SSL: Your Key to E-commerce Security

The e-commerce business is all about making money and then finding ways to make more money. Of course, it's hard to make (more) money when consumers don't feel safe executing a transaction on your Web site. That's where SSL (Secure Sockets Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

What is SSL?
Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security, and it's likely to remain so well into the future.

SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and, in the case of Mozilla Firefox, in the address bar as well).

Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site builders to do their part.

SSL Certificates
At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt the data and to identify the Web site. The SSL certificate helps to prove the site belongs to who it says it belongs to and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root and the country it was issued in.

SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been hacked. As such, you definitely should be looking at getting a 128-bit certificate.

Though there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

Key Terms To Understanding SSL

SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.

digital certificate
An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

encryption
The translation of data into a secret code. Encryption is the most effective way to achieve data security.


DRM
Short for digital rights management, a system for protecting the copyrights of data circulated via the Internet or other digital media by enabling secure distribution and/or disabling illegal distribution of the data.

How to Get an SSL Certificate ... The Wrong Way
There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor.

Technically speaking, the data may be encrypted, but there still is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place. Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses. Making sure those roads are safe is the role of the certificate authorities. Certificate authorities make sure the site is legitimate.

Self-signed certificates will trigger a warning window in most browser configurations, indicating that the certificate was not recognized. VeriSign admits that a lot of people will click through anyway, just as a lot of people will click through an expired SSL certificate.
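The certificate fields described under "SSL Certificates" (holder, domain, issuing authority) and the self-signed and expired warnings described above can be checked with a few lines of code. This is an added example, not part of the original article: the sample certificates are constructed, use the dict shape of Python's `ssl.SSLSocket.getpeercert()`, and all names and dates in them are made up. It inspects fields only; a browser additionally verifies signatures and builds a chain to a root it trusts.

```python
import ssl

# Constructed samples in the dict shape of ssl.SSLSocket.getpeercert();
# every name and date below is made up for illustration.
CA_ISSUED = {
    "subject": ((("countryName", "US"),), (("commonName", "shop.example.test"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "Example Test CA"),)),
    "notBefore": "Jan 01 00:00:00 2005 GMT",
    "notAfter": "Jan 01 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.store.example.test")),
}
# Self-signed: the holder names itself as its own issuer.
SELF_SIGNED = dict(CA_ISSUED, issuer=CA_ISSUED["subject"])
# Expired: validity ended before the evaluation time below.
EXPIRED = dict(CA_ISSUED, notBefore="Jan 01 00:00:00 2004 GMT",
               notAfter="Jan 01 00:00:00 2005 GMT")
NOW = ssl.cert_time_to_seconds("Jun 21 00:00:00 2005 GMT")  # fixed clock for the demo

def host_matches(pattern, host):
    """Exact match, or one left-most '*' label covering exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit_cert(cert, host, now=NOW):
    """Return the reasons a browser-style check would flag this certificate."""
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-issued")      # no independent authority vouches for it
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    # Prefer subjectAltName DNS entries; fall back to the subject's commonName.
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(host_matches(n, host) for n in names):
        findings.append("hostname-mismatch")
    return findings

if __name__ == "__main__":
    samples = (("CA-issued", CA_ISSUED), ("self-signed", SELF_SIGNED), ("expired", EXPIRED))
    for label, cert in samples:
        print(label, audit_cert(cert, "shop.example.test") or "no findings")
```
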

A site that conveys trust is also more likely to be a site that makes (more) money. There is research that suggests that having a recognizable SSL certificate may, in fact, have a direct correlation to increased e-commerce sales. VeriSign, in particular, has done some research that shows that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites and have fewer abandoned shopping carts and better repeat purchases.

Choosing an SSL Certificate Vendor
According to GeoTrust Lockhart there are several things that buyers should look for when purchasing a certificate:

  • Reputation and credibility of the CA (How long have they been in business? Do they have lots of customers?)
  • Ubiquity of the root (is it embedded in all of the popular browsers?)
  • Root is owned by the CA (and not chained to someone else's root)
  • Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)
  • Ease of acquiring the certificate
  • Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)

Conclusion
You are who you say you are. You have nothing to hide and you are running a legitimate e-commerce business that you want consumers to trust and feel comfortable doing business with. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.
 

Did You Know...
Ninety-three percent of online shoppers surveyed by VeriSign reported that they felt it important for an e-commerce site to include a trust mark of some kind on their site.


Adapted from E-commerce Guide.com
Sean Michael Kerner is a regular contributor to ECommerce-Guide.com.

Last updated: June 21, 2005


Related Links

DRM Watch 
Analysis of digital rights management technology.

GeoTrust Whitepaper (PDF)
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud.

VeriSign Research Paper (PDF)
VeriSign Secured Seal Research Review

VeriSign SSL Certificate Page 
VeriSign offers Secure Site Services designed to apply encryption to e-commerce transactions and transmission of confidential information.

CAcert.org
A community non-profit Certificate Authority.



