There has been a massive increase in the volume and sophistication of malware and malware attacks detected recently. Two website security scenarios that give Heads of IT sleepless nights are hijacking of their business website and data theft. Users are particularly concerned about fake websites, especially banking and other finance websites that require personal banking information, and sites that silently and automatically download malware to infect their PCs.
Online businesses relying on customer confidence in their sites must be able to create a trusted environment where customers making online payments feel able to pass over confidential information when making purchases or carrying out financial transactions.
Another area of concern has been the interception of data in flight between sites. If that data is sent in the clear, not encrypted, then there is the potential for sensitive information such as passwords to be captured.
The response by the online community has been in the use of encrypted connections using the industry standard Secure Sockets Layer (“SSL”) technology. You may have seen this connection option when setting up an email connection in an email client. Browsers tend to apply SSL connectivity behind the scenes. You notice SSL because it is usually https:// not http:// in the website URL, and a small padlock appears on the address bar.
SSL has been applied as a general server connection method, used for email servers and FTP servers, among others, in addition to web servers.
What must be understood is that SSL only protects against other websites hijacking your server address and delivering users to another site claiming to be yours. It prevents data theft by encrypting communications between your business website and the client. It is part of a website security programme, not a complete malware protection solution.
It does not protect against malicious actions after a client is legitimately connected to your site. You need a properly configured secure site and other malware protection tools for that scenario.
However, having said that, the website security of your business website needs SSL, if only to reassure potential customers that they can carry out payments and financial transactions in safety.
What is SSL and how does it work?
The most common type of SSL implementation is where a server and a client exchange information that identifies that the server is who it claims to be, and thereafter establishes a unique encryption session between the site and client. The term client is used because this technique applies to more than browsers. Email and FTP sessions use SSL, as do remote maintenance applications like TeamViewer.
SSL is based around the concept of a key pair, a public and private key, usually described as asymmetric cryptography. Public keys are readily available to encrypt a message, but the private key, used to decrypt it is known only to the owner. Therefore, in an ideal world, anyone can encrypt, but only the private keyholder can decrypt. To ensure that the encryption and identification information has not been compromised, it is held by a third party, a certified certificate authority (“CCA”).
A current problem is that of verifying the authenticity of a public key. This is addressed by a CCA digitally signing the website certificate as being authentic. Not an entirely satisfactory solution, but the best there is right now.
The first step in implementing SSL security is for the server to create the SSL certificate and to lodge it with a CCA. The certificate uniquely identifies the server in a part called the “subject”. It also contains the key pair.
When the user links to the business website, the first step is establishing that the website is who it says it is. The client compares the website certificate with that held by the CCA. If there are differences, then progress to the site is blocked, or the user is given the opportunity to ignore the error and carry on anyway. One common error is for the certificate to have expired.
If this is your business website, potential customers will be scared away, so make sure your certificates are always valid. There are various types of certificate: those for individual websites, and those for multiple websites.
Your business is therefore protected against false websites pretending to be your business website.
The next step is to establish a secure communications session between the client and the server. They exchange public keys and each uses the other’s public key to encrypt the information it sends. Incoming information is decrypted using the private key. This ensures that any information intercepted between the server and the client is encrypted and therefore unusable.
At this point, if all is in order, the session opens and the client is available to interact with the server.
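The verification step described above (does the certificate name the site, who issued it, and has it expired), written out in Python as an added example that is not from the original article: `fetch_peer_cert` pulls the certificate over a verified connection for a live site, and `assess` reports the checks; the function names and the sample certificate dictionary are assumptions constructed here so the code runs offline.

```python
import socket
import ssl
import time
def fetch_peer_cert(host, port=443, timeout=5.0):
    # Verified TLS connect (system CA roots + hostname check): the padlock check.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def name_field(rdn_seq, field="commonName"):
    # getpeercert() gives subject/issuer as nested tuples; pick one field out.
    return dict(kv for rdn in rdn_seq for kv in rdn).get(field, "")

def days_until_expiry(cert, now=None):
    # Days left on notAfter; a negative result means it has already expired.
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def names_cover_host(cert, host):
    # DNS SANs win over the CN; '*.example.com' covers one label, never the apex.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [name_field(cert["subject"])]
    want = host.lower().split(".")
    for name in names:
        got = name.lower().split(".")
        if got == want:
            return True
        if got[0] == "*" and len(got) == len(want) and got[1:] == want[1:]:
            return True
    return False

def assess(cert, host, now=None, warn_days=14):
    days = days_until_expiry(cert, now)
    return {
        "subject": name_field(cert["subject"]),
        "issuer": name_field(cert["issuer"]),
        "days_left": round(days, 1),
        "expired": days < 0,
        "renew_soon": 0 <= days < warn_days,
        "hostname_ok": names_cover_host(cert, host),
    }
# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}
```

For a live site, `assess(fetch_peer_cert("shop.example.com"), "shop.example.com")` gives the same report; a `renew_soon` of True is the early warning to renew before customers see the expiry error.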
The original question asked why SSL certificates are essential to a business website. They are essential to give customers the security of knowing that they are dealing with the correct entity and that their personal information is secure.