Thursday, 16 September 2010 00:00
In all the years I have been involved with ecommerce, both as a merchant and as a consumer, SSL (Secure Sockets Layer) certificates have always been an area of contention for me. There are several myths about SSL and the golden padlock that need debunking.
When I talk to people about SSL certificates, there are really two reasons people like them. The first reason is security: the certificate enables encryption of the data travelling between the browser and the web server. There are several different levels of encryption, with 128-bit being the most popular.
The second reason is all to do with trust. If you have a golden padlock, or better still a green bar in the browser, it implies trust. Web surfers all over the world have been trained to look for the padlock symbol, together with links to certificate authorities or impressive statements such as "secured by 128-bit encryption". It's all part of winning the trust battle.
So with the scene set, here are my top SSL myths:
Wrong. An SSL certificate does not make a website secure. Remember that the whole point of a certificate is to ensure the data travelling between the browser and the server is protected. Once the data has arrived at its destination, there is no knowing what happens to it. Contrary to popular belief, SSL does not safeguard the data when it is at rest.
The secondary role of SSL is to enable a website to prove that it is legitimate. It establishes that the site is who it claims to be, as it has to have been vetted by a Certificate Authority. The truth of the matter is that there is very little vetting involved; more on this in Myth 3.
Wrong, SSL is very breakable. My favourite example of this was when a group of hackers broke the 128-bit golden standard by using a bank of 200 PlayStations. These cybercriminals exploited a flaw in the MD5 algorithm used by most certificate authorities to sign certificates, which allowed them to create and issue their own certificates.
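The defensive counterpart to the MD5 story above is to check what algorithm actually signed the certificates you rely on. The following is an added example, not code from the article or from Actinic: a standard-library-only walker that reads the signature AlgorithmIdentifier out of a DER-encoded X.509 certificate and flags MD5 (and SHA-1) signatures. The two sample certificates it builds are constructed, deliberately minimal skeletons for demonstration, not real or valid certificates.

```python
# Added example (stdlib only): read the signature algorithm of a DER X.509 certificate and flag
# MD5/SHA-1. Walks Certificate -> tbsCertificate -> [0] version?, serialNumber, signature (RFC 5280).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # the MD5 signatures the forgery abused
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # no longer accepted by browsers either
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the first two arcs
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last base-128 digit of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    _, tbs, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, tbs)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                          # optional explicit [0] version
        tag, _, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, alg, _ = read_tlv(der, end)           # signature AlgorithmIdentifier SEQUENCE
    _, start, end = read_tlv(der, alg)       # its first child is the algorithm OID
    return decode_oid(der[start:end])

def assess_certificate(der):
    """Return (oid, verdict); verdict is 'ok' or 'WEAK: <algorithm name>'."""
    oid = signature_algorithm_oid(der)
    weak = WEAK_SIGNATURE_OIDS.get(oid)
    return oid, (f"WEAK: {weak}" if weak else "ok")

def _der(tag, body):  # short-form DER encoder, only for the constructed sample below
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex):
    """Constructed, deliberately minimal certificate skeleton (not a real or valid cert)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01\x23") + alg)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

Run `assess_certificate` over the DER bytes of a real chain (for example the output of `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`) to audit every certificate, not just the leaf.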
There have also been a number of high-profile "man in the middle" attacks, where a hacker sits between the web browser and the server, intercepting the data. Even the new Extended Validation (EV) certificates (indicated by the green bar in the browser) are susceptible.
Correct: an SSL certificate does prove who you are, but do you or your visitors check? Having an SSL certificate means that at some point someone has validated who you are. However, there are many different types of SSL certificate, ranging from those costing £20 a year all the way up to hundreds of thousands. Not surprisingly, the amount of validation conducted varies with each certificate type.
Wrong. SSL is perfectly acceptable for encrypting credit card data in transit, but it's what happens next that's important. I have spoken to many merchants who naively believe SSL is enough. Remember that SSL has nothing to do with securing the data once it's on your server.
In fact, if you are storing card data yourself you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Becoming PCI compliant is a huge undertaking, so the simplest approach is to use a PCI-compliant Payment Service Provider (PSP), such as RBS WorldPay or Actinic Payments, in which case an SSL certificate isn't required.
SSL certificates have been with us for a long time, and they remain the best and most secure way to prove a site's identity and encrypt data while it is on the move. However, security is more than these two points, and for your customers' sakes it's important that you understand SSL and go beyond this basic starting point.
The article was written by Ben Dyer of ecommerce supplier Actinic. Originally published on The IT Donut.