Posted by ISTE Students Chapter MANIT | Monday, 13 June 2011 | 0 comments

Anurag Kumar 
Second Year
CSE
                                                              
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions.
To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.
The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.
The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session - the lock icon in the lower right-hand corner, clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals.



The following is a screen shot of a web page implementing the protocol using VeriSign.


The VeriSign logo can be seen on the right side bottom of the page. Also https is mentioned instead of http in the address bar. Clicking on the VeriSign Trusted icon displays information about the web site such as:

VeriSign logo

Another screen shot showing the result of clicking on the VeriSign logo.

Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (SHTTP). By convention, URLs that require an SSL connection start with https instead of http Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. Typically an SSL Certificate will contain the domain name, the company name, the address. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site's SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.  


What Happens When a Web Browser Connects to a Secure Web Site?
      This is in short how it works.
ü     A browser requests a secure page (usually https ://).
ü     The web server sends its public key with its certificate.
ü     The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
ü     The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
ü     The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
ü     The web server sends back the requested html document and http data encrypted with the symmetric key.
ü     The browser decrypts the http data and html document using the symmetric key and displays the information.

                                            
Why Encryption?
Encryption Protects Data during Transmission. Web servers and Web browsers rely on the Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server’s capabilities. That is why SSL Certificates feature a range of encryption levels such as "up to 256-bit". Strong encryption, at 128 bits, can calculate 288 times as many combinations as 40-bit encryption. That's over a trillion times a trillion times stronger. At current computing speeds, a hacker with the time, tools, and motivation to attack using brute force would require a trillion years to break into a session protected by an SGC-enabled certificate.

A basic example:
Hi, how are you?”  Can be encrypted as “?uyo ear who ,Hi”. Techniques can vary according to sensitivity of the information being transmitted.


So, in short SSL Encryption safe guards you and your information online. Thus it protects you from any frauds.


SSL, Trust and E-Commerce
When customers buy online, they trust that the company will protect their personal information and use it only as intended. Premium SSL Certificates and daily Web site malware scanning together help assure the customers that the site is safe from search to browse to buy.
ü     Concerns Keep Shoppers from Buying Online
Despite steady growth in e-commerce, concerns about fraud and identity theft continue to keep potential customers away. In the past two years, 62% of shoppers have become more concerned about their online security.
48%  have become more concerned about giving personal information online due to  fear of cybercriminals

36% are less likely to enter credit/debit card or bank account related information online because of concern that it will be intercepted and stolen.

Even though online retailers secure online transactions with encryption, 73% of consumers want more assurance that their information is secure. (Javelin Strategy and Research, March 2009)

ü     Shopping Cart Abandonment Reduced and Online Sales on the Rise
When Web site visitors see the SSL encryption enabled seal, they are less likely to abandon a transaction and more likely to do business with online. Case studies show a 10-36% increase in online transactions when such a logo/seal is displayed. In a recent study, 11% of respondents decided not to conduct business with the site because they did not see thesame.
  

Defensive Measures 
For the sake of convenience, many users will continue to use unsecured networks at cafes, libraries, airports and other public places for Internet access. Web site operators should safeguard their users’ data privacy regardless of the types of network users employ. By taking protective measures before a side jacking attack succeeds, companies can avoid losing customers and incurring crippling costs from litigation and redressing negative publicity. Organizations can help defend against side jacking attacks by enabling SSL protection throughout the entire user session for their customers, not just at login.

Leave a Reply