MashSSL Alliance Formed to Promote Open Standard for Trust Establishment Between Web Applications
* Reuters is not responsible for the content in this press release.
MOUNTAIN VIEW, CA, Nov 12 (MARKET WIRE) --
A consortium of leading technology companies today announced the creation
of the MashSSL Alliance, an organization dedicated to evangelizing the
use of the MashSSL technology and specification. MashSSL is an innovative
way to use the proven and trusted SSL protocol and trust infrastructure
to solve the tricky and serious problem of trust establishment between
web applications communicating through an end user at a browser. This is
a hard problem as the web applications have to assume that the user in
the middle could be a malicious hacker or a legitimate user with a
malware-infected browser.
The founding members of the Alliance include leading SSL certificate
vendors Comodo, DigiCert, Entrust and VeriSign; leading providers of
security technology and services Arcot, Cenzic, ChosenSecurity, Denim
Group, OneHealthPort, QuoVadis, SafeMashups and Venafi; leading security
research institutions Institute for Cyber Security, UTSA, MIT Kerberos
Consortium and Secure Business Austria; and noted industry security
experts.
"Having been both a vendor and security practitioner, what makes MashSSL
such an innovative and elegant solution is the fact that it sits on top of
SSL at the application layer and does not disrupt the existing ecosystem
-- no new crypto protocols to analyze, no changes to the browser and no
new types of credentials," said Lynn Terwoerds, Former Head of Security
Architecture & Standards, Barclays GRCB, former Senior Security
Strategist, Microsoft, and member of the Cloud Security Alliance. "The
ability to significantly reduce the risk involved with online
collaboration and transactions opens up a whole new realm of
opportunities to both product developers and to security practitioners
who need to live in a highly virtualized and cloud-based world, where
applications and data no longer reside in a single location."
"End users' Web experiences, be it in healthcare or any other vertical,
are increasingly an aggregation of data and processing from cooperating
Web applications that communicate wholly or partially through the user's
browser," said Sue Merk, vice president of business development and
product management at OneHealthPort, a coalition of health plans,
physicians and hospitals that joined together to build a trusted
community where business and clinical information could be shared
securely. "Unfortunately, a malicious man-in-the-middle attack or a user
infected with man-in-the-browser malware can easily subvert such
communications. An open standard to solve this universal problem once,
and not in a piecemeal ad hoc fashion, has been a long time coming. That
it is based on the trusted and familiar SSL certificate infrastructure is
a bonus."
MashSSL, which was first developed by application authentication pioneer
SafeMashups, has now become an open specification with an open source
reference implementation, and is in the process of being standardized.
"Using different proprietary security methods and a multitude of
quasi-trusted credentials to solve this fundamental problem is clearly
inefficient and will lead to administrative errors which underlie many
vulnerabilities," said Siddharth Bajaj, Principal in the Innovation Group
at VeriSign and steering committee chair of both the MashSSL Alliance and
W3C MashSSL XG. "MashSSL repurposes SSL to create a secure application
layer pipe through which open protocols like OAuth, OpenID, OpenAJAX,
etc., and proprietary applications like payment provider interfaces can
flow in a more secure fashion while leveraging the already existing trust
and credential infrastructure."
While MashSSL was originally developed for use with newer mashup
technologies, it became rapidly apparent that the protocol can be used in
any situation where two Web applications need to communicate through a
user's browser, where the user may be malicious or the browser infected
with malware. Consequently, the potential field of use for MashSSL is very
broad, including potentially underlying identity federation protocols,
payment button interfaces, etc.
The initial MashSSL specification and open source reference implementation
have been made generally available at www.mashssl.org.
General Media Contact:
Elizabeth Safran
Looking Glass Public Relations for the MashSSL Alliance
+1.212.740.1037 (office)
+1.408.348.1214 (cell)
www.lookingglasspr.com
Copyright 2009, Market Wire, All rights reserved.
-0-