Security and SSL Certificates

Many people understand that the little padlock icon in the status bar of their web browser means that they are using a secure website. But exactly what does 'secure' mean? In this article I'm going to cover some aspects of internet security that apply to both end users (customers of ecommerce websites) and also to online traders.

The scale of the problem

When any computer connected to the Internet talks to another computer, the data sent between them is very often not encrypted. Connections like these are said to be in the clear. Hackers are always inventing new ways to snoop into the conversations between computers connected to the internet, and if they were to gain access to an unencrypted connection, then it's easy for them to gain access to any sensitive data being exchanged.

It might surprise anyone who isn't technically minded to know that the following connections are generally unencrypted:

• Any website with a URL beginning with http:// - you will no doubt have connected to such websites many times, and all data sent back and forth is in the clear.
• FTP server connections to URLs beginning ftp:// are unencrypted. It is also interesting to note that most web developers - even those building secure websites for their clients - usually connect to the web server in order to upload their clients' websites using an unencrypted ftp session - which makes a complete mockery of securing your website with an SSL certificate, but that's another story.
• SMTP, POP3 and IMAP mail connections. You are almost certainly connecting to SMTP, POP3 and/or IMAP servers to collect and send your email without any encryption. With email, the problem goes further in that the email message itself, once it arrives safely on our mail server (or the mail server of any other ISP for that matter) is then sent to the destination server using unencrypted connections. The only way to fully protect your email is to actually encrypt the message itself. Various systems exist to allow you to do this, but it has never been made easy enough for the general population to use, and so email remains a totally insecure system.

The above types of connection probably account for more than 99% of all the traffic on the internet. Amazing, and yet nobody seems particularly worried, despite the huge security risks involved in sending passwords and other sensitive information by email!

All of the above services can be secured using something known as an SSL certificate. In fact, Ziphost offer POP3, SMTP, IMAP, Webmail and control panel access all via SSL secured connections. Please see our Basic Setting page for details of how to secure your mail connections. We also allow FTP connections to be made using SFTP - ensuring complete privacy.

What is an SSL certificate and how does it work

An SSL certificate is simply a small text file that is installed on our server to represent your website. It contains two important pieces of information, combined into an encrypted format:

• A public key - a cipher used to encrypt connections between the website and its users
• An electronic signature from a trusted third party (Comodo, Geotrust, Verisign etc) - this offers external validation that your website is indeed owned by you, and not someone else pretending to be you.

Encryption

The encryption of the conversation between the end-user's computer and the website is achieved using something called SSL (Secure Sockets Layer) or TLS (Transport Layer Security). This acts as a wrapper, which effectively encapsulates the insecure http session inside a secure one. When a web browser connects to a secure website with a https:// URL, the first thing the web browser does is download a special encryption key from the webserver that will form the basis for the secure connection. Suffice to say, it involves a lot of very complex mathematics, and the only people able to crack this encryption work for government agencies.

Is it necessary to encrypt every part of your website? No. Some people can be paranoid about even entering their name and address on an unencrypted web form. They probably never stop to think how many times they have probably sent this information by (insecure) email to friends and family. It is only really necessary to protect sensitive data - i.e. data you wouldn't send through the royal mail (credit card or other financial data, sensitive medical data etc).

External Validation

This is perhaps THE MOST IMPORTANT and most often overlooked reason for installing a SSL certificate on your web server. The organisations that sell SSL certificates are trusted globally to validate the identity of the organisations to whom they sell SSL certificates. The idea being that only the owner of the website being secured can purchase a SSL certificate for that website. This is because the organisations who issue the certificates check the ownership of the website, so that only the genuine business owner is able to obtain the SSL certificate for the websites they own.

SSL is no guarantee of security!

Just because a website has a https:// URL, and the little padlock symbol - don't sart feeling all warm and fuzzy just yet! Ask yourself the following questions:

• Do I trust this company? A secure website is no indication whatsoever that the company running it is actually trustworthy. How do you know that they don't print out your details in the office, and leave bits of paper lying around with credit card details on? It's not unheard of!
• Is my connection to the Internet secure? It is well known that even the latest EV SSL (Extended Validation) certificate protected sites (you can tell these, as your address bar turns green in Internet Explorer) are not invulnerable to Man-In-The-Middle (MITM) attacks. These are usually achieved in publicly accessible wireless hotspots, like cyber cafes, hotels, and other such areas. Always make sure you do ecommerce business on a connection that is less likely to be shared by hackers.
• Many SSL certificates are only Domain Validated. This means that only the domain owner is checked - and that might not be the owner of the business being represented on the domain's website. For example, it would technically be possible to buy a domain like hsbc-loans.com and create a secure website https://www.hsbc-loans.com and make it look like the well known bank's website. People might visit, thinking they are on the real HSBC website - after all, there would be a padlock symbol! Highly criminal, but this is the sort of thing hackers try to acheieve all of the time - ALWAYS check the URL of the website you connect to carefully to make sure the domain name is correct.