Why Use SSL
The Internet and commerce are synonymous now. Not only is traditional business taking place on the Internet, but new forms of business are being explored and are evolving. To take part in this revolution, people are being forced to entrust more and more of their personal and highly sensitive information to online businesses - and often it's to businesses they will never actually see, other than as an image on their screen.
Business owners know that public trust is hard to earn and easily broken. For owners and operators of websites to earn and keep a good reputation, and ultimately avoid lawsuits, they must protect the highly sensitive information that their visitors and customers have entrusted to them over the Internet. SSL encryption, a form of cryptography which encapsulates the user's interaction with the website, is one of the strongest tools presently available to protect that information.
Sensitive Information At Risk
Say you wanted to check your bank balance online. You would no doubt need to enter your assigned user credentials: a username and password, an access card number and password, or some combination of personally identifying information. If some unscrupulous person got this information, he or she could log into your bank account and do anything you can do, from wherever they are - because there's no real way to distinguish them from you when all there is to identify you is a set of characters you enter. Your local teller won't notice it isn't you, and the bank wants to make it easy for you to access your account from wherever you want. Thus, ensuring that it is you, and only you, accessing your bank account is a problem.
Because of the nature of the Internet, it is relatively easy for a hacker to listen in on data passing back and forth between your computer and the bank's Web server. Your data flies around at amazing speeds - but it travels in such a manner that it can be intercepted and forwarded on without compromise. This is both by design, to ensure quick and efficient routing of the information, and unfortunately, by legislation by our lawmakers (a topic for another day).
Unfortunately, the very tools that are there to keep us safe can be coerced into use by less than kind persons, with the intention of intercepting and scavenging data from those electronic streams - a so-called "man-in-the-middle" attack. Their presence is virtually undetectable without extremely sensitive equipment - and as such physical security is the main deterrent to this. However, where there is a will, there is a way - and these attacks do occur. Thus, to keep it as safe as possible, you need to ensure that no one else can view your login credentials - they need to be encrypted, thus preventing anyone from eavesdropping on what you might be sending to your bank.
What Is SSL?
SSL stands for Secure Sockets Layer, and here's how it works. Let's look at your banking sign-on again: before you enter your credentials, the bank's Web server will send you what is termed the "public key," which for all intents and purposes is basically a long string of gibberish to anyone who looks at it. When you submit your login credentials to the bank, the characters of your user credentials will be encrypted with this key, turning them into gibberish as well. That unscrupulous person who wants to see your banking login information will only be able to see the gibberish, but (and this is the important part) they won't be able to decode it to get your user name and password because they don't have what the bank has. The bank's Web server has another key, known as the "private key," which it doesn't show to you or anybody else. The bank's Web server uses this key to decrypt all of the information encrypted by the public key, turning your login credentials back into their original form so that it can compare them against its records to validate them and log you in. As technology has advanced and standards have risen, SSL has since been upgraded and renamed TLS, for Transport Layer Security, but it's still basically the same thing.
Brute Force Attacks
Now, some of you are probably sitting back and thinking, my new computer is a lot faster than my old one - I'm sure I could try and break these codes. And yes, the continuing evolution of hardware has proven to be an issue for the SSL industry. However, even with the huge performance increases in hardware, SSL/TLS encryption standards have evolved to meet and exceed these gains in pure computational power, through the use of better algorithms and longer key lengths.
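The public key / private key idea from "What Is SSL?" and the effect of key length on brute force, shown as an added example that is not part of the original article: textbook RSA over small constructed primes. The function names and sample primes are chosen here for illustration; real TLS keys are 2048 bits or longer and are used with padding, normally to agree on a session key.

```python
# Added illustration: textbook RSA over small, constructed primes.
from math import gcd

# Constructed sample primes (Mersenne primes), far too small for real use.
SMALL = (8191, 131071)          # modulus of about 30 bits
LARGER = (524287, 2147483647)   # modulus of about 50 bits


def make_keypair(p, q, e=65537):
    """Return (public, private) keys built from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # private exponent: inverse of e mod phi
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone holding the public key can turn the message into 'gibberish'."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int, length: int) -> bytes:
    """Only the holder of the private key can reverse the encryption."""
    n, d = private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def brute_force_private(public):
    """Rebuild the private key from the public one by trial division.

    Returns (private_key, attempts). The attempt count is the point:
    it grows with the size of the primes, which is why key length matters.
    """
    n, e = public
    attempts, f = 0, 3
    while n % f:
        f += 2
        attempts += 1
    p, q = f, n // f
    return (n, pow(e, -1, (p - 1) * (q - 1))), attempts
```

With the sample primes, moving from the 30-bit to the 50-bit modulus multiplies the search by about 64; every additional bit in the smallest prime doubles it again.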
Look for HTTPS
Every Web page that uses SSL has a way to indicate the encryption of the page in the address bar. Instead of showing "http" at the beginning, it will say "https." The extra letter "s" stands for "secure." Additionally, most Web browsers will display a locked padlock of some form on HTTPS pages. Modern browsers have a third innovation which interacts with special SSL Certificates: for websites which have gone through Extended Validation - a deeper examination of the website owner and status of the company - they will show a green address bar. You should always look for one or more of these signs before entering sensitive information on websites. If the address bar doesn't say "https," the website is missing one of the most basic and strongest security tools available, and you should think twice before trusting your personal information to that site. SSL/TLS isn't perfect, but it makes a big difference to securing your personal information.
For Website Operators
SSL/TLS service from your Web host may cost you a little extra money; however, if you will be collecting sensitive information from the visitors to your website, you need to use SSL/TLS to secure that information while it is in transit. It makes your website safer to interact with, which in turn makes it a more trustworthy place to do business, and that can lead to more sales. For sensitive information of any kind -- passwords, user names, credit card information, personal identifying information like home addresses and telephone numbers, confidential medical information and anything else your customers or clients would want to keep private -- use encryption. Set your site up to be accessed only from an SSL connection.
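One way to make a site reachable only over an SSL/TLS connection, as an added example that is not part of the original article: a Python WSGI middleware that redirects plain-HTTP requests, adds a Strict-Transport-Security header and marks cookies Secure. The names HttpsOnly, demo_app and request and the host www.example.com are illustrative assumptions.

```python
# Added example: WSGI middleware that serves an application over HTTPS only.
# HttpsOnly, demo_app, request and www.example.com are illustrative names.
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


class HttpsOnly:
    def __init__(self, app, canonical_host):
        self.app = app
        self.host = canonical_host  # fixed value, never the client's Host header

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: redirect without ever running the application.
            target = "https://" + self.host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secure_start(status, headers, exc_info=None):
            headers = [self._secure_cookie(h) for h in headers]
            headers.append(HSTS)  # tell browsers to use HTTPS from now on
            return start_response(status, headers, exc_info)

        return self.app(environ, secure_start)

    @staticmethod
    def _secure_cookie(header):
        name, value = header
        attrs = [a.strip().lower() for a in value.split(";")]
        if name.lower() == "set-cookie" and "secure" not in attrs:
            value += "; Secure"  # cookie is never sent over plain HTTP
        return name, value


def demo_app(environ, start_response):
    """Constructed sample application that sets a session cookie."""
    start_response("200 OK", [("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"account page"]


def request(scheme, path="/login", query=""):
    """Send one constructed request through the middleware; return the result."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(HttpsOnly(demo_app, "www.example.com")(environ, start_response))
    return seen["status"], seen["headers"], body
```

When TLS is terminated at a proxy or load balancer in front of the application, the WSGI server has to be configured so that wsgi.url_scheme reflects the scheme the visitor actually used.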