Security Tools

               


HTTPS Protocol

Data Encryption

Secure Socket Layer (SSL)

Website Privacy Policy

 


As discussed earlier, the three main items a website uses for security are:

  • HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL)
  • Encryption
  • Secure Socket Layer (SSL)

What is HTTPS?

HTTPS is short for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. SSL is explained in greater detail later on this web page. HTTPS is a Web protocol that was developed by Netscape and is built into your web browser. It encrypts user page requests as well as the pages that are returned by the Web server, and decrypts them at the receiving end. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sub-layer beneath the regular HTTP application layer. (HTTPS uses port 443 instead of HTTP's port 80 in its interactions with the lower layer, TCP/IP.) Early SSL offered a 40-bit key size for its encryption algorithm, which was once considered an adequate degree of encryption for commercial exchange; that is no longer true, since a 40-bit key can be recovered by brute force with modest computing power, and browsers no longer offer it. Current sites use 128-bit keys, and increasingly 256-bit keys. SSL itself has been superseded by its successor, Transport Layer Security (TLS), which works the same way and is what a modern https:// connection actually uses; this page keeps the older name.

For example, you would use software like Netscape or Internet Explorer to visit a Web site to view products online. When you're ready to order, you will be given a Web page order form with a Uniform Resource Locator (URL) that starts with https://. When you click "Send" to send the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and be decrypted for you by your browser's HTTPS sub-layer.

HTTPS and SSL support the use of what are called digital certificates, sent by the server, so that the browser can verify that it is really talking to the site named in the URL and not to someone impersonating it. If the server requires it, the browser can present a certificate of its own so that the server can authenticate the user as well.

What is Data Encryption?

Data encryption is the conversion of data, using a mathematical algorithm, into a form that cannot be read by unauthorized users. Authorized users must be provided with a decryption key in order to unscramble the information. There are different strengths of data encryption, determined by the length (in bits) of the key used. In general, the longer the key, the stronger the encryption, and the more secure the data, because each extra bit doubles the number of keys an attacker has to try. Websites historically used 40-bit or 128-bit SSL encryption; 40-bit keys are now considered breakable and have been removed from browsers, so today you should expect 128-bit or 256-bit keys.

To implement encryption on a Web server a digital certificate is needed. A digital certificate is basically a signed statement that a particular public key belongs to the named Web server, vouched for by an independent source known as a certificate authority (CA). The certificate authority acts as a middleman that both computers trust. It confirms that the server is in fact who it says it is before issuing the certificate, and the browser, which ships with the public keys of the well-known certificate authorities, uses them to check the CA's signature on the certificate the server presents. That is how the browser obtains the server's public key in a form it can trust.

A popular implementation of public-key encryption is the Secure Sockets Layer (SSL), which we will discuss later in greater detail.

As discussed earlier, look for the "s" after "http" in the address whenever you are about to enter sensitive information, such as a credit-card number, into a form on a Web site.

In your browser, you can tell when you are using a secure protocol in a couple of different ways. You will notice that the "http" in the address line is replaced with "https," and you should see a small padlock icon: older browsers showed it in the status bar at the bottom of the browser window, while current browsers show it in the address bar next to the URL.

The padlock symbol lets you know that the connection is encrypted and that the site's certificate checked out. It does not vouch for the site itself: a fraudulent site can obtain a valid certificate for a domain it controls, so also check that the domain in the address bar is the one you meant to visit.

Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric-key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public-key encryption. The two computers can then communicate using the much faster symmetric-key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.

 

What is Secure Socket Layer (SSL) and how does it work?

As discussed earlier, SSL is short for Secure Sockets Layer. Its successor, TLS (Transport Layer Security), works in the same way, and the description below applies to both.

Processing transactions securely on the web means that we need to be able to transmit information between the web site and the customer in a manner that makes it difficult for other people to intercept and read. SSL takes care of this for us, and it works through a combination of programs and encryption/decryption routines that exist on the web hosting computer and in browser programs (like Netscape and Internet Explorer).

SSL Overview from the Customer's Browser viewpoint

1. Browser checks the certificate to make sure that the site you are connecting to is the real site and not someone intercepting.


2. Browser and web site server agree on an encryption method that both of them support.


3. Browser and server exchange random values and a secret that only the two of them know, and use them to generate the keys for scrambling, or encrypting, the information that will be sent.


4. The browser and server start talking using the encryption, the web browser shows the padlock icon, and web pages are processed securely.

Determine Secure Communication
Internet communication typically runs through multiple program layers on a server before getting to the requested data such as a web page or scripts.

The request arrives over TCP/IP first. The port it arrives on tells the server which high-level protocol will handle it: HTTP (web server, port 80), IMAP (mail server, port 143) or FTP (file transfer, port 21) for plain connections, and a separate port for the secure version of each, such as 443 for HTTPS.

If the request came in on a plain port, it passes straight from the TCP/IP layer to the high-level protocol and on to the server application or data.

If the client requested a secure connection, the Secure Sockets Layer sits between TCP/IP and the high-level protocol: it initiates a handshake to begin the secure communication process, and only after the handshake succeeds does the decrypted request reach the web server. Depending on the SSL setup on the server, it may require that a secure connection be made before allowing access to certain pages, in which case a non-secure request is answered with a redirect asking the client to retry securely at the https:// address (or the non-secure connection is simply denied).


The SSL Handshake
The handshake is the most complicated phase in the process, and though this example specifically uses HTTPS (web based security) the same steps apply to other protocols run over SSL.

The "handshake" syncs the server and the client up on the encryption methods and keys that will be used for the remainder of the communications. This is also where the server is authenticated (and the client too, if the server requires it).

Typically it is enough to know that server and client establish a secure connection, but the following is a summary of what happens (again, using https and a web browser as the example):


The customer's web browser sends the web site server the list of encryption methods it can use. This includes the encryption types it supports, some random data that the encryption routines on both sides will mix into their keys, and other SSL related data.

The server picks one of the offered encryption methods and returns its own random data to be used for key generation, as well as other SSL information including its SSL certificate. The certificate carries the server's public key, which appears as a long string of characters.

The customer's browser checks the certificate it received and compares it to the domain it was trying to connect securely with. If the name in the certificate doesn't match the domain name, the browser warns the customer that there is a problem. The certificate's expiration date and the certificate authority that signed it are also checked at this point.
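The checks in the paragraph above, written out as an added example that is not part of the original page and not any browser's code: the certificate records, host names, dates and the trust store are all constructed for illustration, and the CA signature verification that a real browser also performs over the certificate is left out.

```python
"""Added example: the name, validity-period and issuer checks a browser makes
on the certificate it receives in the handshake, run over constructed
certificate records. Real browsers parse X.509 and also verify the CA's
signature over the certificate; that step is omitted here."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 server certificate (constructed, not real)."""
    subject: str          # Common Name (CN)
    sans: List[str]       # Subject Alternative Name dNSName entries
    issuer: str           # the certificate authority that signed it
    not_before: datetime
    not_after: datetime


# Constructed trust store: the CAs whose certificates this "browser" accepts.
TRUSTED_ISSUERS = {"Example Root CA"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against the domain the browser asked for.

    Follows common browser practice: case-insensitive comparison, a wildcard
    is only honoured as the whole left-most label, it matches exactly one
    label, and it is not accepted in names as short as '*.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_certificate(cert: Certificate, hostname: str, now: datetime,
                      trusted=TRUSTED_ISSUERS) -> List[str]:
    """Return the problems a browser would warn about (empty if acceptable)."""
    problems = []
    # Browsers use the SAN list when present and fall back to the CN otherwise.
    names = cert.sans or [cert.subject]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate covers {names}, not {hostname}")
    if now < cert.not_before:
        problems.append(f"certificate not valid until {cert.not_before.date()}")
    if now > cert.not_after:
        problems.append(f"certificate expired on {cert.not_after.date()}")
    if cert.issuer not in trusted:
        problems.append(f"issuer {cert.issuer!r} is not a trusted certificate authority")
    return problems


# Constructed sample certificates and clock values (hypothetical names and dates).
SHOP_CERT = Certificate(
    subject="shop.example.com",
    sans=["shop.example.com", "*.example.com"],
    issuer="Example Root CA",
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
)
SELF_SIGNED_CERT = Certificate(
    subject="shop.example.com",
    sans=["shop.example.com"],
    issuer="shop.example.com",          # signed by itself, not by a known CA
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2026, 1, 1, tzinfo=timezone.utc)   # after the certificate expires

if __name__ == "__main__":
    for host, cert, when in [
        ("shop.example.com", SHOP_CERT, NOW),          # the genuine site
        ("www.example.com", SHOP_CERT, NOW),           # covered by the wildcard
        ("shop.example.net", SHOP_CERT, NOW),          # wrong domain: interception?
        ("shop.example.com", SHOP_CERT, LATER),        # expired
        ("shop.example.com", SELF_SIGNED_CERT, NOW),   # unknown issuer
    ]:
        print(host, when.date(), check_certificate(cert, host, when) or "OK")
```

Each failed check produces a separate warning, which is why a browser can report several problems for one certificate; note that the wildcard "*.example.com" covers www.example.com but neither example.com itself nor a.b.example.com, matching how browsers treat wildcards.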


Completing the SSL Handshake
The handshake finally creates the new keys that the remainder of the connection will use. The end product is a transmission encrypted with keys calculated from a secret that only the browser and the verified server can know, mixed with the random data both sides exchanged.

1. The browser now creates a "premaster secret" from which the keys for the rest of the session will be derived. This is a random value that it encrypts with the server's public key, taken from the certificate it just verified, so that only the holder of the matching private key can read it; the browser then sends the encrypted secret to the server. If the server requires client authentication, it is done at this point by checking a certificate on the client side rather than on the server side. Typically this is done in corporate environments.

2. From the "premaster secret", combined with the random data each side sent earlier, both the browser and the web site server compute the same "master secret" and use it to create session keys (long strings of generated characters) that their encryption routines use for the rest of the session to scramble and descramble (encrypt/decrypt) all transmissions. Separate keys derived from the master secret also let both sides verify that the data didn't change in route.

3. The browser now has the information it needs to establish secure communication, and it sends a message to the server saying that it will start using the new session keys.

4. The browser is now talking in the encrypted format and sends a "finished" message verifying to the web server that it is finished locking and securing its part of the session.

5. The web server then sends a message to the browser saying that it too will start using the new session keys.

6. The web server is now talking in the encrypted format and sends its own "finished" message verifying to the browser that it is finished locking and securing its part of the session. The remainder of the SSL session gets processed between the browser and the web server using the agreed-upon encryption with the session keys derived from the master secret.
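The six steps above, together with the public-key-then-symmetric-key pattern described in the Data Encryption section, as an added example that is not code from the original page or from any SSL implementation. It assumes a toy 512-bit textbook RSA key in place of the server's certificate key, a pseudo-random function modelled on the HMAC-SHA256 construction of TLS 1.2, and a simple HMAC-based stream cipher with a separate MAC in place of the negotiated cipher; the labels, key sizes and the sample order line are chosen for the demonstration.

```python
"""Added example (not from the original page): a simulation of handshake steps
1-6 above, and of the public-key-then-symmetric-key pattern from the Data
Encryption section. Toy textbook RSA and an HMAC-SHA256 PRF/keystream stand in
for the real certificate key and cipher; it shows the structure, not a cipher suite to deploy."""
import hashlib
import hmac
import os
import secrets

def _is_probable_prime(n):                      # Miller-Rabin, enough for a demo key
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(16):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):                       # 512 bits keeps the demo fast; real keys are 2048+
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public, private)

def rsa_encrypt(pub, msg):                      # textbook RSA, no padding: demo only
    e, n = pub
    return pow(int.from_bytes(msg, "big"), e, n)   # needs msg < n: 48-byte msg, 64-byte n

def rsa_decrypt(priv, c, length):
    return pow(c, priv[0], priv[1]).to_bytes(length, "big")

def prf(secret, label, seed, length):           # HMAC-SHA256 expansion, TLS 1.2 P_SHA256 style
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(premaster, client_random, server_random):
    """premaster -> master secret -> four session keys (encrypt and MAC, per direction)."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 4 * 32)
    return master, {"client_mac": block[0:32], "server_mac": block[32:64],
                    "client_enc": block[64:96], "server_enc": block[96:128]}

def _xor_stream(key, seq, data):                # keystream bound to the record sequence number
    ks = b"".join(hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(enc_key, mac_key, seq, plaintext):  # encrypt, then MAC sequence number + ciphertext
    ct = _xor_stream(enc_key, seq, plaintext)
    return ct + hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def unprotect(enc_key, mac_key, seq, record):
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record MAC check failed: data was altered in transit")
    return _xor_stream(enc_key, seq, ct)

def tamper_detected(enc_key, mac_key, seq, record):
    try:
        return unprotect(enc_key, mac_key, seq, record) is None
    except ValueError:
        return True

def run_handshake(server_pub, server_priv):
    """Browser and server side by side; returns the keys each side derived."""
    client_random = os.urandom(32)                # sent in the browser's hello
    server_random = os.urandom(32)                # returned with the certificate
    premaster = os.urandom(48)                    # step 1: browser picks a secret...
    wrapped = rsa_encrypt(server_pub, premaster)  # ...and seals it to the server's public key
    c_master, c_keys = derive_keys(premaster, client_random, server_random)                        # step 2
    s_master, s_keys = derive_keys(rsa_decrypt(server_priv, wrapped, 48), client_random, server_random)
    transcript = hashlib.sha256(client_random + server_random + wrapped.to_bytes(64, "big")).digest()
    if prf(c_master, b"finished", transcript, 12) != prf(s_master, b"finished", transcript, 12):
        raise ValueError("handshake failed: sides disagree on the master secret")   # steps 3-6
    return c_keys, s_keys

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    bk, sk = run_handshake(pub, priv)
    record = protect(bk["client_enc"], bk["client_mac"], 0, b"POST /order card=4111111111111111")  # constructed
    print(unprotect(sk["client_enc"], sk["client_mac"], 0, record),
          tamper_detected(sk["client_enc"], sk["client_mac"], 0, bytes([record[0] ^ 1]) + record[1:]))
```

Run it and the server recovers the browser's order line; flipping one byte of the record, or replaying it under a different sequence number, fails the MAC check, which is the "data didn't change in route" guarantee from step 2. One caveat for practitioners: the page's sequence encrypts the premaster secret with the server's long-term public key (RSA key exchange), so anyone who later obtains the server's private key can decrypt recorded sessions. Modern TLS derives the premaster with an ephemeral Diffie-Hellman exchange instead, so that recorded traffic stays protected, but the key-derivation and record-protection steps look the same.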

Now that I have explained how the main security tools are used, let me introduce some other security items that are also used on the Internet today.

 

Website Privacy Policy:

If you are hosting an e-commerce website you must have a privacy policy and a usage policy for your site. These policies state how you intend to use the personal information from product orders and any other information you collect about your site visitors. This is a very important step to take and should not be taken lightly. When you write the policy, make sure you follow it to the letter. Not doing so may put you in violation of the

You can read the transcripts of a public workshop put on by the FTC about the use of consumer data at the FTC Web site. There is also a lot of other good information there. You might also visit some well-known commerce sites and see how they've done their privacy statements.


Display the link to your Privacy Policy in a conspicuous spot on your home page and your ordering pages. Make the language easy to understand and clearly state how the information will be used. It is generally recommended to give the consumer the option of not sharing their personal information. If you are sharing the information, state with whom you will be sharing it.

Also include a statement in your privacy policy that explains to the user how you use things such as cookies, what security measures protect their data, and how customer information is handled.