There is more to having a successful online business presence than just setting up a terrific looking website. In addition to having the products that customers want to buy and a great way to highlight them, the website also has to provide the visitor and potential buyer with a sense of security.
Providing data encryption and security is the role of SSL certificates. The SSL stands for Secure Sockets Layer and it is a universally accepted technology to allow the encryption of data between the web server and the browser, at least when it comes to websites. There are also other specialized types of SSL certificate products that protect emails, code signing and specialized communications between servers.
Protecting your customers and providing this type of cyber security to prevent a data breach from hackers intercepting personal and financial information provided on your website is critical. Not only do consumers look for the SSL/TLS certificate padlock and site seal logos, but they also will be warned by their browser with the unsecured site warning.
Without encryption, data sent between the web server and the client is similar to sending a postcard or an open envelope through the mail. There is no security and no protection and the information is readily available to anyone wanting to read it.
More importantly, it’s also possible to alter or steal that information, a critical concern when making an online purchase. The installation of an SSL certificate on the server that is valid for your website and accepted as trusted by browsers and devices eliminates this risk.
How it Works
There are two different but equally important components to any SSL certificate. This works independent of any anti-virus or firewall network security program but rather works at the website level.
To start the process to apply for an SSL certificate, it will be important to generate a Certificate Signing Request (CSR). This is done on the server associated with the website you wish to protect.
Using command line or through IIS or OpenSSL the CSR is generated from the server itself. You will need to input information in the appropriate areas including the Fully Qualified Domain Name (Common Name) for the site, the geographic location information as well as contact information. This will then be supplied to the CA with the online application for the SSL certificate.
At the same time as the server will also generate another file that contains the private key. This will always stay with you, do not share this file or leave it in an unsecured file or on a device where it can be accessed by unauthorized individuals. The private key is uniquely matched to the public key information that is provided to the CA with the CSR. This is all embedded.
Once you complete the online application from the CA and paste in the CSR into the appropriate area of the application, you will then be prompted to provide payment and other information. Within minutes you will receive the files to install on the server.
By installing the SSL certificate on the server and then binding the website, you set up a secure way to share encrypted information. You can also install the certificate on other servers if needed, just make sure you don’t need to purchase additional licenses.
Once installed, those public and private keys, along with the certificate itself, create the secure path for the data to travel.
When a customer lands on your site and tries to input information, the system recognizes the HPPTS designation or Hypertext Transfer Protocol Secure and goes to the website host (the server) to ask for a secure connection using SSL.
The server then sends back the information from the certificate which is verified with the root certificate (from the CA) embedded in the browser or device. When this matches, the SSL handshake is completed and the server and the client recognize each other as trusted. A set of session keys goes back and forth to share data.
The data the customer enters into the website to make a purchase, upload information or even just make a comment on a blog is then encrypted at 256 bits with the unique public key. This can only be decrypted with the unique private key that was generated and installed on the server at the same time as the SSL certificate.
The information reaching the private key is then decrypted safely. Remember, only the correct pairing of the private and public keys can complete this process, providing a complete level of security.
Sometimes, browsing the internet can result in warnings from the browser that the site is not secure. This can happen if that SSL handshake doesn’t work and there is a mismatch between names of websites, if a certificate has expired or if the certificate is not from a trusted source.
Not all of these warning indicate a site is unsafe or that it is a phishing website or has been hacked. However, these warnings will result in customers avoiding a website or simply moving on to the next company on the search results page. Having the correct protection on your site with a valid SSL/TLS product is always the best practice.
Natasha Miranda is a Technical Content Writer from Comodo, who writes blogs and articles on internet security. Her posts generally aim to create awareness about the virus, Endpoint protection, malware and firewall.