by Mark | Jan 5, 2017 | Content Management Systems
We have previously mentioned this infographic in some of our social media feeds (Twitter and Facebook). We thought it might be helpful to provide this on our blog as well (with the author’s permission). In our opinion, it offers a good perspective on the three major content management systems. Clicking on the infographic will open a new browser window/tab with the full article.
Presented by Skilled.co (they have further information supporting this infographic on their site)
by Mark | Dec 20, 2016 | Web Security
As we all know, SSL certificates help protect the information transmitted between the web server and the client. Given the increasing cyber security attacks (and associated media coverage), data breaches and theft of payment processing data, we thought it appropriate to remind readers of the importance of SSL certificates.
Vivek Ram is a Technical Blog Writer from Comodo. He writes about information security, focusing on web application security. He provided the following information we wanted to share with readers of our blog. Many thanks to Vivek for providing this article.
“As a small business owner or even the owner of a larger company or ecommerce site, cyber security news about a data breach in payment processing on a website may be just one of the things that keep you up at night.
The good news is that cyber security consultants and professionals can develop plans, run a network security audit and even develop a network security policy that is designed to keep this type of data safe from hackers and breaches.
However, there are also some very simple security measures that can be put in place to provide encryption security between the server and the browser. This is known as SSL or Secure Sockets Layer and it has been the technology in place to protect data transmitted online since its introduction in 1994.
Today, the use of the new version of SSL, Transport Layer Security or TLS, is based on the early SSL technology. Even though TLS is the correct name, most of the Certificate Authorities and IT professionals still refer to it as SSL.
To protect your website and the information transmitted between the web server and the client, SSL certificates provide authentication and encryption. To understand how this provides both customer and user protection as well as protects the site itself, consider the following essential features, factors and functions.”
The Trust Factor
“When existing customers or new prospective customers arrive at your website, the first thing they will look at is the quality of the landing page. However, once they start adding items to their cart and going through the checkout process, most customers will have taken a glance up at the address bar or to the sides of the page.
What they are looking for is the universal sign of online security. This is the padlock in the address bar that indicates they are on a site using SSL technology. Now, there is also the full green address bar which signifies the use of an EV SSL or Extended Validation certificate. This is the highest level of validation possible through any CA and for any type of website. Most customers aren’t certain about how the technology works, but they do recognize the need to have that padlock and perhaps the green bar present.
Glancing to the side or the bottom of the page will confirm the use of a specific Certificate Authority (CA). All of the major CAs will have their own site seal. This is a graphic that is used to designate the security of the website and the use of a particular product by a particular CA.
With these things in place, your website will have a decrease in the amount of abandoned shopping carts, something that is common if the customer gets through the selection process and then realizes on the checkout page that the padlock or green bar isn’t present.
However, and even more importantly, it makes your website safe for your customers to use. This preserves the reputation of your website and your company.”
Full Encryption at 256 Bits
“The use of SSL/TLS certificates also provides full encryption at the industry standard 256 bits. This encryption and decryption are done through the use of a pair of keys. These two keys use Public Key Infrastructure or PKI to provide internet security protection for online data.
The public key is used to encrypt data between the browser and the server. The public key is available to all because it is public. However, it is only recognized by one unique private key.
The private key is located on the server that hosts the website. When data comes in encrypted by the public key, it is unreadable unless it is decrypted by the private key. This protects all data transmitted from the website including financial information, personal information or even general information.
The public and private key are actually a long string of what looks like random numbers. They are able to recognize each other through a complicated mathematical relationship that is never duplicated and is completely unique.
The 256 bit encryption is virtually impossible to hack or break, even with brute force types of hacking attempts. The level of encryption offered by SSL certificate technology has changed over time and will continue to evolve as computer systems advance.”
Validation and Verification Process
“To further provide complete protection to your website against spoof websites or fraudulent websites trying to look like your site, the CAs have to follow a rigid and very complex process to verify and validate the application for any type of SSL certificate.
This is based on the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria and outlines what verifications must be completed for the various SSL certificates at the different validation levels.
As hackers or spoofing sites have to provide the necessary information and this has to match with records on file with a wide variety of databases and trusted sources, it makes it impossible for these criminals to be able to obtain an SSL certificate for those fraudulent sites. This not only protects your website but with the SSL certificate in place, it will also protect your customers.”
by Mark | Dec 8, 2016 | Usability, Web Accessibility
I had the opportunity to speak with Glenda Sims (Deque) about all the activities happening with WCAG (Web Content Accessibility Guidelines) these days. In this 5-minute overview, she discusses those aspects important to web professionals everywhere. The full 22-minute discussion is available to our members (once you log in, scroll down to find the link).
In a nutshell, there is a great need for those who have a solid background in making sites accessible. The demand far exceeds the available work force.
During our discussion, Glenda mentioned these resources. Interested parties may wish to check them further.
Best always,
Mark DuBois
Community Evangelist and Executive Director
by Mark | Nov 1, 2016 | Content Management Systems, JavaScript, Semantic Web, State of the Web, Web Accessibility
As you know, we are big proponents of accessibility. We believe that content should be available to anyone at any time on any device. As 2016 draws to a close, it has become apparent that many web pages rely heavily on JavaScript (and associated frameworks). It would appear the pendulum has swung away from semantic markup towards dynamic/generated content.
Concerns
One nagging question keeps coming to my mind – are we preventing access for some (because of reliance on these frameworks)? Although anecdotal, I ran various websites I use on a daily basis through the Functional Accessibility Evaluator (and similar tools). Some received scores as low as 29 (out of 100) resulting in automated comments such as “accessibility was not considered in the design of the website.”
Taking this one step further, I turned off JavaScript in my browser (Chrome in this case). Some of the sites I use on a daily basis (for example my school email) were rendered useless (I did receive a message that JavaScript needed to be activated and if I had problems, I could always use Internet Explorer). Similarly, the learning management system used predominantly at my school was not functional without JavaScript. As I understand, not all assistive technologies fully embrace JavaScript. This would seem to be a problem.
Let’s discuss further
I am not trying to point a finger at specific sites; I seek a broader understanding of the current state of web development. This begs the question – what has happened to graceful degradation? Are we relying too much on JavaScript? As we support web professionals (and aspiring web professionals), we seek to begin a discussion on this topic. Are we making the WWW less inclusive as we rely more on frameworks and content management systems? Have we overlooked something important? We look forward to your comments and insights.
Best always,
Mark DuBois
Community Evangelist and Executive Director