Marc Andreessen and the team said.
They said, you've gotta download a browser, right?
Everybody has to download a browser.
So we will put the public keys, burn them in to your browser.
How cool is that?
2:38
You download the browser.
The browser has all the public keys through prearrangement between the CAs and
the browser companies to put them in there.
And to the degree that you trust the download from Netscape or
from Microsoft or from Google or wherever,
if you trust the download, embedded in that, will be a frequently updated
list of valid certification authorities that they've gone off and checked.
It's a closed loop.
Your mom, your friend, you, whatever,
you want to go buy something on the Internet, you download a browser.
You're using the browser.
It's got public keys in there for CAs.
I go to wesellawesomesneakersontheinternet.com
I say, I want to buy this, and he goes, great.
Sends me a certificate, its got their public key.
The certificate is signed by a CA.
My browser does a look up, finds it.
Wow, that's a valid CA.
I have the public key.
I decrypt the certificate.
I get the public key.
I send the credit card information.
And we have the world we live in today.
That's it, that's how it works.
That's why you don't have to do anything to buy something securely on the Internet.
It's like magic.
Now, for some of you with a little bit more experience, and
you're thinking about this, you're going wait a minute, Ed.
There's a lot of problems here.
How do I know the CA is valid?
And how do I know they did a good deal with the browser?
You're right, there's no question that that's an issue.
There's a lot of little seams in the way these things work.
But for the most part, you've gone from no assurance to pretty solid assurance here.
I think you gotta admit that this is a closed loop in
the sense that it provides a means for
me to get my credit card to you without having to go off and look around for
keys, and search a directory or ask somebody for a public key.
I don't have to do any of that.
As long as I download the browser, I have pretty much everything I need.
And I don't need to be a technical person.
I don't need to go to a key exchange party.
I don't need, sort of,
a gear head to accomplish the kinds of things that you see on the Internet.
Now, contrast this with email.
5:00
Where I'll bet you, you and I, whoever you are watching me,
right now, I'll bet you, we couldn't send secure email to
each other without doing a bunch of work, because the infrastructure is not there.
But if you go off and set up a website and
get a certificate then I can buy something for you, and we don't have to meet.
I don't need to know who you are.
We don't ever have to meet.
I can come and use a standard protocol.
Why is it that security commerce it's all worked out, email it's not?
5:35
I think it's just because the financial model is better for security commerce,
that's the reason.
And I wish I could give you a better computer science reason but there isn't.
Its just the reason that's been put together
is because there's such a wonderful business model there.
Nothing evil about that at all, you just need to understand that as a technologist.
A lot of you are probably fledgling entrepreneurs.
Maybe you're thinking about starting a company.
The bottom line is having great technology's going to be important, but
luck and business models, and hitting things at the right time and
knowing what you're doing from a business perspective may be just as important.
Give Marc Andreessen a lot of credit.
We think of him as a great entrepreneur, venture capitalist, but
I think the contributions of that he and his team at Netscape made, in and
around secure-sockets layer, is one of the great contributions of cybersecurity.
So I hope you've enjoyed this.
In the next video,
I'm going to tell you a story that's going to really seem kind of interesting.
I hope if you have some free time, you'll go right onto the next one and
look at our discussion of James Alice and Clifford Cox and some of the real
origins of public e-cryptography that I bet you never heard of.
I'll see you in the next one.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
