Website security
When we transmit information across the internet it travels as plain text unless we take steps to protect it, and with the right tools anyone on the path between us and the site can read it. Entering a username and password on a website could therefore result in these (and any information returned by the site itself) being intercepted. To transmit the data securely we use a process called encryption: the data is encoded on our machine, transmitted, and decoded at the server. The server (for example, at Amazon) processes the request, encodes its reply and transmits it back to our machine, which decodes it.
Always a but
However, encryption needs a password or key, and agreeing one raises problems of its own, as so much on the internet does. Our machine cannot know ahead of time which sites we will visit, so it cannot hold a secret for each of them in advance, and sending a secret across the same untrusted network would defeat the purpose. The answer is a pair of mathematically related keys: a private key kept secret by the server, and a public key handed to any machine that asks for it. Anything encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be checked with the public one, so our machine and the server can agree a session key for encrypting and decrypting the transmitted data without that key ever crossing the internet in the clear.
SSL
The Secure Socket Layer (SSL) certificate is the wrapper that carries the server's public key (the protocol has since been renamed TLS, but the name SSL has stuck). Generating one starts with the private key, which stays on the server; the matching public key is derived from it and placed, together with the site's domain name, in a certificate request. Keys and certificates are easy to produce, so anyone could make one claiming to be any site they liked. How, then, do we determine that the party we are exchanging data with is who they say they are? Hence the certificate authority.
Certificate authorities are the companies deemed trustworthy by your application: if this company says a site is who it says it is, the application takes its word for it. The application could be your web browser, your email client, or the operating system itself; each ships with its own list of trusted authorities. It is possible to skip this process (a self-signed certificate, which the browser will warn about), but using a certificate authority introduces another step in the certificate generation process.
After the private key is generated, a signing request containing the public key and the domain name is sent to the certificate authority. Once the authority has checked the request (to one of the levels described below) it signs it with its own private key and sends back the public certificate. That certificate binds your public key to your domain name under the authority's signature, allowing a visitor's application to verify, to the degree the authority checked, that you are who you are supposed to be.
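The issuance and checking steps above, as an added example in Go that is not code from the original article: a throwaway root stands in for a certificate authority that the browser already trusts, the site generates a private key and a signing request for shop.example.com, the authority signs it, and trusted() plays the browser, accepting the certificate only when the signature chains to the authority it trusts and the name in the certificate matches the host being visited. The authority names and host names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes the private/public key pair. The private half never leaves the
// machine that generated it; only the public half goes into the request.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA builds a self-signed root standing in for a certificate authority that
// the visitor's browser has been configured to trust (hypothetical name).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// csrFor is the site operator's step: a request carrying the public key and the
// domain name, self-signed with the private key to prove possession of it.
func csrFor(key *ecdsa.PrivateKey, host string) *x509.CertificateRequest {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}, key)
	if err != nil {
		panic(err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		panic(err)
	}
	if err := csr.CheckSignature(); err != nil {
		panic(err) // a request not signed by the key it carries is rejected here
	}
	return csr
}

// issue is the authority's step, taken only after it has validated the domain:
// sign the requester's public key and name with the authority's private key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trusted plays the browser: with only root in its trust store, would it accept
// cert for a connection to host? Both the chain and the name must check out.
func trusted(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := newCA("Example Root CA")
	siteKey := newKey()
	cert := issue(ca, caKey, csrFor(siteKey, "shop.example.com"))
	fmt.Println("right host:", trusted(ca, cert, "shop.example.com"))  // true
	fmt.Println("wrong host:", trusted(ca, cert, "other.example.com")) // false

	// An authority the browser does not trust can sign anything it likes for
	// the same name; the browser still refuses it.
	rogue, rogueKey := newCA("Rogue CA")
	forged := issue(rogue, rogueKey, csrFor(siteKey, "shop.example.com"))
	fmt.Println("untrusted issuer:", trusted(ca, forged, "shop.example.com")) // false
}
```

The three checks in main are the ones every browser makes before showing the padlock: the signature chains to a trusted authority, the name in the certificate matches the address typed in, and the certificate is within its validity period. The validation level (DV, OV or EV) governs only how hard the authority looked before signing; the chain and name checks are identical for all three.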
Levels of certificate
There are three, each giving incrementally more confidence that the website is run by the party it claims to be.
Domain Validation (DV)
When you register a domain (for example, icestarmedia.com) you supply an email address. For a DV certificate the authority emails that address (or a standard administrative address at the domain) and a response to the email is sufficient. Other DV methods work the same way, by having you place a file or DNS record the authority specifies: all of them prove control of the domain and nothing more.
Organisation Validation (OV)
For OV the authority also checks the organisation behind the domain. The physical address held within the domain's details must match the company address registered at Companies House; other countries have similar requirements against their own company registers.
Extended Validation (EV)
EV adds a further mix of evidence (a certified accountant's letter, telephone number, company utility bill, etc) and a stricter, audited vetting procedure on the authority's side.
SSL Certificates and the Web
When we download a web page we are usually downloading many files: one central control file (the web page itself) and one or more media and script files. These additional files could be on different servers, and each one can be fetched over an encrypted or an unencrypted connection. A secure page that pulls in unencrypted elements is known as mixed content, and the browser warns about it when we are visiting a site securely. The warning is usually: Some elements on this page are transmitted insecurely, do you wish to display them?
The problem is that anyone on the network path can alter an unencrypted file while it is in transit. A script loaded insecurely runs with full access to the page, so a tampered copy can read everything being sent into and out of our web browser, and the padlock on the main page offers no protection against it. Images and other media are less dangerous but still reveal what is being viewed and can be swapped for something else. A site is not really secure unless all elements on it are secured.
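A check for the unsecured elements just described, as an added example in Go rather than code from the original article: it scans a page's HTML for script, stylesheet, frame, plugin and media elements fetched over plain http:// and separates those that can run inside the secure page from those that only leak or swap what is displayed. The sample page and its host names are constructed for the example, and the regular expression is a deliberate simplification rather than a full HTML parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one subresource that an HTTPS page fetches over plain HTTP.
type Finding struct {
	Tag    string // element that requests the resource
	URL    string // the insecure address
	Active bool   // can the resource run in the page (script, stylesheet, frame, plugin)?
}

// Active mixed content is the dangerous kind: whoever can alter the plain-HTTP
// response gets to run code, or apply styles, inside the secure page and read
// what the user types. Passive kinds (images, audio, video) can be replaced or
// observed but cannot execute. <link> is treated as a stylesheet here.
var activeTags = map[string]bool{
	"script": true, "link": true, "iframe": true, "object": true, "embed": true,
}

// Matches the tag name and the first src/href/data attribute of each element
// that loads a subresource. Confined to one tag because [^>] cannot cross '>'.
var subresourceRe = regexp.MustCompile(
	`(?i)<(script|link|iframe|object|embed|img|audio|video|source)\b[^>]*?\s(?:src|href|data)\s*=\s*["']([^"']*)["']`)

// findMixedContent returns, in document order, every subresource the page
// would fetch over plain http://. Addresses that are https://, scheme-relative
// (//host/...) or relative to the page inherit the page's own protection.
func findMixedContent(html string) []Finding {
	var out []Finding
	for _, m := range subresourceRe.FindAllStringSubmatch(html, -1) {
		tag := strings.ToLower(m[1])
		url := strings.TrimSpace(m[2])
		if !strings.HasPrefix(strings.ToLower(url), "http://") {
			continue
		}
		out = append(out, Finding{Tag: tag, URL: url, Active: activeTags[tag]})
	}
	return out
}

// pageFullySecured is the rule the article states: no insecure elements at all.
func pageFullySecured(html string) bool {
	return len(findMixedContent(html)) == 0
}

// Constructed sample: an HTTPS login page with one insecure script and one
// insecure image among otherwise secure resources.
const samplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script type="text/javascript" src="http://cdn.example.net/analytics.js"></script>
</head><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form>
<img src="http://images.example.net/logo.png" alt="logo">
<img src="//images.example.net/badge.png" alt="badge">
<script src="/static/app.js"></script>
</body></html>`

func main() {
	for _, f := range findMixedContent(samplePage) {
		kind := "passive"
		if f.Active {
			kind = "ACTIVE"
		}
		fmt.Printf("%-7s <%s> %s\n", kind, f.Tag, f.URL)
	}
	fmt.Println("fully secured:", pageFullySecured(samplePage)) // false
}
```

The browser's warning is the last line of defence; the fix is to reference every element over https:// (or with a scheme-relative // address) and, where a content editor or framework keeps inserting http:// links, to send a Content-Security-Policy header containing the upgrade-insecure-requests directive so the browser rewrites them itself. Current browsers block active mixed content outright rather than asking, so the insecure script in the sample would simply not load.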
What’s so special about the EV
certificate?
When everything is properly installed and all the unsecured elements on a page are corrected, an EV certificate triggers the green bar in our web browser, usually as the background of, or a panel to the left or right of, the url bar (where you type the website you wish to visit). It is highly visible. It tells your visitors that all elements on the page are secured and that you have gone through a lengthy process to identify yourself to a certificate authority. (Since this article was written the major browsers have removed the green bar and show the organisation name only in the certificate details, so the visible difference between EV and the other levels has largely gone, although the vetting behind it has not.)
Encryption v assurance
All three certificate types provide the same level of encryption: the validation level changes what the authority checked about you, not the key sizes or ciphers the connection uses. Encryption, however, is just the start. Assurance that your site visitors are actually visiting you, and that you have been vetted as a legitimate and registered company, gives visitors the confidence they need to start entering their confidential data.
For anyone collecting personal or business-critical data on a website, an EV certificate is definitely recommended. It provides the assurance visibly wherever the browser shows it, and because the indicator only appears once every element on the page is served securely, it also gives you a gauge of how well your website developers have put your site together.
SSL certificates (and EV certificates in particular) are a very good start to website data security, though only a start. If you are collecting any sort of personal or confidential data on your website, you should certainly have an EV certificate as a minimum.
(This article also features in the Hertfordshire Chamber of Commerce and Industry’s April-June 2012 Chamber Newsletter).