We have warmed up to the idea of banking and shopping online, partly because we understand the technology a little better and partly because we tend to trust big institutions, but mostly because more and more brave pioneers began using the new technology without being eaten or suffering other terrible consequences.
We can feel even better about trusting online banking and shopping if we better understand the Internet's definition of trust. On the Internet, trust is established by an organization's reputation but, more importantly, by its web site's security certificate.
Do you remember Ralphie's Ovaltine secret decoder ring? He really, really, really had to have it so he could understand the secret radio message! Of course, Internet encryption is vastly more complex but the basic idea is the same.
HTTPS AND SSL
HTTP is the default protocol that your browser uses to communicate with web servers. You have probably seen a web address or URL (uniform resource locator) that looks like this: "http://www.southsidetech.com."
You do not have to type the http:// part because it is assumed. Your browser fills this part in for you automatically.
SSL stands for Secure Sockets Layer. It does two things:
- Encrypts your data, which means no one can see what the website sends to your browser or what your browser sends to the website.
- It authenticates the web site. In other words, it certifies that the web site is actually owned by the entity that claims to own it.
HTTPS is HTTP plus SSL. It means the web page at that address uses SSL to encrypt data and authenticate the website. Usually the link you use to get to a secured site is programmed with the https:// prefix. Otherwise, you would need to type this part of the address yourself because it is not the browser's default protocol.
When you see the little lock next to a web site's address in your browser's address bar, or you see "https" at the beginning of the address, this means that you are using encrypted communications.
A certificate is a document that a website shows a browser to authenticate its identity. It "certifies" that the website is who it says it is. Certificates are issued by a "Certificate Authority" (CA), a company that will verify for the browser that a particular website's certificate can be trusted. All web browsers (IE, Chrome, Firefox, etc.) come pre-loaded with security files for the Certificate Authorities whose opinion they will trust.
The website owner must generate a Certificate Signing Request and send it to a trusted CA. The CA then verifies the website's ownership and "signs" the security certificate. Once the certificate is issued, the web site owner installs it on their web server. It includes owner information like organization name, address, etc. and public and private encryption keys.
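The request, signing and trust check described above can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original article; the CA names and the host www.example.test are made up, and a single CA file stands in for the browser's pre-loaded list of trusted authorities.

```shell
#!/bin/sh
# Constructed demo: every name and file here is made up for illustration.
set -e
WORK=$(mktemp -d)

# 1. A Certificate Authority: a key pair plus a self-signed root certificate.
make_ca() {  # $1 = file prefix, $2 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=$2/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# 2. The website owner generates a key pair and a Certificate Signing Request.
#    Only site.csr is handed to the CA in the next step.
make_csr() {  # $1 = host name
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=$1" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
}

# 3. The CA signs the request; site.crt is what the web server installs.
sign_csr() {  # $1 = CA file prefix
    openssl x509 -req -in "$WORK/site.csr" -days 30 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/site.crt" 2>/dev/null
}

# 4. The browser's check: accept the certificate only if a trusted CA signed it.
trusted_by() {  # $1 = CA file prefix; exit status 0 means trusted
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/site.crt" >/dev/null 2>&1
}

make_ca trusted "Demo Root CA"
make_ca other "Unrelated CA"
make_csr www.example.test
sign_csr trusted

trusted_by trusted && echo "signed by a CA in the trust list: accepted"
trusted_by other || echo "signing CA not in the trust list: rejected"
openssl x509 -in "$WORK/site.crt" -noout -subject -issuer
```
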
Public and Private Keys
A private key is a secret password that is known only by the website and the CA. This is how the CA can vouch for the website. …