
Your definitive guide to SSL Certificates

11/08/2010

This guide has been produced by the technicians at ForLinux and provides a full breakdown of the certificates available, along with detailed information to enable you to make an informed choice about the most suitable certificate for your requirements.

Introduction

The concept of electronic retail, or e-commerce, has existed since the late 70's, but didn't become a practical reality until the mid-90's.

In 1994, Netscape introduced Secure Socket Layer (SSL) encryption, making secure and safe online transactions possible. In 1995, Amazon.com was launched, and is largely credited with popularising internet-based retail. After an early stumble in 2000, when the dot-com bubble of the late 90's burst, the surviving retailers slowly rebuilt customer confidence in e-commerce, seeing it grow through the 00's to become a major retail business model.

Online spending has tripled since 2006 and is expected to be more than 10% of total retail spend by 2012, fuelled by a huge increase in the number of internet shoppers (http://www.internetretailing.net/2010/06/oneinevery10willbespentonlineby...). Currently around 28 million people regularly purchase from online retailers, and with UK online spending expected to reach £56 billion by 2014 (http://www.computing.co.uk/computing/news/2237553/onlinespendreach56bn2014), internet businesses have access to a rapidly increasing pool of potential customers.

And SSL encryption makes all of this online business possible.

What is SSL?

A potential customer is unlikely to purchase products from a web site if they have any doubts about its security or authenticity. Increased consumer awareness of hazards such as fraud and phishing sites, and the relative anonymity provided by the internet, will cause the wary customer to ask two key questions:

Who are you? How do you know a web site belongs to an actual business? How do you know the owner of the web site is who they claim to be?

Is anyone else listening? Is anyone eavesdropping on your communications? When buying a product or service, are your credit card details being intercepted by a third party?

SSL encryption provides an answer to both questions by allowing web sites to be authenticated by a recognised third party, known as a Certificate Authority (CA), and by providing an encrypted connection for secure data transmissions.

How do I know a site is secure?

Consumers will generally be looking for the two main 'trust indicators' displayed by sites secured by SSL. The site will be accessed using the https protocol (which connects on port 443, rather than the standard port 80 used by http), and display a padlock icon on the user's web browser.

Some will also cause the browser to display a green address bar, but we will look at this in more detail later.

How does SSL work?

SSL uses a system called public-key encryption (also referred to as asymmetric encryption). The e-commerce site has two keys – a public key and a private key. The public key is available for everyone to access, and can be used by a customer's web browser to encrypt data – such as credit card information or other purchase details.

However, only the private key can decrypt this data. The private key is kept securely on the web server that supplied the public key. The encrypted data is tunnelled over an http connection, to prevent it from being intercepted. Even if the data were intercepted it would essentially be useless: it is estimated that, using current technology, it would take a trillion years for 128-bit encryption to be broken without access to the corresponding private key. A difficult claim to prove, but it does illustrate the confidence that SSL encryption is as close to unbreakable as makes no difference. And, of course, there is 256-bit encryption too...

Once the web server receives the encrypted data, it can use the private key to decrypt it and then process the transaction details.
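The following is an added example, not code from the ForLinux guide, showing the property described above in the smallest possible form: a toy RSA key pair where anyone holding the public key can encrypt, but only the private key recovers the plaintext. The primes 61 and 53 and the exponent 17 are deliberately tiny teaching values (the classic textbook example), not anything a real certificate would use; in a real SSL session the public key protects a randomly generated symmetric session key, and the "128-bit" figure above refers to that session cipher, not to the RSA key itself.

```python
# Added example (not from the ForLinux guide): toy public-key encryption.
# Parameters are deliberately tiny so the arithmetic is visible; real
# certificates use 2048-bit or larger keys and padding schemes.
from math import gcd
from typing import Iterable, List, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Build ((n, e), (n, d)) from two primes p and q (toy sizes only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key: PublicKey, m: int) -> int:
    """Anyone with the public key can do this step (the customer's browser)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key: PrivateKey, c: int) -> int:
    """Only the holder of the private key (the web server) can do this step."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key: PublicKey, data: bytes) -> List[int]:
    """Encrypt a byte string one byte at a time (toy only, never do this for real)."""
    return [encrypt(public_key, b) for b in data]


def decrypt_bytes(private_key: PrivateKey, blocks: Iterable[int]) -> bytes:
    return bytes(decrypt(private_key, c) for c in blocks)


if __name__ == "__main__":
    # constructed sample: a card number fragment a browser might send
    public, private = generate_keypair(61, 53)
    ciphertext = encrypt_bytes(public, b"4111")
    print("public key  :", public)
    print("private key :", private)
    print("ciphertext  :", ciphertext)
    print("decrypted   :", decrypt_bytes(private, ciphertext))
```

Note that the "private" exponent d is derived from p and q, which is why the private key must never leave the server: anyone who learns it can decrypt everything encrypted under the matching public key.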

Site authentication is provided by a digital identity certificate (usually just referred to as an SSL certificate), which is digitally signed by a trusted Certificate Authority, such as Thawte, Verisign, InstantSSL, etc. Clicking on the padlock icon displayed in your web browser allows you to view the details of the certificate, but your browser will also usually display warnings if certificate details do not match, e.g. the name of the site does not match the name on the certificate, or if the certificate has expired.

How do I obtain an SSL certificate?

You first need to generate a Certificate Signing Request (CSR). This is an application for a digital identity certificate that will be sent to a Certificate Authority for verification.

On a Linux server, a CSR is usually generated on the command line using the OpenSSL program. However, if you use a control panel such as cPanel, Webmin, Plesk, etc., you will probably use their web-based front end to access this program. Windows servers generate CSRs through IIS (Internet Information Services).

Irrespective of what method is used to generate the CSR, you will be prompted to answer the same series of questions to complete the request (known as the X.509 attributes). Most of these are basic identification details, such as the company name and address details, plus a contact email address. The most important one, from a purely technical perspective, is the site's Common Name. This is the name of the site to be covered by the certificate, written as: Host + Domain Name, e.g. www.example.com or example.com.

Note: The certificate will only cover the Common Name specified. If the name given to the certificate is www.example.com, a warning will be issued if it is accessed at example.com or sales.example.com, as these do not match the certificate's name.

This process will create a public/private key pair. The private key should be stored securely somewhere on the server, as this will later be used for decryption. The public key, in the form of the Certificate Signing Request (e.g. mydomain.csr) will be sent to the Certificate Authority for verification.

The Certificate Authority will run a series of validation checks before issuing a certificate. The number and type of checks can vary, but with the most basic checks the CA will attempt to verify the existence of the business and the ownership of the domain name. This may involve contacting the business to request official documentation, such as articles of incorporation, registration of trade name, charter documents, etc.

Once the CA has successfully completed its authentication checks and is satisfied the business is legitimate and has authority to order certificates for the requested domain name, they will issue the certificate.

The certificate will then need to be installed on the web server – either through a web-based control panel, the command line or Internet Information Services (IIS), depending upon the type of server being used.
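As an added example (not part of the ForLinux guide), the steps above can be carried out on a Linux server by driving the OpenSSL command line from a short Python script: the X.509 attributes are formatted into an OpenSSL subject string, `openssl req` creates the private key and the CSR in one step, and the Common Name is read back out of the CSR so you can check it before sending the request to the CA. The company details are constructed sample values, and the file names and the 2048-bit key size are this example's own choices.

```python
# Added example (not from the ForLinux guide): generate a key pair and CSR with
# the OpenSSL command line, then verify the Common Name in the resulting CSR.
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample X.509 attributes (not a real company).
SAMPLE_ATTRIBUTES: Dict[str, str] = {
    "C": "GB",
    "ST": "Greater Manchester",
    "L": "Manchester",
    "O": "Example Widgets Ltd",
    "OU": "Web",
    "CN": "www.example.com",            # the name the certificate will cover
    "emailAddress": "hostmaster@example.com",
}

# Order in which OpenSSL conventionally lists the subject components.
SUBJECT_ORDER = ["C", "ST", "L", "O", "OU", "CN", "emailAddress"]


def openssl_available() -> bool:
    """True if the openssl binary is on PATH."""
    return shutil.which("openssl") is not None


def build_subject(attrs: Dict[str, str]) -> str:
    """Format attributes as an OpenSSL -subj string, e.g. /C=GB/CN=www.example.com.
    '/', '=' and '\\' inside a value are escaped so they cannot start a new field."""
    parts = []
    for key in SUBJECT_ORDER:
        if key in attrs:
            value = (attrs[key].replace("\\", "\\\\")
                               .replace("/", "\\/")
                               .replace("=", "\\="))
            parts.append(f"{key}={value}")
    return "/" + "/".join(parts)


def csr_command(key_path, csr_path, subject: str, bits: int = 2048) -> List[str]:
    """argv for 'openssl req': new RSA key plus CSR in one step.
    -nodes leaves the private key unencrypted so the web server can load it
    unattended; protect the file with restrictive permissions instead."""
    return ["openssl", "req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
            "-keyout", str(key_path), "-out", str(csr_path), "-subj", subject]


def csr_common_name(csr_path) -> str:
    """Read the subject back from the CSR and extract the CN.
    The regex copes with both the old '/CN=x/' and the newer 'CN = x,' layouts."""
    result = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-noout", "-subject"],
        check=True, capture_output=True, text=True)
    match = re.search(r"\bCN\s*=\s*([^,/\n]+)", result.stdout)
    if not match:
        raise ValueError(f"no Common Name found in: {result.stdout!r}")
    return match.group(1).strip()


def generate_csr(attrs: Dict[str, str], workdir=None) -> Dict[str, str]:
    """Create key + CSR in workdir (a fresh temp dir by default) and report the CN."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="csr-"))
    key_path = workdir / "server.key"
    csr_path = workdir / "server.csr"
    subprocess.run(csr_command(key_path, csr_path, build_subject(attrs)),
                   check=True, capture_output=True)
    key_path.chmod(0o600)  # the private key stays on the server, readable by root only
    return {"key": str(key_path), "csr": str(csr_path),
            "common_name": csr_common_name(csr_path)}


if __name__ == "__main__":
    print("subject:", build_subject(SAMPLE_ATTRIBUTES))
    if openssl_available():
        info = generate_csr(SAMPLE_ATTRIBUTES)
        print("private key:", info["key"])
        print("CSR to send to the CA:", info["csr"])
        print("Common Name in CSR:", info["common_name"])
    else:
        print("openssl not found on PATH; install it to generate the CSR")
```

The CSR file (server.csr) is what you send to the Certificate Authority; server.key never leaves the server. Checking the Common Name before submitting avoids paying for a certificate issued to the wrong host name.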

Types of SSL certificates

There are several different types of SSL certificates. They all use the same basic encryption / authentication methods, but each serves a slightly different function.

The standard SSL certificate

This is the most basic type of certificate, which is discussed in the previous examples. It authenticates a single domain name, e.g. www.example.com or sales.example.com, and encrypts data transmissions using a public / private key pair. Sites protected by this certificate display the two key trust indicators: connection using https and a padlock icon displayed in the browser. This type of certificate is ideal if you need to protect a single site or subdomain.

The self-signed SSL certificate

It is possible to generate and 'self-sign' a standard SSL certificate. These can be generated for free, and they still employ the same level of encryption as a standard certificate, but the digital identity certificate is signed by the web site / server owner, not by a recognised Certificate Authority. It basically constitutes a statement by the web site owner saying, "I am who I say I am", with no external auditing or verification.

This type of certificate should only ever be used for testing purposes and for internal systems. It should never be used on 'live' sites, and any live site found to be 'self-signed' should be treated with considerable suspicion. Always remember to click the padlock icon and check who has verified the certificate!

The EV SSL certificate

The Extended Validation (EV) certificate is, in part, a response to some of the trust issues caused by self-signed certificates. Most web browsers do not differentiate between low-validation (self-signed) certificates and those that have been rigorously vetted. Many phishing sites now employ SSL certificates to make them look legitimate, betting on the fact that many consumers will see the padlock icon and not bother to check who validated it.

Any business requesting an EV certificate will be subjected to much more rigorous and extensive testing by the Certificate Authority. A site protected by an EV certificate will display a green address bar, with a verification notice displayed clearly, stating the name of the web site and who has verified it. This highly visible confirmation of a site's legitimacy is intended to help restore consumer confidence.

This type of certificate should be used on sites selling high value goods, or those requiring high levels of authentication, such as banks or money transfer sites. Due to the additional validation required, an EV certificate will usually cost four or five times as much as a standard certificate.

The Wildcard certificate

This type of certificate allows you to protect an unlimited number of subdomains, for a specific domain, with a single certificate. For example, a standard certificate could be used to cover single domains or subdomains such as example.com or sales.example.com. A wildcard certificate can be used to cover any subdomain prefixing the main domain name – e.g. a wildcard certificate for example.com would also cover sales.example.com, login.example.com, secure.example.com and any other subdomain address you might want to use. In all other respects, this is exactly the same as a standard SSL certificate.

Wildcard certificates usually cost around four times as much as a standard certificate, so unless you need four or more subdomains to be secured, it's more economical to purchase individual standard certificates.

The multidomain certificate

As the name suggests, this type of certificate allows several domain names to be covered by a single certificate. The exact number of domains covered varies depending upon the licence, but upwards of 100 different domains and subdomains can be covered by this type of certificate. They are usually available as a standard or EV certificate and are very expensive – starting at around ten times the price of a standard certificate for a 3 domain EV certificate.

They are useful if you have several domains to secure, but you must know the names of the domains when purchasing the certificate. Additional domains cannot be added on later.
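The name-matching rule runs through the Common Name note earlier, the standard, wildcard and multi-domain sections above: a certificate only covers the names written on it, and a browser warns when the site's name is not among them. The following added example (not code from the ForLinux guide) models a certificate as its list of names and implements that rule, including the wildcard edge cases (a `*.example.com` certificate covers exactly one extra label, so it matches `sales.example.com` but not `a.b.example.com`), and adds a small helper that applies the guide's own buying advice (four or more subdomains justify a wildcard; several registered domains need a multi-domain certificate). The sample certificates and hostnames are constructed; the wildcard sample also lists the bare domain because CAs normally add it, and the "registrable domain" is approximated as the last two labels, which is an assumption that ignores suffixes such as .co.uk.

```python
# Added example (not from the ForLinux guide): which hostnames a certificate
# covers, and which certificate type the guide's advice points to.
from typing import Iterable, List, Set


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name covers hostname.

    - plain names must match label for label (case-insensitive)
    - '*.example.com' covers exactly one extra label: sales.example.com,
      but not example.com, not a.b.example.com, and a bare '*' is never honoured
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # only a leading, whole-label wildcard with at least two fixed labels after it
    if cert_labels[0] != "*" or len(cert_labels) < 3 or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """A certificate covers a hostname if any name on it matches."""
    return any(name_matches(n, hostname) for n in cert_names)


def browser_verdict(cert_names: List[str], hostname: str) -> str:
    """What the guide says the browser does: accept, or warn on a name mismatch."""
    if certificate_covers(cert_names, hostname):
        return "ok"
    return f"warning: {hostname} does not match certificate names {cert_names}"


# Constructed sample certificates, one per type described in the guide.
STANDARD_CERT = ["www.example.com"]
WILDCARD_CERT = ["*.example.com", "example.com"]   # bare domain added, as CAs usually do
MULTIDOMAIN_CERT = ["example.com", "www.example.com", "example.co.uk", "shop.example.net"]


def registrable_domain(hostname: str) -> str:
    """Assumption: the registered domain is the last two labels (ignores .co.uk etc.)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def recommend_certificate(hostnames: Iterable[str]) -> str:
    """Apply the guide's buying advice to a set of hostnames that must be secured."""
    names: Set[str] = {h.lower().rstrip(".") for h in hostnames}
    if len(names) == 1:
        return "standard"
    parents = {registrable_domain(h) for h in names}
    if len(parents) == 1:
        parent = parents.pop()
        # a wildcard only helps if every name is the domain itself or one label below it
        one_level = all(h == parent or h.split(".")[1:] == parent.split(".") for h in names)
        if one_level and len(names) >= 4:
            return "wildcard"          # costs ~4x a standard cert, so pays off at 4+ names
        if one_level:
            return f"{len(names)} standard certificates"
    return "multi-domain"              # names span several domains (or deeper subdomains)


if __name__ == "__main__":
    for cert, host in [(STANDARD_CERT, "example.com"), (WILDCARD_CERT, "login.example.com"),
                       (WILDCARD_CERT, "a.b.example.com"), (MULTIDOMAIN_CERT, "shop.example.net")]:
        print(f"{host:22} -> {browser_verdict(cert, host)}")
    print(recommend_certificate(["www.example.com", "sales.example.com",
                                 "login.example.com", "secure.example.com"]))
```

Remember that the multi-domain list is fixed at purchase time: `recommend_certificate` only tells you which type to buy, the names themselves must all be known before you order.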

Conclusion

SSL certificates are an essential part of any online business. They ensure customer data is kept secure and validate the identity and legitimacy of an online business. Without SSL it would be difficult to know which websites to trust, making online retail next to impossible.

However, it is important that you consider the specific needs of your business and use an SSL certificate that is appropriate to these needs. Hopefully this guide has given you a better idea of how this pivotal element of e-commerce works, allowing you to make a more informed choice when choosing what type of SSL certificate you should purchase for your web site.
