Website Security: Part 2
(This article also features in the Hertfordshire Chamber of Commerce and Industry’s April-June 2012 Chamber Newsletter).
When we transmit information across the internet, we send it in plain format, but with the right tools, it can be intercepted. Entering a username and password onto a website could also result in these (and any information returned from the site itself) being intercepted. To transmit the data securely, we use a process called encryption: encoding at our machine, transmission, and decoding at the server. The server (e.g., at Amazon) processes the data, encodes it and transmits it back to our machine, which decodes it.
Always a but
However, we need a password or key so that the process can work securely. This, as with the very nature of the internet, raises more problems. For example, our machine cannot know, ahead of time, which sites we will visit or which passwords we will need. We need a pair of keys: one kept secret by the server and one provided on request to your machine. The pair of keys is used in encrypting and decrypting to secure the transmitted data.
The Secure Socket Layer (SSL) certificate is our (public) encryption password: generating the certificate produces the private certificate (key) first, followed by the public certificate (key). These certificates are easy to produce, but how do we determine that the person we are exchanging data with is who they say they are? Hence the certificate authority. Certificate authorities are the companies deemed trustworthy by your application: we trust this company, so if it says a site is who it claims to be, we accept that. The application could be your web browser, your email client, or even be built into your operating system. While it is possible to circumvent this process, using a certificate authority introduces another step into the certificate generation process. After the private certificate is generated, a request is sent to the certificate authority; they respond by sending you a public certificate (combining their key and yours), allowing your application to verify, to some degree, that you are who you are supposed to be.
Levels of certificate
There are three, with incremental levels of confidence to ensure that the website is legitimate.
Domain Validation (DV)
When you register a domain (for example, icestarmedia.com) you supply an email address. A DV certificate issuer emails the address attached to the domain; a response to the email is sufficient.
Organisation Validation (OV)
A physical address is held within the domain’s details. This address must match the company address registered at Companies House; other countries have similar requirements.
Extended Validation (EV)
You also need to supply a mix of other information (a certified accountant’s letter, telephone number, company utility bill, etc.).
SSL Certificates and the Web
When we download a web page, we are usually downloading many files consisting of one central control file (the web page) and one or more media and script files. These additional files could be on different servers. They can even be forced to be encrypted or unencrypted, which often triggers a warning if we are visiting a site securely. The warning is usually along the lines of: “Some elements on this page are transmitted insecurely; do you wish to display them?” The problem is that scripts and images can be used to “listen” to data being sent into and out of our web browser. If some of our data is being sent insecurely, it can be listened to: a site is not really secure unless all elements on it are secured.
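To make the “insecure elements” point concrete, here is an added Python example (not part of the original article) that scans a page’s HTML for elements a browser would fetch over plain http:// while the page itself is served over https://; the page URL and the sample HTML are constructed for the demonstration.

```python
"""Added example (not from the article): list the elements of an HTTPS page
that a browser would fetch over plain http://, i.e. the "insecure elements"
the warning describes.  The sample page below is constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that cause the browser to fetch, or submit to, another URL.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "object": ("data",),
    "form": ("action",),  # a form posting to http:// exposes what the user types
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, attribute, absolute url)

    def handle_starttag(self, tag, attrs):
        for attr in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    # Relative and protocol-relative ("//host/x") URLs inherit
                    # the page's https scheme, so resolve against the page first.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.insecure.append((tag, attr, absolute))


def find_insecure_elements(page_url, html):
    """Return [(tag, attribute, url), ...] for every sub-resource fetched over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<img src="http://images.example.com/banner.png">
<form action="http://forms.example.com/submit" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_elements("https://shop.example.com/checkout", SAMPLE_HTML):
        print(f"insecure <{tag} {attr}>: {url}")
```

Relative and protocol-relative references are treated as secure because the browser resolves them against the https:// page; only absolute http:// references are reported.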
What’s so special about the EV certificate?
When everything is properly installed and no element on the page is loaded insecurely, an EV certificate triggers the green bar in our web browser, usually the background of, or to the left or right of, the URL bar (where you type the address of the website you wish to visit). It is highly visible. It tells your visitors that all elements on the page are secured and that you have gone through a lengthy process to identify yourself to a certificate authority.
Encryption v assurance
All three certificates provide the same level of encryption; however, encryption is just the start. Assurance that your site visitors are actually visiting you, and that you have been vetted as a legitimate and registered company, gives visitors the confidence they need to start entering their confidential data. For anyone collecting personal or business-critical data on a website, an EV certificate is definitely recommended. It provides that assurance in a highly visible manner and also gives you a gauge of how good your website developers are at putting your site together. SSL certificates (and EV certificates) are a very good start to website data security. If you are collecting any sort of personal or confidential data on your website, you should certainly have an EV certificate as a minimum.