Consumer-driven secure sockets layer modulator

US 9,438,570 B2
Filed: 02/12/2007
Issued: 09/06/2016
Est. Priority Date: 02/10/2006
Status: Active Grant

First Claim

Patent Images

1. A client computer based method for executing a secure electronic transaction over a communications network, the method comprising:

querying, by at least one data processor, an exclusion list with a domain name associated with a transaction site to determine if a security of the transaction site needs verification, the exclusion list comprising one or more domains that do not require a secure channel for communication;

when the transaction site is not on the exclusion list and the electronic transaction does not include information sent from the client computer, the electronic transaction being encrypted with a public key, initiating, by at least one data processor, the verification by querying an allowed list with the domain name to determine if the transaction site is allowed to continue the electronic transaction; and

when the domain name of the transaction site is not on the allowed list, by at least one data processor;

generating a first notification for a user indicating that the electronic transaction is being conducted with an unsanctioned transaction site,receiving input from the user based on the first notification, andceasing the electronic transaction, andadding the domain name associated with the transaction site to the exclusion list, the exclusion list being specific to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A software system and method for executing secure commercial transactions online is disclosed. The system intercepts and verifies, against consumer provided inputs, Secure Socket Layer (SSL) communications from normal Web browser usage. The system can include a software module loaded onto the consumer'"'"'s client computer, and which uses independently-derived look-ups to associate a web domain name with its SSL public key to verify that a given web session is appropriately encrypted.

Citations

14 Claims

1. A client computer based method for executing a secure electronic transaction over a communications network, the method comprising:
- querying, by at least one data processor, an exclusion list with a domain name associated with a transaction site to determine if a security of the transaction site needs verification, the exclusion list comprising one or more domains that do not require a secure channel for communication;
  
  when the transaction site is not on the exclusion list and the electronic transaction does not include information sent from the client computer, the electronic transaction being encrypted with a public key, initiating, by at least one data processor, the verification by querying an allowed list with the domain name to determine if the transaction site is allowed to continue the electronic transaction; and
  
  when the domain name of the transaction site is not on the allowed list, by at least one data processor;
  
  generating a first notification for a user indicating that the electronic transaction is being conducted with an unsanctioned transaction site,receiving input from the user based on the first notification, andceasing the electronic transaction, andadding the domain name associated with the transaction site to the exclusion list, the exclusion list being specific to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method in accordance with claim 1, further comprising, if the transaction site is on the allowed list, retrieving an encryption key for the transaction site from a known public key list.
  - 3. A method in accordance with claim 2, further comprising determining if the encryption key received from the transaction site matches the public key from the known public key list.
  - 4. A method in accordance with claim 3, if the encryption key received from the transaction site does not match the public key from the known public key list, generating a second notification of a potential issue for the user.
  - 5. A method in accordance with claim 3, if the encryption key received from the transaction site matches the public key from the known public key list, continuing the electronic transaction with the transaction site.
  - 6. A method in accordance with claim 1, wherein the querying the exclusion list with the domain name of the transaction site further includes comparing the domain name associated with the transaction site with a list of domain names in the exclusion list.
  - 7. A method in accordance with claim 1, wherein the querying the allowed list with the domain name further includes comparing the domain name associated with the transaction site with a list of domain names in the allowed list.

8. A client computer based method for executing a secure electronic transaction over a communications network, the method comprising:
- intercepting, by at least one data processor, secure socket layer (SSL) communications with a transaction site on a server; and
  
  verifying, by at least one data processor, that a web session associated with the SSL communications is appropriately encrypted, the verifying comprising;
  
  querying an exclusion list with a domain name of the transaction site to determine if a security of the transaction site needs verification, the exclusion list being specific to a user and comprising one or more domains that do not require a secure channel for communication;
  
  when the transaction site is not on the exclusion list and the SSL communications do not include information sent from the client computer, the SSL communications being encrypted with a public encryption key, querying an allowed list with the domain name to determine if the transaction site is allowed to continue the electronic transaction; and
  
  when the domain name of the transaction site is not on the allowed list, generating a notification for a user indicating that the electronictransaction is being conducted with an unsanctioned transaction site, receiving input from the user based on the notification,ceasing the electronic transaction, andadding the domain name associated with the transaction site to the exclusion list.
- View Dependent Claims (9, 10, 11, 12)
- - 9. A method in accordance with claim 8, wherein the querying the exclusion list with the domain name of the transaction site further includes comparing the domain name of the transaction site with domain names in the exclusion list.
  - 10. A method in accordance with claim 9, wherein the querying the allowed list with the domain name further includes comparing the domain name of the transaction site with domain names in the allowed list.
  - 11. A method in accordance with claim 8, wherein the verifying further comprises comparing a SSL public key of the transaction site with a known public key list.
  - 12. A method in accordance with claim 11, further comprising determining if the SSL public key of the transaction site matches the public encryption key in the known public key list.

13. A client system for executing a secure electronic transaction over a communications network, the system comprising:
- a secure transaction module configured to intercept secure socket layer (SSL) communications from a transaction site on a server; and
  
  at least one data processor associated with the secure transaction module, the at least one data processor being configured to verify that a web session associated with the SSL communications is appropriately encrypted by;
  
  querying an exclusion list with a domain name of the transaction site to determine if a security of the transaction site needs verification, the exclusion list being specific to a user and comprising one or more domains that do not require a secure channel for communication,when the transaction site is not on the exclusion list and the SSL communications do not include information sent from the client computer, the SSL communications being encrypted with a public encryption key, querying an allowed list with the domain name to determine if the transaction site is allowed to continue the electronic transaction; and
  
  when the domain name of the transaction site is not on the allowed list,generating a notification for a user indicating that the electronic transaction is being conducted with an unsanctioned transaction site,receiving input from the user based on the notification,ceasing the electronic transaction, andadding the domain name associated with the transaction site to the exclusion list.
- View Dependent Claims (14)
- - 14. A system in accordance with claim 13, further comprising a public key table accessible by the secure transaction module and having a list of known public encryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fair Isaac Corporation
Original Assignee
Fair Isaac Corporation
Inventors
Milana, Joseph P., Crawford, Stuart L., Martin, Ronald L.
Primary Examiner(s)
Reagan, James A

Application Number

US11/705,663
Publication Number

US 20070291936A1
Time in Patent Office

3,494 Days
Field of Search

705/64
US Class Current

1/1
CPC Class Codes

G06Q 20/38   Payment protocols; Details ...

G06Q 20/382   insuring higher security of...

G07F 7/084   Additional components relat...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

Consumer-driven secure sockets layer modulator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Consumer-driven secure sockets layer modulator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links