Ecommerce Security: SSL

In the early days of web browsing, no one worried much about the security of messages going back and forth. When e-commerce took off in the early part of the century and credit card transactions became the mainstay of funds transfer, electronic piracy became a real concern. Anticipating the need for security, Netscape developed an encryption system called SSL (secure sockets layer) in 1994. It’s now the standard for securing information that travels between clients and servers around the world.

SSL’s Challenge

SSL is a complex system of encryption and decryption. It relies on several components. First is a digital certificate that works much like an ID card. An e-commerce business has to register with a reputable agency that issues such certificates.

The second component is a key system. Encoding and decoding a message requires a solution key that’s used to translate the message into gibberish that others can’t read. The recipient also needs a key to find out what the message says.

The first challenge is to send the recipient a key to encode his message in a way that only you can read it. Clearly, if a thief is intercepting messages to steal information, he or she can steal the key in anticipation of decoding the secret information on the next pass.

The second challenge is to make sure that your customer is sending information to a legitimate business and not someone pretending to sell products while stealing their sensitive or financial information.

How SSL Works

SSL makes use of a system of keys and coded exchanges to ensure that transmissions are secure in both directions. The program generates private keys that are discarded after a single use, as well as public keys that are used to identify legitimate businesses.

To initiate SSL, an online business owner first registers for a digital certificate. When a user sees a security seal on your e-commerce web site, he or she can actually check your status with the certifying agency. When the customer initiates a transaction with you, your server starts an exchange of coded and double-coded messages making use of the public and private keys. This exchange, or “handshake,” takes care of three needs:

  • The need to authenticate your identity as a legitimate business whose certificate information is on record and up to date.
  • The need to send your private code that the client’s browser will use to encrypt his private information.
  • The need to send the private key in such a way that it can’t be intercepted and used to decode the message that contains the information to be secured.

In order to use the SSL system, the business owner has to apply for certification. This involves submitting information that allows the certifying agency to verify your legitimacy. Usually, your articles of incorporation are sufficient documentation. An annual fee is assessed. Depending on the number of e-commerce sites you have, the service can cost hundreds of dollars to thousands of dollars per year.

Once you’ve registered with an SSL vendor, you can install the system on your server. Users have access to the public key that starts the exchange of encrypted messages if they simply enable their browsers. SSL is compatible with most popular browsers and server brands. Users can tell that a secure transaction is taking place when they see a small padlock icon on the bottom bar of their browser window. They might also notice that the URL prefix changes from http:// to https:// when they reach an SSL-enabled page.

SSL Keys

An encryption and decryption key is effective only insofar as it can’t easily be decoded. The earlier SSL keys were made up of 40 bits, meaning that 2^40 combinations of digits could be generated.

Since fast and efficient computers can generate and check the entire range of combinations in just one day, key lengths now range from 128 to 256 bits to make brute force decoding impossible.

SSL’s Limitations

Key length remains an issue as SSL becomes the standard for encryption throughout the world. While the US and other advanced nations routinely use 128 or 256 bit encryption keys, many developing nations are limited to 40 bit keys. As a result, the possibility of intercepting information and decoding it with brute force methods remains an issue.

Note that SSL does nothing to prevent the interception of messages: its job is to encrypt information so that if and when it’s intercepted, the contents are useless gibberish to anyone who doesn’t have the decoding key.

Another limitation to the system is user carelessness. As always, the human factor is a weak link in the system. While a transaction begins with the handshake that opens the way for key exchanges, the transaction is halted if the user’s browser doesn’t recognize a legitimate certificate.

The user sees a message indicating that the certificate wasn’t recognized or that it expired. If the user ignores the message and continues the transaction, he may be sending his private information to a cyberthief. Although many users are cautious about using their credit cards online, an alarming number close a pop-up window without paying attention to the warning.
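As an added illustration of the authentication step of the handshake and of the checks a user skips by clicking through an expired or unrecognized certificate warning, the following Python example is not from the original post. The certificate dictionary is constructed, shaped like what Python's ssl module returns from getpeercert(); the hostname shop.example.com is a placeholder.

```python
import ssl
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may stand in for the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_peer_cert(cert: dict, hostname: str, now=None) -> list:
    """Return the reasons a browser would refuse this certificate (empty list = OK).
    Validity dates and hostname binding are what an 'expired' or 'not recognized'
    warning is about; trust in the issuer is checked separately against the CA store."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname!r} not covered by {dns_names}")
    return problems


def strict_client_context() -> ssl.SSLContext:
    """The client setting to keep: verify the chain and the hostname, never CERT_NONE.
    create_default_context() already enables both; this only makes it explicit."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    mid_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
    print(check_peer_cert(SHOP_CERT, "shop.example.com", now=mid_2024))  # []
```

Running check_peer_cert with the default now (the current time) shows the sample certificate as expired, which is exactly the warning the browser would raise before the transaction halts.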

What You Can Do

Banking, e-commerce and other commercial sites that collect private information must urge their customers to be cautious about transmitting their data when certificates lack authentication or they’ve expired.

Some businesses design their own encoding system and display a seal on their sites that indicates that the site is secure. While this practice does away with the high cost of SSL’s digital certificates, it lulls users into thinking that their information is protected when, in fact, it might be quite easy for a hacker to decrypt.

Finally, many businesses store client information on their servers and take few precautions to protect their servers from hackers and other thieves. Recent news of a laptop computer theft that compromised the private information of many veterans is proof that even burglars are a threat to web commerce.

As a rule, vendors should protect their clients’ private information as they would want to be protected.

This entry was posted in Online Marketing.

One Response to Ecommerce Security: SSL

  1. Really cool post, highly informative and professionally written. Good job.
