BUSINESS ON THE WORLD WIDE WEB

SECURITY AND ELECTRONIC COMMERCE, July 18, 1996

INTRODUCTIONS

Richard Seltzer - 11:58am : We're here to share experiences about doing business on the Internet -- particularly the World Wide Web. What works? What doesn't work? Why? What are the trends that matter? How can you/should you adapt to the Internet culture and environment?

I work for the Internet Business Group at Digital Equipment in Littleton, MA. In that capacity, I end up talking to people from large companies about how they can use the Web for business.

I also have my own personal Web page -- which is content rich and no frills -- which I do for practically nothing and draws a fair amount of traffic and attention. And I'm also a member of the Boston Computer Society.

The Web is a place where both big companies and the tiniest of operations can thrive.

Richard Seltzer - 11:59am : In a chat session like this things can get pretty frantic. It's sometimes difficult to follow the threads of conversation. And there's no time to write down interesting URLs and facts. So last week, I took a copy of the raw transcript and edited it to make the threads clearer and posted it at my own little Web site so anyone could take a look. And as email followup messages came in, I posted those there as well. I plan to do the same today. Barring technical difficulties, I hope to have a transcript up within two hours of when this ends. I'll post it at the same site, naming this one /chat2.html

Richard Seltzer - 12:03pm : By the way, a couple of suggestions to help conversation move along. 1) if you are addressing someone in particular, it's helpful if you use that person's name in your message. 2) since this is a business chat session, I think it makes sense to use our real names rather than pseudonyms (of course, that's a matter of taste.)

Richard Seltzer - 12:00pm : Last week several people suggested that for this week we should focus on questions of Internet security and electronic commerce. With that in mind, I invited a couple of colleagues of mine from Digital to join us today. When you connect, please introduce yourselves.

Russ Jones - 12:03pm : Hi Richard, I'll help with any questions on Internet security or Internet Commerce. I also work in Digital's Internet Business Group and I am responsible for Digital's efforts in CommerceNet -- a consortium of 150 organizations that is working to accelerate the use of the Internet for electronic commerce.

Richard Seltzer - 12:05pm : Welcome, Russ. It sometimes takes a few minutes before people connect or before they decide to participate rather than just listen. (By the way, Russ works out of Palo Alto, California).

Alan Kotok - 12:07pm : Hello! This is Alan Kotok. I'm with Digital's Internet Software Business Unit. I am interested in Internet Security issues, and represent Digital at the Worldwide Web Consortium.

Transaction Security

Ray - 12:05pm : Russ what is the high level of security available on the net currently?

Russ Jones - 12:06pm : Ray, that's a very open ended question. The way we look at security is to break it into two broad domains. The first deals with network security and the second with transaction security. Which area are you asking about?

Ray - 12:08pm : Russ, transaction security. I have noticed a lot of businesses trading on the net without any security. Also, what are the costs related to transaction security?

Alan Kotok - 12:10pm : Ray, let me take a crack. On the Web, some businesses use "secure" servers, which employ protocols like SSL. This protocol uses encryption to both secure the communication, and authenticate the parties to each other. This is pretty good stuff. The only question is on key-length, and restrictions on export of very secure keys. But one has to consider the value. It's still too costly to crack for the value you might get.

Ray - 12:12pm : How does a business with a secure server encrypt information that I am sending to them?

Alan Kotok - 12:14pm : Ray, the current generation of web browsers from Netscape (2.0 on) and Microsoft (2.0 on) both incorporate encryption software that is automatically invoked when connecting to secure servers. If you look at the "URL", you'll see https://...

Russ Jones - 12:15pm : Ray, public key cryptography is used as the basis for almost all transaction security mechanisms on the Internet today. Within the transaction security realm, there are two general approaches. The first is to generically encrypt the entire browser/server dialog. This is most typically done using Netscape's SSL protocol. However, because SSL is a "bulk" encryption mechanism, it is restricted by U.S. export laws. Users, or customers, are free to use 128-bit keys domestically, but are restricted to 40-bit keys internationally. The second approach is to move the encryption up a level, making it application specific, and removing the "bulk" encryption concerns. A great example of this is CyberCash. Their products only encrypt credit card numbers. Because of this, they have applied for and been granted by the U.S. government, the right to export a product with 1028 (or 1056?) key lengths.

Russ Jones - 12:19pm : Ray, the cost to deploy secure Web servers varies according to which commercial Web server you use, but in general the commercial cost of deploying a secure solution is only marginally higher than the cost of unsecure Web servers. In fact, if cost is your driving concern, you can side-step the commercial Web servers completely and use the freely-available Apache Web server with embedded SSL support. In spite of the market frenzy around commercial Internet software, the Apache Web server has emerged as the most popular server software.

Future of Consumer Transactions on the Web?

Ray - 12:21pm : Russ, what does the internet industry itself realistically predict for its own future? I envision business to consumer transactions to be along the lines of a home shopping network directly competing with HSN and QVC.

