04.07.04
By Mel Davey
About once a week we get asked if we use SSL certificates. The answer
may come as a surprise to our e-commerce friends, considering that
we process hundreds of credit card transactions every month.
SSL stands for Secure Socket Layer. To a man, except for the real techies,
SSL means secure e-commerce transactions on the Internet. So, what's
a secure e-commerce transaction and what do the techies know that
you don't know? Well, in order to understand that, let's first look
at a few SSL details.
Internet connections make use of various data elements to establish a communication
channel between a host server and a client computer. These data elements
are grouped into functional categories called layers. The communication
takes place via a socket connection. This is simply a specific virtual
connection between computers. A variety of techniques, known as protocols,
using variations in the data elements, can be applied to establish
a connection. One of these protocols uses a Secure Socket Layer. This
is a technique used to encrypt information moving from a host computer
to a browser and from a browser to the host computer. That is, information
in transit on the Internet is encrypted when using this protocol.
You can sometimes know you're using the SSL protocol by the "https:"
at the beginning of a web address or by the little yellow padlock
icon that appears in the lower left corner of a browser.
To use the SSL protocol, the host computer must be equipped with an
SSL Certificate and a browser must support the protocol. All current
browsers do. The certificate is actually a small software program
that resides on the host computer of a particular domain. The program
encrypts the information traveling between your browser and the host
computer when the SSL protocol is invoked. The certificate also identifies
the domain for which the software was issued. Private companies sell
these certificates to domains wishing to use the SSL protocol.
The magic in SSL is the remarkable job that the certificate companies
have done to convince nearly everyone that an SSL site is a secure
site. This has been a great benefit to e-commerce sites. Consumers
get that warm fuzzy feeling when they see the little yellow lock in
their browser, knowing everything is OK, just before submitting their
credit card information. The truth is that the only time information
using SSL is secure is when the data passes between browser and host.
That is, when the data is in transit on the Internet.
The other piece of magic with an SSL certificate is that it is intended
to verify that a website is who they say they are. To make this happen,
the certificate company must confirm information like domain ownership
before selling the SSL Certificate to an applicant. The confirmation
process is not well defined, however, resulting in known cases of certificates
being issued to bogus websites, ostensibly belonging to well known
companies. Another diluting factor affecting the value of the certificate
is the use of machine-wide certificates. This is the practice of applying
one SSL certificate to all websites residing in a shared hosting
environment on a single computer. There is no way that this certificate
can validate website ownership. You know the certificate is being
shared if your ISP offers free SSL capability with domain hosting.
To even begin to authenticate a domain, the certificate must be issued
to a specific IP address assigned to a specific domain.
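The identity side of a certificate, which the paragraph above says a shared machine-wide certificate cannot supply for every site on the box, comes down to one check a browser makes before it shows the padlock: does a name in the certificate match the host name the visitor asked for? The following Python is an added example and not code from this article or from ImagineNation. The certificate name list and the .example host names in it are constructed for illustration, and it models only DNS-name entries in a certificate, not IP-address entries.

```python
"""Added example (not code from the original article or its author): the
host-name check a browser performs against a certificate before it shows the
padlock. The certificate contents and host names below are constructed for
illustration; the .example domains are reserved for documentation."""
import ipaddress
from typing import Iterable


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one dNSName entry from a certificate against a requested host
    name using the browser rules: comparison is case-insensitive, a leading
    '*.' wildcard stands for exactly one DNS label, and a wildcard directly
    under a top-level name such as '*.com' is not accepted."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[2:]
    if "." not in suffix:            # reject '*.com'-style wildcards
        return False
    head, dot, tail = hostname.partition(".")
    # The wildcard may replace one non-empty label; the rest must be exact.
    return bool(dot) and head != "" and tail == suffix


def hostname_covered(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any dNSName in the certificate's subjectAltName list covers
    the requested host name. An IP literal is never matched by a dNSName
    entry (it would need an iPAddress entry, which this example omits)."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    return any(name_matches(n, hostname) for n in san_dns_names)


# Constructed certificate: the kind of machine-wide certificate a hosting
# company might install. It names the hoster's own server and subdomains,
# not the separate domains of the merchants hosted on that machine.
SHARED_HOST_SANS = ["shared-host-01.hosting.example", "*.hosting.example"]


def padlock_verdict(hostname: str, san_dns_names: Iterable[str]) -> str:
    """Summarise what a browser would conclude for a request to hostname."""
    if hostname_covered(hostname, san_dns_names):
        return f"{hostname}: certificate names this host; identity check passes"
    return f"{hostname}: certificate does not name this host; browser warns"


if __name__ == "__main__":
    for host in ("shop.hosting.example",      # hoster's own subdomain
                 "www.my-store.example",      # a merchant's own domain
                 "a.b.hosting.example"):      # wildcard covers one label only
        print(padlock_verdict(host, SHARED_HOST_SANS))
```

Running the block prints one verdict per host: the hoster's own subdomain passes, while a merchant's separate domain fails, which is exactly the warning a visitor sees when a machine-wide certificate is used for a domain it does not name. Encryption of the connection happens either way; only the identity claim is missing.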
So, by now you probably know the answer to our opening question. We
do not use the SSL protocol with our services. We do, however, use
other proprietary techniques to protect a customer's sensitive information,
including triple DES encryption of sensitive information stored in
databases which themselves are password protected and not directly
connected to the Internet. We also use a whole range of other techniques
to manage, protect, and validate customer information.
The point of mentioning what we do and the point of this article is
not to bash the SSL protocol but to expose the myth that SSL somehow
provides the security necessary to protect your customer. If you want
to use SSL to make customers happy, sure, go ahead; but, don't think
for a minute that you're protecting their information. Here's a challenge:
Cite just one case where credit card numbers have been stolen by a
hacker intercepting the data in transit on the Internet.
Managing and protecting information is a much more complex process
than just having an SSL Certificate. If you are serious about protecting
your customer and securing your website, you can start by reading
a four part article titled, "The Nuts and Bolts of Information Security"
at http://imaginenation.com/Articles/SecurityInfo/index.htm. This is by no means a definitive work but it can provide the conscientious
merchant with a guideline for getting started at protecting a customer's
sensitive information.
About the Author:
Mel Davey is the creator of ImagineNation (http://imaginenation.com/),
a full service E-Commerce Application Service Provider, offering Storefronts,
Order Management Utilities, and 3rd party credit card processing.