
Sorting out the technology behind secure websites

Your business will need SSL if you accept orders and credit card details online, collect sensitive data from visitors and customers

According to Statistics Canada, 51% of Canadian Internet users ordered goods or services in 2010, placing nearly 114 million orders valued at approximately $15.3 billion.

Online shoppers have been taught to look for the padlock symbol in the browser’s address bar, or “https” instead of “http” at the start of the address, before entering private information like credit card details to make a purchase. (A padlock image drawn on the page itself proves nothing; only the browser’s own indicator counts.) What many people don’t know is that such websites are secured by “SSL certificates.”

SSL (secure sockets layer) provides private, authenticated, reliable connections between two parties over the Internet. Its successor, TLS (transport layer security), is what browsers and servers actually negotiate today, but the name “SSL” has stuck and the ideas below apply to both.

This article explains how SSL works and why online businesses need it.

History of SSL

SSL was developed in 1994 by Netscape Communications, best known for Netscape Navigator, an early web browser. SSL made it possible to secure communications between web browsers and web servers, which enabled important developments such as secure electronic commerce over the web. Other applications such as file transfer, remote login and email can also be secured.

SSL basics

Knowledge of cryptography, digital certificates and certificate authorities is needed to understand how SSL works.

Cryptography uses encryption and decryption. Encryption takes readable data (plaintext) and, using an algorithm and a number called a key, turns it into an unreadable form (ciphertext); decryption uses the algorithm and the matching key to turn ciphertext back into plaintext. SSL uses two kinds of keys: symmetric keys, where the same key both encrypts and decrypts, and public-key pairs, where anything encrypted with a party’s public key can only be decrypted with its private key. The public key can be handed to anyone; the private key never leaves the server.

A digital certificate contains information such as who it is issued to, who issued it, the owner’s public key and the certificate’s expiry date, all signed by the issuer so that any tampering can be detected. Certificates differ in how much identity checking the issuer does before signing: the basic kind only confirms that the applicant controls the domain name, while higher-validation certificates also verify the organization behind the site. The encryption itself is no stronger; what the shopper gets is more assurance about who is on the other end.

For example, extended validation certificates (EVCs) require written, signed documentation from the company ordering the certificate, proof of registration from a government agency and proof that the individual ordering the certificate is employed by the company. They also require a telephone verification process. At the time this was written, browsers turned the address bar green for an EV certificate while a secure transaction was in progress; most browsers have since dropped that special indicator, so the padlock is what customers will actually see.

Certificate authorities (CAs) issue certificates. Well-known CAs include VeriSign, GeoTrust, Comodo and Thawte. Browsers like Chrome, Firefox or Internet Explorer ship with a built-in list of trusted CAs (their root certificates), so when a browser is presented with a certificate it can check that it was signed by one of those CAs, or by an intermediate CA that itself chains back to one. A certificate you sign yourself, or one from a CA the browser does not know, produces a warning page instead of the padlock.

How an SSL session works

An SSL session starts with a digital handshake. You request a secure session by typing a web address or URL starting with “https://” rather than “http://”. Your web browser opens a connection to the server and the two sides exchange random values; the server also sends its digital certificate, which contains the server’s public key. The browser checks the certificate against its list of known certificate authorities, confirms that the name in the certificate matches the site it asked for, and confirms that the certificate has not expired. If all is well, the browser generates a secret random number, encrypts it using the server’s public key and sends it to the server, which decrypts it with its private key. Both sides combine that shared secret with the random values exchanged earlier to derive session keys known only to them. With the handshake completed, the two parties use those keys to encrypt and decrypt communications between each other for the rest of the session. (This is the original RSA key exchange. Modern TLS instead agrees on the secret with an ephemeral Diffie-Hellman exchange, so that a server private key stolen later cannot be used to decrypt recorded sessions.)
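The handshake and the certificate checks described in the two sections above, worked through as an added example that is not part of the original article. It is a toy model in Python using only the standard library: the “certificates” are dicts rather than X.509, the RSA keys are tiny and unpadded, and the CA name Demo Root CA, the host shop.example, the date values and the key-derivation label are all constructed for the demo. It goes slightly beyond the text by returning the specific reason a browser would reject a certificate (unknown issuer, bad CA signature, name mismatch, expiry) rather than just a pass/fail.

```python
# Added example (not from the article): a toy model of the RSA-key-exchange
# handshake. Standard library only; "certificates" are dicts rather than X.509,
# the RSA keys are tiny and unpadded, and all names, keys and dates are constructed.
import hashlib
import hmac
import json
import math
import secrets

def _probable_prime(n, rounds=16):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _probable_prime(candidate):
            return candidate

def rsa_keypair(bits=512):
    """Textbook RSA: (public, private) as ((n, e), (n, d)). 512 bits is far too
    small for real use; it only keeps the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(cert):
    """SHA-256 of the certificate body (everything but the signature) as an integer."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return int.from_bytes(hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest(), "big")

def issue_certificate(subject, not_after, subject_pub, issuer, issuer_priv):
    """The CA binds a name to a public key and signs the result with its private key."""
    cert = {"subject": subject, "issuer": issuer,
            "public_key": list(subject_pub), "not_after": not_after}
    n, d = issuer_priv
    cert["signature"] = pow(_digest_int(cert), d, n)
    return cert

def verify_certificate(cert, trust_store, hostname, today):
    """Browser-side checks. Returns None if acceptable, otherwise the rejection reason."""
    issuer_pub = trust_store.get(cert["issuer"])
    if issuer_pub is None:
        return "issuer not in trust store"
    n, e = issuer_pub
    if pow(cert["signature"], e, n) != _digest_int(cert):
        return "bad CA signature"
    if cert["subject"] != hostname:
        return "name mismatch"
    if today > cert["not_after"]:
        return "certificate expired"
    return None

def handshake(trust_store, server_cert, server_priv, hostname, today):
    """Run the handshake; return the session key each side derived (they must match)."""
    client_random = secrets.token_bytes(32)        # ClientHello
    server_random = secrets.token_bytes(32)        # ServerHello, sent with the certificate
    problem = verify_certificate(server_cert, trust_store, hostname, today)
    if problem:
        raise ValueError("handshake aborted: " + problem)
    n, e = server_cert["public_key"]
    premaster = secrets.token_bytes(48)            # the browser's secret random number
    encrypted = pow(int.from_bytes(premaster, "big"), e, n)         # ClientKeyExchange
    server_premaster = pow(encrypted, server_priv[1], server_priv[0]).to_bytes(48, "big")
    label = b"master secret" + client_random + server_random        # constructed label
    client_key = hmac.new(premaster, label, hashlib.sha256).digest()
    server_key = hmac.new(server_premaster, label, hashlib.sha256).digest()
    return client_key, server_key

def build_pki(today=20240101):
    """Constructed demo PKI: one root CA in the browser's trust store, one server cert."""
    ca_pub, ca_priv = rsa_keypair()
    srv_pub, srv_priv = rsa_keypair()
    trust_store = {"Demo Root CA": ca_pub}
    server_cert = issue_certificate("shop.example", today + 10000, srv_pub, "Demo Root CA", ca_priv)
    return trust_store, server_cert, srv_priv
```

Calling `build_pki()` and then `handshake(store, cert, priv, "shop.example", 20240101)` returns two equal 32-byte keys, one derived on each side without the key itself ever crossing the wire. Calling `verify_certificate` with a different hostname, a date past `not_after`, an empty trust store, or a certificate signed by a key other than the CA’s returns the corresponding rejection reason, which is the same set of conditions that makes a real browser show a warning page instead of the padlock.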

When does an online business need SSL?

Your business will need SSL if you accept orders and credit card details online, collect sensitive data from visitors and customers such as addresses, birthdates or ID numbers, or share confidential information across multiple locations or offices on the same intranet.