What is SSL?
Since its introduction in 1994, SSL has been the de facto standard
for e-commerce transaction security, and it's likely to remain so well
into the future.
SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and, in the case of Mozilla Firefox, in the address bar as well).
Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site builders to do their part.
SSL Certificates
At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt the data and to identify the Web site. The SSL certificate helps to prove the site belongs to whom it says it belongs to, and contains information about the certificate holder, the domain the certificate was issued to, the name of the Certificate Authority (CA) that issued the certificate, the root, and the country it was issued in.
SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been broken. As such, you definitely should be looking at getting a 128-bit certificate. Though there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (Server Gated Cryptography) capabilities.
How to Get an SSL Certificate ... The Wrong Way
There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can sign your own SSL certificate and save the time and expense of going through a certificate vendor. Technically speaking, the data may still be encrypted, but there is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place. Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments, not drivers, issue licenses; making sure the Web's "roads" are safe is the role of the certificate authorities, which verify that a site is legitimate before issuing it a certificate.
Self-signed certificates will trigger a warning window in most browser configurations indicating that the certificate was not recognized. VeriSign admits that a lot of people will click through anyway, just as a lot of people will click through an expired SSL certificate as well.
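The contrast this section draws, together with the certificate fields listed under "SSL Certificates" above, in an added Go example (not code from the article or from any vendor it names): a constructed root CA stands in for a browser's built-in root store, one certificate for shop.example is issued by that CA and another is self-signed, and each is verified the way a browser does on connect, including a host-name mismatch. All names, the Ed25519 key type and the validity period are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn (dns = its host names); parent == nil makes it self-signed. Demo code: panics on error.
func makeCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // holder, domain and country: the fields the article says a certificate carries (values constructed)
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}, Country: []string{"US"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // "issuing yourself a driver's license": the certificate signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert, key
}

// Scenario does what a browser does on connect: chain the site certificate to a trusted root and check the host name. nil = no warning.
func Scenario() (caSigned, selfSigned, wrongHost error) {
	ca, caKey := makeCert("Example Root CA", nil, true, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's built-in root store
	roots.AddCert(ca)
	good, _ := makeCert("shop.example", []string{"shop.example"}, false, ca, caKey)
	self, _ := makeCert("shop.example", []string{"shop.example"}, false, nil, nil)
	verify := func(c *x509.Certificate, host string) error {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err
	}
	return verify(good, "shop.example"), verify(self, "shop.example"), verify(good, "evil.example")
}

func main() { fmt.Println(Scenario()) } // <nil> x509: certificate signed by unknown authority x509: certificate is valid for shop.example, not evil.example
```

The self-signed certificate encrypts just as well as the CA-signed one, but the only way to make it verify is to add it to the trust store by hand, which is exactly what clicking through the browser warning amounts to.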
A site that conveys trust is also more likely to be a site that makes (more) money. There is research suggesting that having a recognizable SSL certificate may, in fact, correlate directly with increased e-commerce sales. VeriSign, in particular, has done research showing that users who visit sites with a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites, abandon fewer shopping carts, and make more repeat purchases.
Choosing an SSL Certificate Vendor
According to GeoTrust's Lockhart, there are several things buyers should look for when purchasing a certificate:
- Reputation and credibility of the CA (How long have they been in business? Do they have lots of customers?)
- Ubiquity of the root (is it embedded in all of the popular browsers?)
- Root is owned by the CA (and not chained to someone else's root)
- Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)
- Ease of acquiring the certificate
- Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)
Conclusion
You are who you say you are. You have nothing to hide, and you are running a legitimate e-commerce business that you want consumers to trust and feel comfortable doing business with. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.
Did You Know... Ninety-three percent of online shoppers surveyed by VeriSign reported that they felt it important for an e-commerce site to include a trust mark of some kind.
Adapted from ECommerce-Guide.com. Sean Michael Kerner is a regular contributor to ECommerce-Guide.com.
Key Terms To Understanding SSL
SSL: Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.
digital certificate: An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security.
DRM: Short for digital rights management, a system for protecting the copyrights of data circulated via the Internet or other digital media by enabling secure distribution and/or disabling illegal distribution of the data.