If you do any kind of eCommerce or collect personal information of any kind – even the most basic, such as names and email addresses – then securing data is important to you, and even more important to your website users. Data traveling across the Internet passes through a number of servers, and keeping information safe on that journey is one of the great challenges of internet-based business and interaction.
Security Solution – SSL Encryption!
SSL stands for Secure Sockets Layer. It is an industry standard for security that encrypts personal data at one end using a public encryption key; only the intended destination server, which validates the public key against the corresponding private key on the originating server, can decode the information once it arrives. To keep this delivery safe, SSL requires a number of steps and the input of additional services.
When a user, referred to as the “relying party” in the PKI, visits a site protected by SSL, he or she will see that the protocol declaration in the address bar reads HTTPS. HTTPS, SSL, and TLS all refer to the same combination: the security layer that applies encryption to HTTP traffic, producing HTTPS. In addition, the browser itself may show an indication: Chrome shows a green lock and Firefox shows a gray lock before the URL. Clicking on these locks provides more information about the certificate.
Once you have applied the certificate to your site, the relying party’s browser must verify the certificate. This is called the “SSL Handshake”. The key is exchanged, meaning that the relying party provides the Public Key and your server matches it to the Private Key. If they match, the secure connection is established and encrypted data can be transferred.
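One of the checks the relying party’s browser performs during that verification is whether the name in the certificate actually covers the host it connected to. The following is an added example, not code from the original article: it implements the hostname-matching rules browsers apply to the certificate’s subjectAltName entries (exact match, case-insensitive, and a wildcard only as the whole leftmost label covering exactly one label). The certificate record is constructed to mimic the dict shape Python’s `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` and the `example.test` names are assumptions for illustration.

```python
"""Hostname verification against a certificate (added example).

SAMPLE_CERT is a constructed record in the same shape that Python's
ssl.SSLSocket.getpeercert() returns; it is not a real certificate.
"""

# Constructed certificate record (assumption, not a real site's certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "*.shop.example.test"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname the way browsers do.

    Rules: case-insensitive; at most one wildcard, and only as the entire
    leftmost label; the wildcard covers exactly one label, so
    '*.shop.example.test' matches 'api.shop.example.test' but neither
    'shop.example.test' nor 'a.b.shop.example.test'; very short patterns
    such as '*.com' are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the whole leftmost label, and the only one
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style patterns
    if len(h_labels) != len(p_labels):
        return False  # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any subjectAltName dNSName covers the host.

    The subject commonName is consulted only as a legacy fallback when the
    certificate carries no subjectAltName at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


if __name__ == "__main__":
    for host in ("www.example.test", "api.shop.example.test", "shop.example.test", "example.test"):
        print(f"{host:28} -> {certificate_matches_hostname(SAMPLE_CERT, host)}")
```

A mismatch here is exactly what produces the browser’s “certificate cannot be verified” alert described later in the article, even when the certificate itself is valid and issued by a trusted CA.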
SSL Certificate Authorities (CA):
These steps and services are referred to, collectively, as the Public Key Infrastructure (PKI). The PKI consists of the issuing authority, also called the certifying authority (CA), the registering authority (RA), the certificate database, and the certificate store.
You must choose a signed certificate from a trusted Certificate Authority; Comodo, Symantec, GlobalSign and others are reputed CAs. To get a certificate, you must verify your identity with the provider, and when it is issued, you must install it in a certificate store on your trusted server. Certificates are not free, and the stringent verification requirements make it difficult for a third party to obtain a counterfeit certificate. The CA must clear your application with a registering authority (RA). The RA can be the certifying authority itself, or a separate body in a position to verify that the person requesting certification is trustworthy. Some organizations issue their own domain-level certificates (self-signed certificates) for internal use on their own devices and servers.
Audits and Records:
The high level of security depends on the trustworthiness of the issuing Certificate Authority and the integrity of the server. When the SSL certificate is issued to you, other certificates are issued as well, namely a root and an intermediate certificate. These provide an additional layer of trust that the browser uses to verify that the certificate and its provider are compliant.
Because certificates have been fraudulently issued to impostors and hackers, it is incumbent on CAs to keep an inventory of issued certificates, called the certificate database. It tracks certificates requested, issued, and revoked. It is also important that the CA has a communication plan in place to inform certificate holders of any breach or compromise of security.
A requesting organization can do a number of things to mitigate the threat of a certificate breach by auditing their own systems, monitoring which ones require their own certificates and/or Public Key certificates, and tracking the security information for each system, including access control lists, trust anchors, and expiration dates of certificates.
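The auditing described above is easiest to keep up when the inventory is checked mechanically. Below is an added example, not the article’s own tooling: it runs a small audit over an inventory of certificate records and flags the conditions an operator tracks (expired, expiring within a warning window, self-signed, or issued by a CA outside the organization’s configured trust anchors). The `INVENTORY` records, the `TRUST_ANCHORS` set and the system names are constructed assumptions.

```python
"""Certificate inventory audit (added example; constructed records).

Each record describes one system's certificate the way a simple
inventory database might store it. Nothing here is a real system.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory (assumption): system name, certificate subject,
# issuer name and expiry in UTC ISO-8601.
INVENTORY = [
    {"system": "web-01", "subject": "www.example.test",
     "issuer": "Example Public CA", "not_after": "2025-12-31T23:59:59Z"},
    {"system": "db-01", "subject": "db.internal.test",
     "issuer": "db.internal.test", "not_after": "2030-01-01T00:00:00Z"},
    {"system": "mail-01", "subject": "mail.example.test",
     "issuer": "Example Public CA", "not_after": "2025-07-15T00:00:00Z"},
    {"system": "legacy-01", "subject": "old.example.test",
     "issuer": "Unknown Reseller CA", "not_after": "2024-01-01T00:00:00Z"},
]

# Constructed trust anchors (assumption): issuers this organization accepts.
TRUST_ANCHORS = {"Example Public CA", "Example Internal Root"}


def parse_utc(ts: str) -> datetime:
    """Parse '2025-07-15T00:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_certificate(record: dict, now: datetime, warn_days: int = 30,
                      trust_anchors: set = TRUST_ANCHORS) -> list:
    """Return the list of findings for one record (empty list means clean)."""
    findings = []
    not_after = parse_utc(record["not_after"])
    if not_after <= now:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(not_after - now).days} days")
    # A certificate whose issuer equals its subject is self-signed; otherwise
    # the issuer must be one of the organization's trust anchors.
    if record["issuer"] == record["subject"]:
        findings.append("self-signed")
    elif record["issuer"] not in trust_anchors:
        findings.append("issuer not in trust anchors")
    return findings


def audit_inventory(inventory: list, now_iso: str, warn_days: int = 30) -> dict:
    """Audit every record as of now_iso; map system name -> findings."""
    now = parse_utc(now_iso)
    return {r["system"]: audit_certificate(r, now, warn_days) for r in inventory}


if __name__ == "__main__":
    for system, findings in audit_inventory(INVENTORY, "2025-07-01T00:00:00Z").items():
        print(f"{system:10} {', '.join(findings) or 'ok'}")
```

Run against the constructed inventory as of 2025-07-01, `web-01` is clean, `db-01` is flagged as self-signed, `mail-01` is inside the 30-day warning window, and `legacy-01` is both expired and issued by an untrusted CA.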
Additional security can be added with HSTS (HTTP Strict Transport Security). HSTS is a standard in which an additional header is added to responses. This header is ignored if the protocol is HTTP, but if HTTPS is called, the server reads the header before allowing access to the relying party. If the security of the connection is not verifiable, the connection will not be made. HSTS demands an HTTPS connection, so adding HSTS also averts stripping attacks that downgrade HTTPS to HTTP.
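To make the HSTS behaviour concrete, here is an added example (not from the article) of a minimal client-side HSTS store: it parses `Strict-Transport-Security` headers, ignores any copy that arrived over plain HTTP, remembers the policy for `max-age` seconds (honouring `includeSubDomains` and `max-age=0` removal), and answers whether a later plain-HTTP request to a host must be upgraded to HTTPS. Timestamps are plain epoch seconds; the hostnames are constructed.

```python
"""Minimal HSTS policy store (added example, not from the original page)."""


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid (no max-age, or a non-numeric max-age). Unknown directives
    such as 'preload' are ignored.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Remembers HSTS policies per host, keyed by lower-cased hostname."""

    def __init__(self):
        self.policies = {}  # host -> (expiry_epoch_seconds, include_subdomains)

    def record(self, host: str, scheme: str, header: str, now: float) -> bool:
        """Store the policy carried by a response; True if it was accepted."""
        if scheme != "https":
            return False  # a header seen over plain HTTP carries no authority
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the client to forget
            return True
        self.policies[host] = (now + max_age, include_subdomains)
        return True

    def must_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        host = host.lower()
        labels = host.split(".")
        # Walk from the full host up to each parent domain so that a policy
        # with includeSubDomains on 'example.test' covers 'api.example.test'.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= now:
                continue  # policy has lapsed
            if candidate == host or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.record("example.test", "https", "max-age=31536000; includeSubDomains; preload", now=0)
    print(store.must_upgrade("api.example.test", now=10))   # True
    print(store.must_upgrade("example.test", now=31536001))  # False, lapsed
```

The check on `scheme` is the part that matters against stripping attacks: an attacker who can downgrade a session to HTTP cannot plant or erase a policy, because only headers received over a verified HTTPS connection are ever recorded.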
Different Types of Validation:
There are different types of certificates that provide different levels of security.
- Domain validated SSL certificates are generated in a few minutes as the CA only confirms the ownership of the domain.
- An organization validated SSL certificate can take from a few hours to several days, as the CA needs to verify the relationship between the applicant and the domain as well as the existence of the business.
- The EV (Extended Validation) SSL Certificate is extremely secure, requiring several types of authentication before the CA will issue it. You must verify that your organization is legally registered and active. You must provide a valid address and phone number. You must prove that your organization has exclusive rights to the domain in question and that the person ordering the certificate is authorized to do so.
Finally, the CA will verify that your organization is not on any government blacklists. A browser loading a page certified with an EV SSL Certificate will show additional visual cues, like turning the text in the address bar green (Firefox) or adding a green block in the address bar (Chrome). EV certificates can take up to a couple of weeks.
The different certificates have different costs, and providers can charge as little as US $10 or as much as US $1,200 for a one-year certificate. The time required to get a certificate varies as well, depending on the level of verification required.
Benefits of SSL Certificates:
- An SSL certificate encrypts information in transit, preventing third-party interception and keeping your data from prying eyes.
- There is an SEO benefit in using SSL. Google has announced that they are going to consider the presence of SSL as a ranking signal.
- If you are accepting payments online, you need an SSL certificate to meet the standards defined by the Payment Card Industry for online transactions.
- The CA will authenticate your business through the extended validation process and enable the green address bar in most browsers, so users can easily identify phishing sites.
- In addition to 256-bit encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server with strong encryption.
How to enable SSL on a server?
If you have installed SSL, the process for enabling it looks something like this:
- When you set up your server, or prior to applying for your certificate, you must make sure your WHOIS record is up to date and correct. This server will be your trusted server. (WHOIS is a server protocol that allows a query to identify a domain’s ownership and access.)
- The SSL application will prompt you for information about your website and your company and then it will create a Public Key and a Private Key.
- Next, you generate a Certificate Signing Request (CSR) on your server, which will include the verifying information such as the name and location of your company and the website domain, in addition to the Public Key. You then submit the CSR to the certificate issuing authority. The CA will use the CSR and a WHOIS query to validate your company and domain.
- Upon validation, the certificate will be issued. When you receive your SSL certificate, you will install it on your trusted server in a certificate store.
If the certificate is not valid, has expired, or is suspect in any other way, the relying party will see alerts from the browser saying that the certificate cannot be verified. This indicates an unverified certificate or the use of a self-signed certificate.
Many sites, of course, serve up unencrypted content as well as encrypted content. If any of your data is still being delivered via HTTP rather than HTTPS, the user will get a warning (mixed content error), which can be needlessly alarming. Best practice when implementing SSL is to ensure that all your data is delivered via HTTPS, whether or not it is confidential.
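Finding those stray HTTP references before users see the warning is routine work when migrating a site. The following is an added example, not the article’s own code: a scanner that walks an HTML page served over HTTPS and reports sub-resources that would load over plain HTTP, distinguishing active mixed content (scripts, stylesheets, frames, which browsers block) from passive mixed content (images, audio, video, which typically only produce a warning). Protocol-relative `//host/path` URLs and relative paths inherit HTTPS and are not flagged; plain links (`<a href>`) are navigation, not sub-resources, and are ignored. The `SAMPLE_HTML` document and its hostnames are constructed.

```python
"""Mixed-content scanner for HTML served over HTTPS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (element, attribute, severity): which tags fetch sub-resources and how
# browsers classify them when the URL is plain HTTP.
CHECKS = [
    ("script", "src", "active"),
    ("link", "href", "active"),      # only when rel contains 'stylesheet'
    ("iframe", "src", "active"),
    ("object", "data", "active"),
    ("embed", "src", "active"),
    ("img", "src", "passive"),
    ("audio", "src", "passive"),
    ("video", "src", "passive"),
    ("source", "src", "passive"),
]


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every HTTP sub-resource."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for elem, attr, severity in CHECKS:
            if tag != elem or attr not in attrs:
                continue
            if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
                continue  # other <link> kinds are not fetched as page sub-resources here
            # Resolve relative and protocol-relative URLs against the page URL,
            # so only explicit http:// references are reported.
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def scan_html(html: str, page_url: str) -> list:
    """Return mixed-content findings for an HTML document at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (assumption): a checkout page with a mix of
# absolute-HTTP, protocol-relative and relative references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://tracker.example.test/t.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/static/hero.png">
<a href="http://partner.example.test/">partner link</a>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in scan_html(SAMPLE_HTML, "https://www.example.test/cart"):
        print(f"{severity:8} <{tag}> {url}")
```

On the constructed page the scanner reports three findings: the stylesheet and the tracker script as active mixed content, and the logo image as passive; the protocol-relative script, the relative image and the partner link are all clean.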
There are a few things to be aware of when implementing SSL, but in the larger picture, SSL is the future of data security on the Internet, offering many benefits and options to keep your data and transactions secure. Google has elevated SSL so that its presence even affects the ranking of search results, and given Google’s size and influence, SSL is and will continue to be the industry standard.