Richard Seltzer - 12:24pm : Ray -- By the way, there is an Internet Shopping Network that has been on-line for over two years and that was bought out by QVC. It's quite good. They didn't wait for Internet security. For starters they just let people provide their credit card info by FAX or phone and gave them a PIN that they used to identify themselves on line. NB -- don't presume that secure commerce over the Internet depends on the use of security software. Sometimes good old common sense can provide interesting and useful alternatives and mixed solutions.

Russ Jones - 12:32pm : Ray, it's hard to say what the Internet industry predicts for itself. Most believe that a robust electronic marketplace is being built on top of the Internet. That's certainly what the member companies in CommerceNet are driving towards. Another aspect of this is that the Internet industry is not just a bunch of startup software companies. CommerceNet's membership is split between the computer industry, the telecommunications industry and the financial industries. All have a vested interest in growing the robustness of the online marketplace. For actual merchants and content providers, this marketplace will be an opportunity to reduce their cost of business as much as it will be to expand the scope of their current business.

Startup Retail Business

Ellz - 12:08pm : Just to let you know that there are folks lurking out here! I'm in the startup stage of putting together an electronic commerce venture and thought all of you would help me articulate the questions, at least. I'll jump in again when I have something specific to ask or add to the conversation.

Richard Seltzer - 12:10pm : Ellz, where are you? And what can you tell us about your venture? Are you mainly interested in selling things retail to a general audience? Or are you more interested in business-to-business commerce?

Ellz - 12:14pm : Richard, we're definitely interested in the retail end of things, but there is a strong possibility that some of the products we'll be creating will be wholesaled to other firms. We will probably also have clients who need/want our assistance in merchandising their "stuff." Sorry to be so cryptic, but the Other Guys are probably here too (grin).

Richard Seltzer - 12:15pm : Ellz and anyone else in the startup stage -- the key question I believe is what do you have to lose? The risk involved in doing a transaction on-line should dictate the level of security you require. If we're talking about low-priced items, then there shouldn't be much of an issue. Today's technology seems quite sufficient. And if it's really high-priced items, like cars and houses, you probably wouldn't want to do that on line anyway. (There are lots of conventional ways to close sales of that kind.) Where it gets trickier is if you want to do high-volume, high-risk business-to-business commerce or banking.

Ellz - 12:18pm : Richard, I agree with your point about the risk/cost factor. I think what we'll be doing will work wonderfully in the electronic market: not too costly, the type of business is reassuring (we're not Joe's Used Widget Shop; sorry, Joe). Now that Mastercard and Visa are in some sort of agreement about handling online transactions, I believe the general public will be less wary of using the technology. They know and trust those names; they aren't in the computer business per se; folks are used to using credit with those names attached.

Richard Seltzer - 12:20pm : Ellz -- There are lots of successful sites up now selling on line (my son bought an audio CD from CD Now last night). I don't think that the customers are there yet in droves, but it's growing. It can be convenient for books and CDs where there are many many choices and traditional stores just don't have them all. It's also great for software, where you can download the product immediately.

Microtransactions -- Millicent

Richard Seltzer - 12:20pm : Ellz -- What fascinates me is the new area of microcommerce, whereby you'll be able to buy and sell information (or anything else) for less than a penny on-line, without the cost of the transaction eating up the profit. Russ and Alan are both knowledgeable about that, and in particular about a version of that known as Millicent.

Russ Jones - 12:27pm : Richard, micropayments

Ellz - 12:24pm : Richard, I'm really interested in selling information on line: one of my clients is an institution with enormous amounts of material that would work to the advantage of the consumer (they can get the stuff) and to the institution (the staff will not be deluged with impossible-to-fulfill requests). Please email me more about Millicent at Ellz@world.std.com.

Alan Kotok - 12:26pm : Richard, nice of you to plug Millicent. I believe that Millicent presents an excellent alternative to advertising or subscriptions as a way to reward providers of information on the web. It is a system where small ($.01 or less) payments can be made without complex negotiations over each payment. And, with user preferences, it can become completely invisible to the user.

Risk of Using Credit Cards on the Web

Richard Seltzer - 12:22pm : Ellz -- Regarding use of credit cards on-line, I think that the main barrier is human habit. It's probably far more secure to provide your credit card info to a Web server than it is to give that info over the phone or to some random person in a store. But it will take a while for people to realize that.

Alan Kotok - 12:22pm : Russ, we may have beaten this security thing to death. One of the things that always amazes me is that people who hand their credit card to unknown wait-persons at restaurants, and are protected by law to $50 loss, are unwilling to use it on an Internet transaction, where realistically, the chances of the card number being read by untrusted third parties is very, very low.

Russ Jones - 12:23pm : Richard, as long as we're talking about secure commerce on the Internet, I should point out that there are some that believe that commerce on the Internet is, or is evolving to be, more secure than commerce in the physical world. A good example of this is the SET proposal being driven by MC/VISA. With SET, the merchant never gets to see the customer's credit card number. It is sent in encrypted form from the customer, through the merchant, and on to the bank for clearance. All the merchant ever sees is the authorization that the transaction is good. This approach eliminates the major point of fraud in the physical world credit card scheme -- which is merchant fraud.

