Secure Socket Layer (SSL)

When sending confidential information over the Internet, a login/password is not enough. Eavesdropping, data tampering, and message forgery are not only possible, they are common.

In today's ecommerce transactions, security is a major concern. This issue is addressed by the TLS (Transport Layer Security - RFC 4346) protocol, which provides a means of both authentication and encryption over the Internet. SSL (Secure Socket Layer) is, for most purposes, synonymous with TLS.

Establishing Trust

SSL enables setting up a secure connection between two points on the World Wide Web, but encryption, in itself, doesn't prove the identity of either party to the other. Some form of authentication has to take place to establish a trust relationship.

To illustrate, suppose somebody wants to purchase some books over the Internet. They first visit the website of a reputable online book seller and fill their virtual "shopping cart" with book titles. Up to this point there hasn't been a strong reason either to authenticate or encrypt the data stream between the customer (site visitor) and the book vendor. But when they proceed to the "check out" page, security becomes a concern. Is the customer willing to type in their credit card number at this point in time?

The question brings up the matter of trust. Do they trust the vendor? Do they trust that the website they are accessing actually belongs to that vendor, and not an impostor? Are they (both vendor and customer) sure that a third party is not going to get hold of the credit card number or other personal data?

Digital Certificates

Trusting the vendor is not something that can come from using encryption alone. It has to be decided based on reputation and other factors. But ensuring that the website is not a forgery is the role of the "digital certificate". For a certificate to be trustworthy, it has to be issued by a trusted entity. It all sounds like a chicken and egg problem, but today's web browsers have the ability to check certificate validity with the major "certificate signing authorities". In other words, when you visit an SSL website, your web browser attempts to authenticate the certificate of the website via the appropriate certificate signing authority. If the certificate was not issued by a known signing authority, your web browser will inform you of that fact.

It is not necessary for the certificate to be recognized for an encrypted session to be established. It all comes down to a matter of trust. If the visitor is confident that they are really connected to the server in question then they may also trust the certificate, either for the current session only or until the certificate expires.

Secure Session

Once the digital certificate has been accepted, a secure session can be established between the web server and web browser. The browser indicates the existence of an SSL session, usually by displaying an icon of a locked padlock. The browser also provides a means of checking the level of encryption used. Over the years the level of encryption has gone from 40-bit, to 128-bit, and now to 256-bit.

In common usage, this "trust relationship" has only been established in one direction. That is, the server has been authenticated to the visitor but the visitor has not been authenticated. The SSL specification does, however, allow for certificates to be passed in both directions.

In most cases visitor authentication will be via a login with a user ID and password. Sending this user/password data is not considered a security risk because the session is already encrypted via the current SSL session. Once the server software has accepted your User ID and password as valid, the trust relationship is mutual, although only one direction will be via SSL.

Does My Website Need SSL?

If your website is used for ecommerce then you probably need SSL. At the very least, you will want to protect customer data from prying eyes. If you are accepting credit card payments, then you will definitely need SSL, unless your credit card processor handles the transaction processing. In that case the secure session will be between your customer and the transaction processor's website.

There are many reasons to have SSL capability on your website. Ensuring that your visitor's user ID and password are not sent in "clear text" is a good reason. But in the final analysis, it all comes down to risk management. In most cases the operator of a blog or BBS won't bother with encrypting login and password information because the consequences of that information getting leaked are not that severe. And since there is nothing much of monetary value being transmitted, there aren't any compelling reasons for a would-be hacker to bother with such sites. Again, it all comes down to managing your risk.

So, How Do I Get Set Up for SSL?

To get a website set up with SSL requires the site to have its own IP address and a Digital Certificate.

Hosting accounts normally share an IP address with other accounts on the same server. To get your own IP address at Hardfocus, you need to upgrade your account to one of the ecommerce packages which includes a dedicated IP address.

Getting a digital certificate is straightforward. Several factors determine the cost involved. To a certain extent, the reputation or brand recognition of the signing authority will add to the price. Another cost factor is the degree of authentication that the signing authority has gone through to establish the identity of your organization. You can purchase a digital certificate from a signing authority directly or as an ecommerce bundle from Hardfocus.

Once the certificate has been installed in your hosting account, you can start using SSL for all or parts of your website. Access to your site via SSL will be using the "https" prefix instead of the "http" prefix on your URL. Establishing which pages should and should not be SSL is based on both issues of security and performance. SSL pages put a heavier load on the server and the web browser, so SSL should only be used for pages or sections of your website that actually need encryption.

It is even possible to "self sign" a certificate. That is, you can generate the certificate yourself and install it on your SSL hosting account. A self-signed certificate doesn't cost anything and may be good enough if you want to establish an encrypted session but don't have a need for a third party to "certify" the credibility of the website. Hardfocus actually self-signs the certificates used for SSL access to cPanel and webmail. Another example use is for a corporate website that is only accessed by its employees.

Self-signed certificates will cause complaints from your browser software. This is for good reason. But that won't stop the certificate from being honoured by the web browser program if the visitor chooses to accept the certificate as valid. But if doubts are going to be raised about the authenticity of the website or the certificate, then getting a certificate from an established signing authority will give the site more credibility and trustworthiness.
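The difference between a self-signed certificate and one issued by a signing authority can be reproduced offline with the openssl command-line tool. The script below is an added example, not part of the original article or of Hardfocus's setup; the host name shop.example.test, the "Example Test CA" and all file names are constructed. It shows why a verifier rejects a self-signed certificate until that certificate is itself accepted as a trust anchor, which is what a visitor does when they choose to accept it.

```shell
#!/bin/sh
# Added example. All names (shop.example.test, Example Test CA) are constructed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT   # throw-away keys: remove them when the script ends

# Self-signed certificate: the site vouches for itself (subject == issuer).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shop.example.test" \
        -keyout "$work/self.key" -out "$work/self.crt" 2>/dev/null
}

# Private test CA, then a server certificate issued by that CA.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=shop.example.test" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/srv.csr" -days 30 \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/srv.crt" 2>/dev/null
}

# verify_with ANCHOR CERT: does CERT chain to the trust anchor in ANCHOR?
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted
    else echo untrusted
    fi
}

# self_issued CERT: "yes" when subject and issuer are the same name.
self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}

make_self_signed && make_ca_signed || exit 1
echo "self.crt self-issued:         $(self_issued "$work/self.crt")"
echo "self.crt, CA as anchor:       $(verify_with "$work/ca.crt" "$work/self.crt")"
echo "self.crt, accepted as anchor: $(verify_with "$work/self.crt" "$work/self.crt")"
echo "srv.crt,  CA as anchor:       $(verify_with "$work/ca.crt" "$work/srv.crt")"
```

The test CA here stands in for an established signing authority only for the purpose of the demonstration; a browser would not trust it unless it were added to that browser's list of known authorities.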

Caveats

There are a few areas where security might still be compromised. For example:

Use of SSL to encrypt the transfer of form data without encrypting the login/password might allow the user ID and password to be intercepted. An impostor could then use that ID/password to access that user's account information.

The user's computer might be infected with "spyware" that could intercept the transactions of the entire session.

These are just two examples to illustrate that there are still risks involved. If you are mandated with implementing the security for online transaction processing then you will need to familiarise yourself with all of the TLS/SSL best practices and carry out the appropriate audits to make sure that these practices are being followed properly.