
SSL Is the Standard


Believe it or not, Secure Sockets Layer is almost ten years old! Given the fact that most people have only discovered the Internet within the past five years, that says a lot. SSL is also the single most widely used form of encryption in the world, and hardly anyone realizes that it even exists. SSL is a stable and mature technology, but that does not necessarily mean that it is the answer to all your e-commerce security problems.

In normal, non-secure Web connections, the Web server acts as sort of a vending machine because it can only handle one request at a time. After it gives you what you asked for, it stops. If you put a dollar in a vending machine for a 35 cent item, the vending machine won’t wait to see if you’re going to order something else to use up the money left over.

Nope, it returns your change and acts as if it has never dealt with you before. The same is true with basic Web transactions. After you pull up a page, the Web server severs the connection and it truly doesn’t know you anymore.

(That is, unless the Web server used “cookies” to keep track of you. But, that’s another subject altogether.)

When you communicate with a Web server you are relatively anonymous to it. A cookie stored on your computer will allow the Web server to track you, but the cookie doesn’t usually have any of your personal identification. To the Web server you are just a number, a date and time, and other miscellaneous information.

Because no personal information is transferred between your computer and the Web server, you would think it would be difficult for someone to obtain that information. But, as I mentioned before, there are always bad guys out there who spend a lot of time trying to trick you, and the Web is no different. There are scams and illegal activities on the Web designed to trick you into disclosing your personal information. The scams can take the form of a Web site that is impersonating another Web site (referred to as phishing). There are sites that look like eBay, Amazon, or PayPal, but they’re not. At first glance these sites appear to be genuine because they look exactly like the real ones. Often the scammers are using these sites to trick you into giving them your UserID and password. This has become such a big problem that many of the big e-commerce companies have had to create entire offices just to deal with cases of fraud.

There are other frauds that hijack the connection between your machine and the Web server (a form of man-in-the-middle attack, or MITM). These are very hard to spot because you, as the Web surfer, won’t notice anything wrong. The person hijacking the connection is hoping to snag some of your personal information flowing across the link. Hijacking is possible because regular Web connections are not encrypted.

SSL was created to fix, or at least mitigate, the problems of interception and impersonation. It accomplishes this through an exchange of keys and the encryption of the connection. The first implementations of SSL were limited to 40-bit encryption, but now most Web browsers are capable of handling 128-bit encryption.

Technical Stuff Sometimes you will get SSL error notices when you access a secure Web page. This happens when the site’s Web masters have made a mistake in the way they coded the HTML on that page, or when the page includes links to offsite images or text that are served over HTTP instead of HTTPS. This frequently causes a lot of confusion for users. It doesn’t necessarily mean that the security has been breached; it just means that there is an error on the page somewhere.
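A site owner can catch this kind of mixed content before visitors see the warning by scanning the page’s HTML for resources that the browser would fetch over plain HTTP. The Python script below is an added example, not code from the book; the page URL, the host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and attributes whose URL the browser fetches while rendering the page.
# Plain <a href> links are navigation, not page resources, so they are not checked.
FETCHED_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src",),
    "embed": ("src",), "link": ("href",),
}


class MixedContentParser(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every resource served over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHED_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        # Only stylesheet <link> elements are fetched as part of rendering
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme (https)
            absolute = urljoin(self.page_url, value)
            if urlparse(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(html, page_url):
    """Return the insecure resources on an HTTPS page; an HTTP page has none by definition."""
    if urlparse(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two resources are pulled over HTTP, the rest are fine
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/styles/shop.css">
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/ring.jpg">
<img src="//images.example.test/logo.png">
<a href="http://partner.example.test/">Our partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://shop.example.test/checkout"):
        print("mixed content: <%s %s=%s>" % (tag, attr, url))
```

Run against a saved copy of the checkout page; each line printed is a resource the Web master needs to move to HTTPS (or a protocol-relative `//` URL) before the browser will stop complaining.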

A typical SSL connection

Before you can start an encrypted session with a Web server, there are a series of transactions and agreements that happen between your machine and the Web server, as shown in Figure 11-1. Most of the time this happens so quickly you don’t even realize that something different is going on. Here is an introduction to the exchanges between your machine and the Web server:

Your machine initiates the conversation by requesting a secure connection from a site that offers this service.

The Web server answers your request by sending its Digital Certificate (and associated public key) to your machine.

When your machine receives this information, your browser has a look at the internal information it holds about certificates and the issuers (Certificate Authorities) of Digital Certificates. Your browser compares the Digital Certificate it has received from the Web server to this internal list and then decides whether or not that certificate is trustworthy.

If the browser decides the Digital Certificate is okay, then it computes a one-time key (a session key) and sends it back to the Web server. This session key is encrypted with the Web server’s public key.

After the Web server gets the session key, encryption of the communications between the two machines begins. You will note that the address of the next page that appears in your browser starts with https:// instead of the normal http://. Depending on the type of browser you have, the status bar will also display a small key or a small lock to indicate that the link is secure.
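The five steps above, played out as an added Python example (not code from the book). It models the exchange with a toy RSA key pair (a constructed 61 × 53 modulus, far too small for real use), a constructed trusted-root list, constructed names such as shop.example.test and Example Root CA, and a toy SHA-256 keystream standing in for the real symmetric cipher; the transcript records both sides’ messages, including the refusal when the issuer is unknown.

```python
import hashlib
import os
from dataclasses import dataclass

# Toy RSA key pair (constructed for illustration; real keys are thousands of bits)
TOY_P, TOY_Q = 61, 53
TOY_N = TOY_P * TOY_Q            # 3233
TOY_E = 17
TOY_D = 2753                     # TOY_E * TOY_D == 1 (mod 60 * 52)
SERVER_PUBLIC_KEY = (TOY_E, TOY_N)
SERVER_PRIVATE_KEY = (TOY_D, TOY_N)


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_key: tuple      # (e, n); the public key travels with the certificate


# Stand-in for the browser's built-in list of trusted root CAs (constructed)
TRUSTED_ROOTS = {"Example Root CA"}
SERVER_CERT = Certificate("shop.example.test", "Example Root CA", SERVER_PUBLIC_KEY)


def rsa_encrypt_bytes(data, public_key):
    """Encrypt each byte as its own RSA block (toy: no padding, every byte is < n)."""
    e, n = public_key
    return [pow(b, e, n) for b in data]


def rsa_decrypt_bytes(blocks, private_key):
    """Recover the bytes; only the holder of d can do this."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def keystream_xor(key, data):
    """Toy stream cipher for the encrypted phase: SHA-256(key || counter) XOR data.
    The same call encrypts and decrypts. Illustration only, not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(server_cert, server_private_key, trusted_roots, session_key=None):
    """Steps 1-4: hello, certificate, trust check, encrypted session key.
    Returns (transcript, session_key); session_key is None if the browser refuses."""
    transcript = [("client", "Hello: please set up a secure connection")]
    transcript.append(("server", "Certificate: subject=%s issuer=%s"
                       % (server_cert.subject, server_cert.issuer)))
    # Step 3: the browser compares the issuer with its list of trusted roots
    if server_cert.issuer not in trusted_roots:
        transcript.append(("client", "Alert: issuer not in trusted root list"))
        return transcript, None
    # Step 4: a one-time session key, encrypted with the server's public key
    if session_key is None:
        session_key = os.urandom(16)
    blocks = rsa_encrypt_bytes(session_key, server_cert.public_key)
    transcript.append(("client", "Key exchange: %d RSA-encrypted blocks" % len(blocks)))
    recovered = rsa_decrypt_bytes(blocks, server_private_key)
    if recovered != session_key:
        transcript.append(("server", "Alert: could not recover session key"))
        return transcript, None
    transcript.append(("server", "Session key installed; switching to encrypted traffic"))
    return transcript, session_key


def encrypted_request(session_key, request):
    """Step 5: both sides use the session key. Returns (bytes on the wire, what the server reads)."""
    ciphertext = keystream_xor(session_key, request)
    return ciphertext, keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    transcript, key = handshake(SERVER_CERT, SERVER_PRIVATE_KEY, TRUSTED_ROOTS)
    for side, message in transcript:
        print("%-6s %s" % (side, message))
    if key:
        wire, seen = encrypted_request(key, b"GET /checkout HTTP/1.1")
        print("wire bytes :", wire.hex())
        print("server sees:", seen)
```

The point to notice is where the security comes from: an eavesdropper on the link sees the certificate, the RSA blocks and the ciphertext, but never the session key, and a browser that does not recognise the issuer stops before any key is sent at all.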

Figure 11-1: The exchange of communications for encrypted e-commerce transactions.

If there is a problem with the certificate from the server, your machine receives an alert such as the one shown in Figure 11-2.


Figure 11-2: An invalid SSL certificate alert.

This does not necessarily mean that the Web site is not to be trusted; it’s just that the certificate it sent was not signed by one of the Certificate Authorities on your Web browser’s trusted list. This could be because the certificate was not issued and digitally signed by a mainstream provider of Digital Certificates, such as Verisign or GTE CyberTrust. It could also mean that the certificate is a fake and should not be trusted. It’s up to you to do a little investigative work to decide whether you want to trust the Web site and its associated Digital Certificates.

Rooting around your certificates

If you open your browser and go to the settings for Internet options, you’ll be able to find the area where the Digital Certificates are stored. In MS Internet Explorer, choose Tools>Internet Options and then the Content tab. Midway down the window you’ll see a button that says Certificates. In other browsers, such as Netscape and Mozilla (which are essentially the same), certificate information is stored under the Preferences command, usually in the Privacy and Security section.

When you get to the Certificates dialog box, you’ll find a list of Trusted Root Certificate Authorities. These are the companies that have issued Digital Certificates to e-commerce companies.

Technical Stuff Not all companies that issue certificates will be listed in your browser’s Certificates section. The reason there are some companies listed and not others is that there are business relationships between the browser vendors and certain Certificate Authorities. Just because a Certificate Authority is included in the browser’s default list does not necessarily mean that their certificates should be trusted more than others. What it does mean is that if you have a problem with a certificate issued and signed by one of these Certificate Authorities, you will probably get more cooperation from them in resolving any problems. Why? Because their reputation and working relationship with the browser vendor could suffer if users are constantly having problems.

When you find the listing of Digital Certificates, go to the Certificate Authorities or Root Certificate area and examine the individual certificates. (The procedure differs between browsers.) When you open a certificate’s description, it will tell you what the certificate is used for. You’ll note that some of them state that they are good for secure e-mail; that’s because browsers have e-mail programs built in. What you’re looking for are the Root Certificates that are used for Server Authentication, which means they are used to validate the SSL Digital Certificates that Web servers present. You also want to check the expiration date of the Root Certificates. If a Root Certificate has expired, you definitely should not trust any certificates coming from that company.

An example of the Certificates included with MS Explorer is shown in Figure 11-3. Note there is an area at the bottom that says Certificate Intended Purposes. This area tells you if the certificate can be used for secure e-mail, client authentication, server authentication, and so on. Some certificates are very limited in what they can be used for and others have a broad range of uses.
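Pulling together the checks described for the alert in Figure 11-2 and for the root certificates above (is the issuer in the trusted list, has either certificate expired, has the server certificate been revoked, and is the root intended for Server Authentication), here is an added Python example, not code from the book. The root store, the dates and names such as Example Root CA are constructed; Hal’s Discount Certificates is the book’s own fictional issuer.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RootCertificate:
    name: str
    expires: date
    intended_purposes: frozenset   # the dialog's "Certificate Intended Purposes"


@dataclass(frozen=True)
class ServerCertificate:
    subject: str
    issuer: str                    # name of the root that signed it
    expires: date
    revoked: bool = False


# Constructed stand-in for the browser's Trusted Root Certificate Authorities list
ROOT_STORE = {
    "Example Root CA": RootCertificate(
        "Example Root CA", date(2035, 1, 1),
        frozenset({"Server Authentication", "Client Authentication", "Secure Email"})),
    "Example Mail CA": RootCertificate(
        "Example Mail CA", date(2030, 1, 1), frozenset({"Secure Email"})),
    "Example Old CA": RootCertificate(
        "Example Old CA", date(2001, 1, 1), frozenset({"Server Authentication"})),
}


def evaluate_certificate(cert, root_store, today):
    """Return the reasons a browser would raise an alert; an empty list means trusted."""
    problems = []
    if cert.expires < today:
        problems.append("server certificate expired on %s" % cert.expires)
    if cert.revoked:
        problems.append("server certificate has been revoked")
    root = root_store.get(cert.issuer)
    if root is None:
        # The Figure 11-2 case: the certificate may be fine, but its signer is unknown
        problems.append("issuer '%s' is not in the trusted root list" % cert.issuer)
        return problems
    if root.expires < today:
        problems.append("root certificate '%s' expired on %s" % (root.name, root.expires))
    if "Server Authentication" not in root.intended_purposes:
        problems.append("root certificate '%s' is not intended for Server Authentication"
                        % root.name)
    return problems


if __name__ == "__main__":
    today = date(2025, 6, 1)   # constructed "current" date
    samples = [
        ServerCertificate("jeweler.example.test", "Example Root CA", date(2026, 6, 1)),
        ServerCertificate("rings.example.test", "Hal's Discount Certificates", date(2026, 6, 1)),
        ServerCertificate("mail.example.test", "Example Mail CA", date(2026, 6, 1)),
        ServerCertificate("old.example.test", "Example Old CA", date(2026, 6, 1), revoked=True),
    ]
    for cert in samples:
        verdict = evaluate_certificate(cert, ROOT_STORE, today)
        print(cert.subject, "->", "trusted" if not verdict else "; ".join(verdict))
```

The first sample is the New York jeweler case from the text; the second is Hal’s Discount Certificates, which fails only because its root is absent from the store, exactly the situation the alert in Figure 11-2 describes. The order of the checks matters in practice: expiry and revocation are reported even when the issuer is unknown, so the user sees every reason at once rather than discovering a second problem after fixing the first.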

Figure 11-3: Root certificate uses and its expiration date.

The reputation of the companies that issue certificates is all important. It’s like trusting a bank. You want to make sure that they’ve been around for a long time, that they have good business practices, that they are likely to be around for a while, and that they are trustworthy. If you had a choice of two banks, where one was a big established name-brand and the other was located in a storage garage on the outskirts of town and handled its transactions out of a cardboard box, which would you be more likely to give your money to? (Hopefully that’s not really a difficult question!)

The same goes for e-commerce sites. Consider the two examples below:

1. You’re going to buy a diamond ring online. You go to the Web site of a famous jeweler in New York City. Their Digital Certificates are good (they were issued by a reputable company and have not been revoked or expired) and are signed by the Root Certificate of a well-known, well-respected Certificate Authority. You find the diamond ring you want, you enter your credit card number on the Web site, and you get your authorization and receipt. If the ring doesn’t arrive the next day as promised, how much faith do you have that you will get either your ring or your money back?

2. You’re going to buy a diamond ring online. You do an Internet search on “diamond rings” and pick a site at random from the search results. You check up on that company and find an address that places them in Outer Mongolia. You’re not sure whether there is a real bricks-and-mortar office in Mongolia or the address is just a mail drop. Their Digital Certificate has not expired or been revoked, but it was issued by a company called “Hal’s Discount Certificates” and there is no Root Certificate in your browser for that company. You check up on Hal’s Discount Certificates and discover that their mailing address is in Las Vegas. You order your ring anyway and enter your credit card number on the Web site. When your ring does not arrive the next day as promised, how confident are you that you will get your promised ring or your money back?

Seems like an easy decision to make, right? Well, most of the problems you will run into will be a lot harder to resolve than the examples I have given. There will be a thousand shades of gray in the validity of the Digital Certificates or the Certificate Authorities’ Root Certificates. It will be entirely up to you to either place your trust in those sites and certificates or not.

When you are setting up your own SSL e-commerce system, you will need to make these important decisions, too. Is it better to go with the quick and cheap certificates from an unknown Certificate Authority, or is it better to bite the bullet, pay the big bucks, and go with the big-name Certificate Authorities? It’s an important decision, so make sure you have all the information.