Ray - 12:24pm : Alan, the physical presence of a wait-person is more comforting than the unknown presence on the other end of the computer screen. It is very easy to set up and close down a transient business on line and that risk is what worries me.

Richard Seltzer - 12:29pm : Ray -- It's all a matter of perception and habit. I was doing a fair amount of business over the Internet just using email -- credit card transactions (I have a merchant account) two and a half years ago, before all the security hype. I never had a problem as a buyer or as a seller. Then all the media hype about security hit, and almost no one is willing to send credit card info in unsecure email (though the same people will readily give that same info to a total stranger, over a cellular phone line.)

Alan Kotok - 12:32pm : Ray, regarding "phony" businesses on the Internet, Russ's description of SET addresses that problem in two ways: (1) The "merchant" can't just sit there and collect card numbers for reuse later. Each charge must be digitally signed by the purchaser, and the card number is not visible to the merchant, and (2) the credit card brands that use SET protect their brand by ensuring that each merchant that accepts SET has a valid contract with a member bank. And then, there is still the fact that, by law, you do not have to pay for charges that are fraudulent, or where you did not receive what you paid for.

Ellz - 12:32pm : I know lots of college-age folks who buy things (mostly CDs and books) over the 'Net without a thought. Is it only those of us who have been beaten around by credit card fraud who worry about such things? I've been working with computers since 1968 and have no problems ordering online when I have some sense that the purveyor of goods is reputable, but I know lots of people my age who aren't as comfortable with computers who are terrified at the thought of using the net. Guess they don't think about anyone overhearing their cordless or cell phone conversations?

Experience as Consumers

Richard Seltzer - 12:33pm : On the consumer side, what's your experience? what have you bought through a Web-site transaction? was the experience satisfactory? what did you gain over buying the same kind of thing in a store? was security an issue for you as a consumer?

Russ Jones - 12:38pm : Richard, if I can be a consumer for a second :-), I just bought an airline ticket last week over the Web. I used http://www.pctravel.com/ to shop for one-way fares from Indianapolis to St. Louis. Experience told me that fares would be in the $200-$300 range. When I found the fare for $51, I bought the ticket on the spot. It showed up through postal mail about 7 days later. A truly wonderful experience.

Alan Kotok - 12:38pm : I've purchased a number of airline tickets from a web-based travel agent. I recently purchased an upgrade to my Eudora Pro mail program that was downloaded immediately. In each case, I think I saved considerable money. I've also used on-line catalogs and made telephone calls to execute the purchase. That's a hybrid model, but not to be sneezed-at.

Ellz - 12:42pm : Re online purchasing: I've actually had more luck finding things I needed than in buying them using online transactions. Most of the sites are set up for me to print out a fax order or call them on the phone. But I always mention that I found what I'm ordering on their web site and hope this will encourage them to expand the services they're offering.

Richard Seltzer - 12:42pm : Alan -- With regard to hybrid models, there's an outfit with software that lets customers at a Web site click for an automatic call-back phone call so they can provide their credit card info that way. (It's mentioned in the latest issue of my newsletter at http://www.samizdat.com/news17.html)

Alan Kotok - 12:45pm : I'm about to reveal a secret about the Internet: It is not just one big party line! Messages are routed by Internet carriers to their destinations, and, save LANs at the beginning or end of the connection, messages are not broadcast. (Yeah, there is a broadcast service on the Internet, but not for purposefully private communications.) The wires can be tapped. Bugs can be planted. But it's not materially different from the phone system in most respects.

Additional Questions

Richard Seltzer - 12:35pm : Is anyone out there involved with business-to-business commerce? Or Web-based secure transactions within a large company? I'd be interested in hearing about your experiences, and insights.

Richard Seltzer - 12:38pm : Another general question -- does anyone out there do secure electronic commerce on someone else's Web server? In other words, are you using a hosting service, rather than running your own equipment? If so, please tell us about your experience -- why you chose that route and whether you'd recommend it for others.

Wrapping Up, Talking about Next Week

Richard Seltzer - 12:45pm : We're nearing the end of the hour (when you're typing this fast it's hard to keep track of time). Please let us know what topic(s) you would like to focus on next week. If you don't get a chance to type it in here, please followup with email to me at richard.seltzer@ljo.dec.com or seltzer@samizdat.com

Richard Seltzer - 12:46pm : Also, remember, I'll be posting a transcript of this session at http://www.samizdat.com/chat2.html within two hours of when this ends. And I'd welcome followup correspondence to include there. Last week's transcript is at /chat1.html

Richard Seltzer - 12:50pm : Is anyone out there interested in the topic of intranets for next week? I'd very much like to hear real experience from inside company firewalls. I know what it's like inside Digital, but what happens inside other companies is largely invisible to me. Any takers?

Richard Seltzer - 12:57pm : Signing off. Please join us again next Thursday noon to 1 PM. And send email with your followup questions. richard.seltzer@ljo.dec.com or seltzer@samizdat.com