Is your customer’s financial data protected?
Before visitors to your website enter personal or financial data at the checkout, they instinctively glance at the browser's address bar to see whether it says “https”. The average internet user understands this to mean that the site is secure.
Websites that display the “https” prefix generally use SSL certificates. SSL stands for Secure Sockets Layer, an internet communications protocol that encrypts data so that eavesdroppers cannot “listen in” or otherwise gain unauthorized access to information while it is in transit. This way, the client-server interaction is kept private.
HTTP is itself an Internet protocol, the Hypertext Transfer Protocol, and is the main platform for information sharing on the World Wide Web (WWW).
A more recent protocol that works like SSL is Transport Layer Security (TLS). According to Wikipedia, several versions of these protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).
How it works
During routine browsing, the browser will usually stay on http. Just before we start an e-commerce transaction, for instance, it switches to https, its secure mode. To do this, the client (your computer or browser) has to tell the server (the host computer) that it wants to make a secure connection.
The process kicks off with a “handshake”. When two people meet and shake hands, it usually takes place quickly and smoothly, because both know what to extend and for how long. Imagine how awkward it would be for the other party if one of them chose to extend a foot instead!
During the SSL handshake, the client sends the server this key data: its own SSL version number, information specific to this transaction, its cipher settings, and other useful data. The server reciprocates by sending similar data from its end.
After a handshake, two people may exchange business cards. The server likewise sends the client its own unique certificate. Unlike a meeting between business people, the server also requests a certificate from the client for the purpose of authentication. This is necessary because what the client is about to do is similar to cashing a cheque at the bank.
If the authentication process fails, the session ends.
If authentication succeeds, the client generates the pre-master secret for this session, encrypts it with the server's public key (taken from the server's certificate), and sends the encrypted secret to the server. Along with this and its own certificate, the client sends a signed piece of data that is unique to this handshake and known only to the two parties.
The server now uses its private key to decrypt the message it received from the client. Both client and server then use the pre-master secret to create the master secret, from which the session keys are derived.
The client sends a secure message to the server stating that it will be using its session key for all traffic to follow, and that, as far as it is concerned, the handshake is over. The server replies that it will also be using its session key for the same purpose and agrees that handshaking ends at this point.
During the back and forth that follows, the session keys are used to validate the integrity of encrypted and decrypted data, making sure that nothing was changed in transit.
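The key derivation described above, as an added Python example that is not part of the original article: the TLS 1.2 PRF from RFC 5246 turns the pre-master secret and the two handshake random values into the master secret, that master secret is expanded into per-direction session keys, and a simplified record MAC shows how those keys catch a change made in transit. The random values and pre-master secret are constructed constants, and the record MAC covers only a sequence number and payload, which is a simplification of the real TLS record MAC.

```python
import hmac
import hashlib

# Constructed handshake values, not captured from a real session:
CLIENT_RANDOM = bytes.fromhex("11" * 32)        # ClientHello.random (32 bytes)
SERVER_RANDOM = bytes.fromhex("22" * 32)        # ServerHello.random (32 bytes)
PRE_MASTER = bytes([3, 3]) + bytes(range(46))   # 48-byte pre-master secret

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    a = seed                                                        # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", client_random + server_random)[0..47]."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16) -> dict:
    """Split key_block = PRF(master, "key expansion", server_random + client_random)
    into the four per-direction secrets (IVs omitted)."""
    block = prf(master, b"key expansion", server_random + client_random, 2 * (mac_len + key_len))
    names = ("client_write_mac", "server_write_mac", "client_write_key", "server_write_key")
    keys, pos = {}, 0
    for name, size in zip(names, (mac_len, mac_len, key_len, key_len)):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys

def record_mac(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Simplified record MAC; real TLS also covers type, version and length."""
    return hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def verify_record(mac_key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(record_mac(mac_key, seq, payload), tag)

def demo() -> bool:
    """Both sides derive the same keys; an altered record then fails the MAC check."""
    client_master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    keys = session_keys(client_master, CLIENT_RANDOM, SERVER_RANDOM)
    tag = record_mac(keys["client_write_mac"], 0, b"POST /checkout amount=19.99")
    tampered_ok = verify_record(keys["client_write_mac"], 0, b"POST /checkout amount=99.99", tag)
    return client_master == server_master and not tampered_ok
```

The sequence number in the MAC is what lets the receiver reject a replayed or reordered record, not just a modified one.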
Choosing an SSL Certificate service
Vendors that offer the SSL certificates needed for the secure connections critical to financial transactions include GeoTrust, Go Daddy, RapidSSL, Symantec, and Thawte. Subscription prices range from as little as $12 to $400 per year.
As with any other product on the internet, some sites offer this service for free. Some will even urge you to generate an SSL certificate yourself, at no cost. I would not advise a website owner who values customer data security to go with this option though. Self-signed certificates generally come from untrusted sources, making them unsuitable for secure data transmission between Internet clients and servers.