We have warmed up to the ideas of banking and shopping online, partly because we understand the technology a little better and partly because we tend to trust big institutions. But mostly because more and more brave pioneers began using the new technology without being eaten or suffering other terrible consequences.
We can feel even better about trusting online banking and shopping if we better understand the Internet’s definition of trust. On the Internet, trust is established by an organization’s reputation but, more importantly, by its website’s security certificate.
Do you remember Ralphie’s Ovaltine secret decoder ring? He really, really, really had to have it so he could understand the secret radio message! Of course, Internet encryption is vastly more complex but the basic idea is the same.
HTTPS AND SSL
HTTP is the default protocol that your browser uses to communicate with web servers. You have probably seen a web address or URL (uniform resource locator) that looks like this: “http://www.southsidetech.com.”
You don’t have to type the http:// part because it is assumed. Your browser fills this part in for you automatically.
SSL stands for Secure Sockets Layer; it does two things:
- Encrypts your data, which means no one can see what the website sends to your browser or what your browser sends to the website.
- It authenticates the website. In other words, it certifies that the website is actually owned by the entity that claims to own it.
HTTPS is HTTP plus SSL. It means the web page at that address uses SSL to encrypt data and authenticate the website. Usually the link you use to get to a secured site is programmed with the https:// prefix. Otherwise, you would need to type this part of the address yourself, because it is not the browser’s default protocol.
When you see the little lock next to a web site’s address in your browser’s address bar, or you see “https” at the beginning of the address, this means that you are using encrypted communications.
A Certificate is a document that a website shows a browser to authenticate its identity. It “certifies” that the website is who it says it is. Certificates are issued by a “Certificate Authority” (CA), a company that will verify for the browser that a particular website’s certificate can be trusted. All web browsers (IE, Chrome, Firefox, etc.) come pre-loaded with security files for the Certificate Authorities whose opinion they will trust.
The website owner must generate a Certificate Signing Request and send it to a trusted CA. The CA then verifies the website’s ownership and “signs” the security certificate. Once it is issued, the website owner installs the certificate on their web server. The certificate includes owner information like organization name, address, etc. and public and private encryption keys.
Public and Private Keys
A private key is a secret password that is known only by the website and the CA. This is how the CA can vouch for the website. When a web browser requests an encrypted page from the website, it can be certain the website belongs to who it says it belongs to. Otherwise, an unscrupulous entity could pose as the site and fool you into revealing your logon credentials for the real site.
Included in the Certificate is a public key. It uses a different password for encryption. The private and public keys are unique to that Certificate. Data encrypted with the private key can only be decrypted with the public key, and vice versa. Only the private key can encrypt data for a particular public key. That is how you know the website is who it claims to be.
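The certificate story told in the last few paragraphs can be run end to end on your own computer. The program below is an added example written for this page; it is not code from the article, from any browser, or from any Certificate Authority, and it uses only Go’s standard library. Every name in it is constructed: the hostname www.example.com, the two CA names, and the “browser nonce” challenge value. It models the three parties in the story: the CA, which signs a site certificate with the CA’s own private key; the browser, which ships with the CA’s certificate and checks the site certificate against it and against the hostname typed in the address bar; and the website, which proves it holds the private key by signing a value the browser supplies, which the browser then checks with the public key found in the certificate. One assumption the example makes explicit: the site generates its own key pair, only the public half is sent to the CA in the signing request, and the private half stays on the web server. The demo also shows the two failures a browser is built to catch: a real certificate shown for a different hostname, and a certificate for the right hostname issued by a CA the browser was never shipped with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any setup failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl (for public key pub) with the signer's private key and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// CA models a certificate authority: its private key signs certificates, and its
// self-signed certificate is the "security file" a browser ships with (names are constructed).
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA(name string) *CA {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	return &CA{Key: key, Cert: issue(tmpl, tmpl, &key.PublicKey, key)}
}

// IssueSiteCert is the CA's side of a signing request: it receives only the site's
// public key and hostname (ownership check assumed done out of band) and signs.
func (ca *CA) IssueSiteCert(hostname string, sitePub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return issue(tmpl, ca.Cert, sitePub, ca.Key)
}

// BrowserVerify is the browser's side: trust only the preloaded root and require
// the certificate to be valid for the hostname typed in the address bar.
func BrowserVerify(root, leaf *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// SignChallenge: the site signs a browser-supplied value with its private key.
func SignChallenge(siteKey *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, siteKey, h[:]))
}

// CheckChallenge: the browser checks that signature with the public key in the certificate.
func CheckChallenge(leaf *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// DemoResult records what the modelled browser accepted: the genuine site; the same certificate
// shown for another hostname; a certificate for the right name from a CA the browser lacks; the
// site's proof that it holds the private key; and an impostor holding the certificate but not the key.
type DemoResult struct{ Genuine, WrongHost, UntrustedCA, Challenge, Impostor bool }

func RunDemo() DemoResult {
	const host = "www.example.com" // constructed hostname
	trusted, rogue := NewCA("Trusted Root CA (constructed)"), NewCA("Rogue CA (constructed)")
	siteKey := newKey() // generated on the web server; the private half never leaves it
	siteCert := trusted.IssueSiteCert(host, &siteKey.PublicKey)
	impostorKey := newKey() // an impostor gets a certificate for the same name from the rogue CA
	impostorCert := rogue.IssueSiteCert(host, &impostorKey.PublicKey)
	challenge := []byte("browser nonce 0xC0FFEE (constructed)")
	return DemoResult{
		Genuine:     BrowserVerify(trusted.Cert, siteCert, host) == nil,
		WrongHost:   BrowserVerify(trusted.Cert, siteCert, "login.example.net") == nil,
		UntrustedCA: BrowserVerify(trusted.Cert, impostorCert, host) == nil,
		Challenge:   CheckChallenge(siteCert, challenge, SignChallenge(siteKey, challenge)),
		Impostor:    CheckChallenge(siteCert, challenge, SignChallenge(impostorKey, challenge)),
	}
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Run it with go run and you should see Genuine and Challenge true and the other three false. The two rejections are the important ones: the browser never contacts the CA during the check, it simply refuses any certificate whose signature does not trace back to a root it was shipped with, and it refuses a perfectly valid certificate if the name inside it is not the name you typed. The impostor line shows why copying a certificate from a real site gains nothing: without the private key, the impostor cannot answer the challenge.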
You can view information about a website’s certificate by either clicking on the little lock in your browser’s address bar, or clicking on the CA’s “seal” emblem usually located on the secured web page. Common CA seals will be from companies like Verisign, Thawte and GoDaddy. You can also see what Certificate Authorities your browser trusts by going to your browser’s settings, options or tools menu.
Technology can help us be more efficient and make our lives easier. I hope this will help you to better understand Internet security technology and the risks of using it, and take away a little fear of the unknown.