When it comes to accepting online payments and other sensitive
information over the web, normal HTTP just doesn't cut it.
It's an insecure method of communication where everything
is sent over the wire in cleartext - it's completely trivial
for anyone in a network administrator position at a business
or ISP to gain access to the network, and most networks are
even vulnerable to 'sniffing' by non-privileged users of the
Things are bad enough that you really shouldn't even transmit
any passwords without taking additional security measures,
unless the things the passwords give access to are entirely
trivial - put simply, as a webmaster, you need to be worried
about encryption and security. But how can you add them to
your website? Well, it's not as difficult as you think, because
there's a standardised way of doing it: SSL.
What is SSL?
SSL stands for Secure Sockets Layer. It is a method of using
cryptography to make sure that communication between a server
and a client is secure: in other words, data sent can't be
intercepted or tampered with in any way. SSL works using a
variety of encryption methods, but the most important feature
is that SSL certificates effectively certify that a site is
the real thing, which helps to prevent spoofing. When SSL
is combined with HTTP, it becomes HTTPS (Secure HTTP), a powerful
way for web browsers and web servers to send sensitive data
back and forward securely.
If all that was over your head, maybe I should put it to
you in the way that your customers will. SSL is what makes
their web browser come up with the little padlock symbol that
means your website is secure for them to enter sensitive information
into. If there's no padlock, they don't want to do business
However, you should also be aware of what SSL is not: it
isn't a complete security package. If you transmit data over
HTTPS and then store it in a database unencrypted when it
reaches your server, someone with access to the database will
still be able to easily retrieve the data. SSL is not the
answer to everything - it's simply a way of avoiding anything
happening to the data while it's 'out there', travelling across
the Internet. Of course, your customers are unlikely to realise
that (they think the padlock works like magic), but you at
Levels of Encryption
There are three main levels of SSL encryption: 40-bit, 128-bit
It's very important to emphasise at this point that 40-bit
SSL is now outdated and deprecated: you would be a fool to
use it. The only reason 40-bit encryption was available to
begin with was because the US government was initially afraid
of exporting cryptographic algorithms that were strong enough
to be used against them: 40-bit was strong enough for most
web uses, but still weak enough that they could break it by
brute force with their powerful computers. The US was persuaded
to relax the restrictions when the government realised that
they were doing nothing but forcing IT development to other
countries, but by then there had been widespread adoption
of 40-bit encryption.
Now, years later, there's really no reason to be using it.
You should go for 128-bit as a minimum, and preferably 256-bit
- what you can afford will likely be dictated by the value
of the goods you sell. If you think anyone is likely to try
to break your encryption, you should get the best you can.
How Do I Use SSL?
If your web host supports SSL, then it should already be all
set up for you (if you host your website yourself, then you
might like to take a look at the tutorials at modssl.org to
get it installed). However, before you can use SSL, you need
to get certified - that is, buy an SSL certificate from one
of the trusted certificate authorities. The big three are
VeriSign, GeoTrust and Thawte, but they charge relatively
The whole thing works more-or-less the same way as buying
a domain name, and, in fact, many domain registrars resell
certificates - you can often get a better deal from them than
you would from one of the big companies. You can often find
perfectly good certificates for as little as $30 per year,
if you shop around.
About the Author
Original Source: Eclipse-Articles.com
- Serving over 25,000 Articles. Information supplied and written
by Lee Asher of Eclipse Domain Services Domain Names, Hosting,
Traffic and Email Solutions.