Wireless Web tightens security screws

13 October 2000 03:01 PM
Tags: wap, wireless, gateway

Unfairly or not, many people are stuck with the impression that wireless devices don't provide the same level of security that the wired Internet does.

In particular, security concerns have dogged the Wireless Application Protocol, a standard for regulating how data is exchanged between wireless devices. The technology has taken a beating across the board from critics who have complained that WAP is too slow and that it has been overhyped. WAP's security problem has to do with its current implementation: When encrypted data is sent from a client WAP device, it is decrypted by the wireless service provider's WAP gateway and then re-encrypted before the data is sent over the Internet. That means for a split second, the data for every WAP session is unencrypted on the wireless carrier's gateway.

Scott Goldman, chief executive of the WAP Forum, the industry body that oversees the specification, equates this potential security problem to a 1-inch hole in a 100-foot wall. "In practical terms, the chances of a possible security breach [in the existing version of WAP] are one in a billion," he says. Nevertheless, that tiny vulnerability has been a huge sticking point for some customers, including financial institutions, unwilling to adopt WAP's "two-zone" security model.

So the technology suppliers were forced to fix it. The most recent specification from the WAP Forum will let companies set up secure connections directly with WAP devices, bypassing the wireless carrier's gateway.

Phone.com, one of the main players driving WAP, last week announced software that will let customers set up such secure connections based on the new WAP Forum specification. Due in the first quarter of 2001, Phone's Secure Enterprise Proxy server will support existing WAP handsets with a technique known as tunneling. However, in that case, the encrypted data will still travel through the carrier's WAP gateway. With a future version of its Up.Link client browser, also due in early 2001, Phone will provide a way for WAP handsets to dynamically reconnect with a company's Web site via the proxy server so even the encrypted data doesn't pass through the wireless operator's gateway.

"This is the highest-level security that will be available on the wireless Internet for quite some time," says Kevin Ellis, senior product marketing manager at Phone.

But to get the full dynamic proxy navigation to bypass a wireless carrier's gateway, customers will have to wait at least a year until phones that incorporate version 5.0 of Phone's browser are on the market, Ellis says.

Nokia, which also sells WAP gateway software, provides security features in its system but isn't yet able to dynamically connect client WAP devices to enterprise gateways.

The new WAP security technologies finally put to rest a nagging problem, says Iain Gillott, an analyst at International Data. "It removes one of the big complaints about WAP and security," he says.

In addition to sealing up the two-zone security gap, the new WAP security specs will support public key infrastructure for stronger authentication. That has companies such as Certicom and RSA Security, which provide encryption and digital signature technologies, ramping up with wireless equipment makers.

Certicom, for example, has licensed its technology to more than 100 wireless device and equipment companies, including Motorola, Research In Motion and Sony, says Prakash Panjwani, senior director of wireless solutions at Certicom. He says there is a big opportunity to provide security technologies for wireless applications because companies are starting to put in the infrastructure to handle wireless transactions.
