SSL Basics
for Internet Users
We know that there's a lot of techno-babble on these
security web sites with "public-key encryption" this and
"secure sockets" that. We've attempted to sort all that out
on this page so that even our mothers can understand this secure
stuff.
Let's start out with the question...
Should I really be concerned about Internet privacy?
You bet. The connection between you and any other
point on the Internet can be routed through dozens of independent systems,
any of which can easily be monitored. You should consider
non-encrypted e-mail, web browsing, chatting, and any other Internet use
about as private as yelling to someone across a crowded room.
What does SSL
mean to me, the average Internet user?
 When
you come across a web page that is secured, your browser will likely
display a 'closed lock' or other symbol to inform you that SSL has been
enabled. The web site address should also now start with
"https://" rather than the usual "http://".
In a nutshell, SSL allows a secure connection between
your web browser and a web server. This secure information 'tunnel'
was developed by Netscape Communications and was based on encryption
algorithms developed by RSA Security. SSL is being widely adopted by
numerous companies for other client/server uses other than web surfing.
Client? Server? Browser? Huh?
If some of these terms are already starting to look
foreign, try a website like Webopedia,
which has definitions for most everything here. Click this link to open a small Webopedia
companion window.
What do the letters SSL stand for again?
Secure Sockets Layer. But don't worry about
that...just keep thinking about that secure tunnel.
So who uses SSL today?
Most all web-based online purchases and monetary
transactions are now secured by SSL. When you submit your credit card to
purchase a compact disk from CDNOW, for example, the order form information
is sent through this secure tunnel so that only the folks at CDNOW can view
it.
You may also be familiar with online banking.
Financial institutions use SSL to secure the transmission of your PIN
number and other confidential account data.
Can anyone set up a secure web server?
As a consumer, you need to be aware that an SSL
connection does not ensure the integrity of the organization you are
sending your credit card information to. If you suspect a commercial web
site of misuse of your personal information or believe the site's operators
are engaged in illegal activities, your best course of action is to contact
law enforcement officials in your area, or the Better Business Bureau
Online at www.bbbonline.com.
Also note that SSL only protects the link between the
browser and server, but does not protect that data once it is collected by
the server. There have been numerous, widely publicized instances where a
web server's data storage was compromised and large amounts of credit card
and other personal data was stolen. Many web sites now post information
security and privacy policies to inform customers of the organization's
data handling procedures.
There are many web server/client products that support
SSL connections. To set up shop on the web, all one would need is
access to one of these servers, and to acquire a digital certificate to
enable SSL. For a list of some of these products, try the RSA Secured
Solutions Directory at http://www.rsasecured.com/.
Many Internet Service Providers (ISPs) offer SSL
transaction capabilities to online retailers.
I thought we weren't going to get too technical. Digital
certificate? What's that all about?
Well, think of the digital certificate as the key to
starting the SSL engine. Maybe more like a driver's license. It's
just an identification card that the server uses to prove that it is who it
says it is.
Digital Certificates are issued by Certificate
Authorities (CA). This is where it gets tricky, because anyone with
the right software can be a certificate authority, just like anyone can
make a piece of paper that says it's a driver's license. But just as
only the state government can issue a license that a police officer will
accept, there are certain trusted CA's that your web browser will accept
(such as VeriSign, Inc.). Of course, you can tell your web browser to
accept other CA's if you want to. In this case, you're the police officer
that's accepting these certificates, so you should accept certificates from
sources you trust.
Also note that, just like the SSL connection itself, a
digital certificate does not vouch for the integrity of the company it is
issued to. Be wary of who you send your credit card information to,
regardless of if the connection is secure or not.
So you mean that SSL has to have these 'digital certificates' in order
to function, and vice-versa?
Yes. Digital Certificates facilitate the public key
exchange that is required to enable an SSL connection.
While your digital certificate can be issued by any
Certificate Authority, most web browsers contain a list of trusted CAs,
such as VeriSign or Thawte. As an example, if someone
goes to your secured web site that has a certificate issued by "Slick
Rick's Speedy Certificate Authority", they will be asked if they wish
to accept that CA as valid. Not knowing who Slick Rick is, they may
decline.
Digital Certificates are not only used in SSL...they are
also used in other protocols such as S/MIME (Secure Multipurpose
Internet Mail Extensions) to secure e-mail exchanges.
What's the difference between a 40-bit SSL connection and a 128-bit SSL
connection?
Many banks require 128-bit encryption for online banking
because 40-bit encryption is considered to be relatively weak.
128-bits is about 309 septillion times (
309,485,000,000,000,000,000,000,000 ) larger than 40-bits.
Equated to the real world, sending information without
encryption is like sending a postcard through the mail - the contents are
visible to practically anyone who wants to see it. Using this
analogy, 40-bit encryption is like sending the information in an plain
white envelope. 56-bits could then be equated to using a security envelope
that is printed to prevent it from being see-through.
Relative to these strengths, 128-bit encryption could be
compared to encasing your data in a lead-lined, 12-inch thick titanium safe
that is being transported by an armored tank with a convoy of a hundred
armed guards. In other words, 128-bits is considerably more
secure than 40.
Is it true that 128-bit encryption can't be exported overseas?
Prior to January 2000, software products that contained
strong encryption strengths were considered a munition by the US Government
and in most cases were not able to be shipped or downloaded by anyone
overseas. Most web browsers were limited to 40 or 56-bit SSL encryption,
which we all now know is pretty weak, right? Multiple versions of many
software applications, including web browsers, were developed because of
these export limitations.
In January of 2000 many of these limitations were
lifted, and most companies can now ship full strength 128-bit versions
of their products worldwide (except to countries that the US has trade
policies against: Libya, Cuba, Iraq, etc.)
So how can I tell if my web browser has 128-bit encryption?
Most
newer browsers now support a variety of SSL bit strengths. This ensures
that the browsers are fully compatible with most all web servers and
digital certificates, which were also shipped worldwide at lower encryption
strengths.
If you have an older browser you downloaded without
filling out an brief residency confirmation form, you likely have the 40 or
56-bit version. Check your browser's encryption preferences to see
what strengths you have available. You can also try Fortify.net's
SSL test page for a readout of what strengths your browser supports.
If SSL is so cool, why isn't it "engaged" on a web site all
the time?
Because all information going back and fourth between the
client and server is being put through an encryption process instead of
being sent plain, the server and browser take longer to process this
data. The speed difference may not be noticeable on a single page,
but if all of a website's pages were encrypted, the server's performance
could be significantly reduced.
Some
web site administrators may set their servers to only require 40 or 56-bit
operations, which may be fine for less sensitive information. Most
financial institutions require 128-bit browser strength to ensure optimum
security.
If you have any other questions about SSL, or security in general, feel
free to drop a note to [email protected],
and we'll see what we can do to get it answered.
|