MashSSL Alliance Formed to Promote Open Standard for Trust Establishment Between Web Applications

MOUNTAIN VIEW, CA--(Marketwire - November 12, 2009) - A consortium of leading technology companies today announced the creation of the MashSSL Alliance, an organization dedicated to evangelizing the use of the MashSSL technology and specification. MashSSL is an innovative way to use the proven and trusted SSL protocol and trust infrastructure to solve the tricky and serious problem of trust establishment between web applications communicating through an end user at a browser. This is a hard problem as the web applications have to assume that the user in the middle could be a malicious hacker or a legitimate user with a malware infected browser.

The founding members of the Alliance include leading SSL certificate vendors Comodo, DigiCert, Entrust and VeriSign; leading providers of security technology and services Arcot, Cenzic, ChosenSecurity, Denim Group, OneHealthPort, QuoVadis, SafeMashups and Venafi; leading security research institutions Institute for Cyber Security, UTSA, MIT Kerberos Consortium and Secure Business Austria, and noted industry security experts.

"Having been both a vendor and security practitioner, what makes MashSSL such an innovative and elegant solution is the fact that it sits on top of SSL at the application layer and does not disrupt the existing ecosystem -- no new crypto protocols to analyze, no changes to the browser and no new types of credentials," said Lynn Terwoerds, Former Head of Security Architecture & Standards, Barclays GRCB, former Senior Security Strategist, Microsoft, and member of the Cloud Security Alliance. "The ability to significantly reduce the risk involved with online collaboration and transactions opens up a whole new realm of opportunities to both product developers and to security practitioners who need to live in a highly virtualized and cloud based world, where applications and data no longer reside in a single location."

"End users' Web experiences, be it in healthcare or any other vertical, are increasingly an aggregation of data and processing from cooperating Web applications that communicate wholly or partially through the user's browser," said Sue Merk, vice president of business development and product management at OneHealthPort, a coalition of health plans, physicians and hospitals that joined together to build a trusted community where business and clinical information could be shared securely. "Unfortunately, a malicious man-in-the-middle attack or a user infected with man-in-the-browser malware can easily subvert such communications. An open standard to solve this universal problem once, and not in a piece meal ad hoc fashion, has been a long time coming. That it is based on the trusted and familiar SSL certificate infrastructure is a bonus."

MashSSL, which was first developed by application authentication pioneer SafeMashups, has now become an open specification with an open source reference implementation, and is in the process of being standardized.

"Using different proprietary security methods and a multitude of quasi-trusted credentials to solve this fundamental problem is clearly inefficient and will lead to administrative errors which underlie many vulnerabilities," said Siddharth Bajaj, Principal in the Innovation Group at VeriSign and steering committee chair of both the MashSSL Alliance and W3C MashSSL XG. "MashSSL repurposes SSL to create a secure application layer pipe through which open protocols like OAuth, OpenID, OpenAJAX, etc., and proprietary applications like payment provider interfaces can flow in a more secure fashion while leveraging the already existing trust and credential infrastructure."

While MashSSL was originally developed for use with newer mashup technologies, it became rapidly apparent that the protocol can be used in any situation where two Web applications need to communicate through a user's browser, where the user may be malicious or the browser infected with malware. Consequently, the potential field of use for MashSSL is very broad, including potentially underlying identity federation protocols, payment button interfaces, etc.

The initial MashSSL specification and open source reference implementation have been made generally available at www.mashssl.org.