Introduction
Secure Sockets Layer (SSL) is the World Standard for Web Security. SSL technology confronts the potential problems of unauthorized viewing of confidential information, data manipulation, data hijacking, phishing, and other insidious Web site scams by encrypting sensitive data so that only authorized recipients can read it. In addition to preventing tampering with sensitive information, SSL helps provide your Web site’s users with the assurance of having accessed a valid Web site. Support for SSL is built into all major operating systems, Web applications, and server hardware—meaning that SSL’s powerful encryption technology helps provide your business with a system-wide, liability limiting security blanket for fortifying consumer confidence, boosting the percentage of completed transactions, and enriching the “bottom line.” Due to recent advances in SSL technology, there is a variety of different kinds of SSL. In this paper, we will discuss some of these advances to help you decide which would be best for your organization.
+ SSL Overview
SSL became the standard over a decade ago to ensure the privacy of online communications. A special data file called an SSL Certificate is created for a specific server in a specific domain for a specific entity. Similar to a passport or driver’s license, SSL Certificates are issued by trusted authorities such as VeriSign. Every entity that receives an SSL Certificate must pass some form of authentication that verifies it is who it says it is.
With the explosion of phishing and other fraudulent Web activity aimed at stealing people’s personal information, identity authentication is more important now than ever before. The level of identity authentication verified by an SSL Certificate differs from one SSL Certificate to another, and from one Certification Authority (CA) to another.
With SSL, a private and public key system encrypts the connection between two parties, such as a consumer and a Web site bearing an SSL Certificate. When the consumer’s browser points to a Web site secured with SSL, a secure handshake between the two systems authenticates both parties. Each session uses a unique session key for encryption (the longer the key, the stronger the encryption). Once this connection is established the two parties can begin a secure session guaranteeing the privacy and integrity of their communications. This security is particularly important when people are sharing sensitive, confidential information over the Internet, an extranet, or even within an intranet. In the case of e-commerce, a secure SSL connection is critical to doing business, as most Internet users are afraid to share information with a Web site that doesn’t offer SSL protection.
A small purchase here, a smaller purchase there, and a reluctance to change age-old buying habits or reveal personally identifying information characterizes an enormous segment of the world’s viable online consumer population. The question remains: Will potential customers feel secure enough in their Internet dealings with your Web site to take a meaningful plunge into the world of transacting online?
+ Server Gated Cryptography: Enabling Strong Encryption for the Most Site Visitors
If your reputation in the online community depends upon the stringent safeguarding of information processed through your Web site, then your Internet security solution should include the strongest encryption available to each Web site visitor. Encryption, as mentioned above, is the process whereby data is transformed into a code that will be indecipherable to an unauthorized viewer. The stronger the encryption, the more difficult it is for someone to eavesdrop on your online communications. This is especially important if you accept any kind of online payments, connect to a bank or brokerage account, transmit health records, must meet a governmental or other regulatory organization’s privacy and security standards, or process any kind of potentially sensitive information.
Industry experts recommend a minimum of 128-bit encryption be used for all secure online sessions. Some Web server-client browser configurations enable sessions with up to 256-bit encryption protection, the strongest level of encryption commercially available today. The strength of encryption enabled for any session depends on what your customer’s browser and operating system support, as well as what your host server systems will support. If your consumer’s browser or operating system doesn’t support higher levels of encryption, the session will default down to the highest level that it can support.
