SSL Certificates what you should know

The e-commerce business is all about making money and finding ways to make more money. It’s hard to make (more) money when consumers don’t feel safe executing a transaction on your Web site. That’s where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

What is SSL?

Since its introduction in 1994, SSL has been the defacto standard for e-commerce transaction security and is likely to remain so into the future.

SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the “bad guys” from stealing your information for malicious intent. You know that you’re on an SSL protected page when the address begins with “https” and there is a padlock icon at the bottom of the page (and in the case of Mozilla Firefox in the address bar as well).

Your browser encrypts the data and sends it to the receiving website using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that’s why it’s incumbent upon e-commerce site builders to do their part.

SSL Certificates
Over a Trillion Times a Trillion Times Stronger

When an SSL handshake occurs between a client and server, a level of encryption is determined by the Web browser, the client computer operating system, and the SSL Certificate. Strong encryption, at 128 bits, can calculate 2^88 times as many combinations as 40-bit encryption. That’s over a trillion times a trillion times stronger. At current computing speeds, a hacker with the time, tools, and motivation to attack using brute force would require a trillion years to break into a session protected by an SGC-enabled certificate.

256-bit SSL Encryption

The Advanced Encryption Standard (AES) enables 256-bit encryption, much stronger than 128-bit. If your server and your site visitor’s browser support 256-bit encryption, then all VeriSign SSL Certificates will deliver this higher level of protection.

How to Get an SSL Certificate the Wrong Way

There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can “self-sign” your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor.

Though, technically speaking, the data may be encrypted, there still is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place.

“The problem is ‘how does the rest of the ecosystem know the site is legitimate?’” explained VeriSign’s Kinzelberg. “Self-signing a certificate is like issuing yourself a driver’s license. Roads are safer because governments issue licenses.”

“We’re making sure that the roads are safe. This is the role of the certificate authorities. Certificate authorities make sure the site is legitimate,” he added.

Self-signed certificates will trigger a warning window in most browser configurations indicating that the certificate was not recognized. VeriSign’s Kinzelberg admits that a lot of people will click through anyway, just as a lot of people will click through an expired SSL certificate as well.

“We, as an industry, want to educate people that that’s the kind of thing they should not be doing. It’s not safe e-commerce activity,” Kinzelberg said.
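The difference between the two ways of getting a certificate comes down to one check: does the certificate chain to a root the client already trusts? The script below is an added example, not from the article or from any vendor; it needs the openssl command-line tool, and every name in it (shop.example, Demo Root CA) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): why a self-signed certificate is rejected by a
# client that only trusts CA roots, and what a CA signature changes. Requires the openssl
# CLI; every name here (shop.example, Demo Root CA) is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A self-signed certificate: the site signs its own key ("issuing yourself a licence").
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=shop.example" \
  -keyout self.key -out self.crt >/dev/null 2>&1

# A CA-signed certificate: an independent root signs the site's request after vetting it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
  -keyout site.key -out site.csr >/dev/null 2>&1
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out site.crt >/dev/null 2>&1

# trust_status ROOT CERT: prints "trusted" if CERT chains to ROOT, otherwise "untrusted".
# This is the same path-validation step a browser runs against its built-in root list.
trust_status() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# system_trust_status CERT: the same check against the machine's default root store,
# which holds public CAs but neither of our demo roots.
system_trust_status() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

echo "CA-signed site cert, client trusts Demo Root CA:    $(trust_status ca.crt site.crt)"
echo "Self-signed site cert, client trusts Demo Root CA:  $(trust_status ca.crt self.crt)"
echo "Self-signed cert, client added it as a root itself: $(trust_status self.crt self.crt)"
echo "CA-signed site cert, default root store only:       $(system_trust_status site.crt)"
```

The third line is what a user does when clicking through the browser warning: the certificate becomes trusted only because that one client chose to trust it, which says nothing about who actually controls the site.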

A site that conveys trust is also more likely to be a site that makes (more) money.

There is research that suggests that having a recognizable SSL certificate may in fact have a direct correlation to increased e-commerce sales. VeriSign in particular has done some research that shows that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites, have fewer abandoned shopping carts and better repeat purchases.

Joan Lockhart, VP of Marketing at SSL certificate vendor GeoTrust, argues that the price of an SSL certificate, from the least expensive provider to the most expensive provider, is a minuscule cost in the overall scheme of e-commerce. “The margin on a single transaction could pay for the cost of a certificate, so it’s not really about ROI,” Lockhart said. “It’s about conveying trust to your consumers.”

Choosing an SSL Certificate Vendor

According to GeoTrust’s Lockhart, there are several things that buyers should look for when purchasing a certificate:

- Reputation and credibility of the CA (Have they been in business for a while? Do they have lots of customers?)
- Ubiquity of the root (is it embedded in all of the popular browsers?)
- Root is owned by the CA (and not chained to someone else’s root)
- Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)
- Ease of acquiring the certificate
- Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)

Conclusion

You are who you say you are. You have nothing to hide and you are running a legitimate e-commerce business that you want consumers to feel comfortable doing business with and trust. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone.

In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.

Web development takes into account many security considerations, such as data entry error checking through forms, filtering output, and encryption.[2] Malicious practices such as SQL injection can be executed by users with ill intent yet with only primitive knowledge of web development as a whole. Scripts can be exploited to grant unauthorized access to malicious users trying to collect information such as email addresses, passwords and protected content like credit card numbers.

Some of this is dependent on the server environment (most commonly Apache or Microsoft IIS) on which the scripting language, such as PHP, Ruby, Python, Perl or ASP is running, and therefore is not necessarily down to the web developer themselves to maintain. However, stringent testing of web applications before public release is encouraged to prevent such exploits from occurring.

Keeping a web server safe from intrusion is often called Server Port Hardening. Many technologies come into play in keeping information safe as it is transmitted across the internet from one location to another. For instance, Secure Socket Layer (SSL) certificates are issued by certificate authorities to help prevent internet fraud. Many developers employ different forms of encryption when transmitting and storing sensitive information. A basic understanding of information technology security concerns is often part of a web developer’s knowledge.

Because new security holes are found in web applications even after testing and launch, security patch updates are frequent for widely used applications. It is often the job of web developers to keep applications up to date as security patches are released and new security concerns are discovered.