SSL Certificates

SECURE SOCKETS LAYER & TRANSPORT LAYER SECURITY (SSL & TLS)

What is an SSL certificate?

SSL (and its successor, TLS) is a protocol that lets a website and its visitors exchange encrypted information across the internet. The encryption keeps the information unintelligible to anyone who intercepts it in transit - your credit card number when you buy online, for example. It is also how you show visitors that they can trust your website.

The SSL certificate is a document installed on the secure website that allows the viewer's browser to verify that the site is who it claims to be. Once that check passes, the browser and the server set up an encrypted session and all data exchanged from then on is scrambled. You know when you're visiting a secure website because the URL prefix is https:// instead of just http://.


Who needs an SSL certificate?

Anyone who sells goods or services online needs an SSL certificate installed on their site. If you expect people to send you their credit card and personal details over the internet then you need to make sure they know they can trust you.

Who else? It could be good to have this installed if you have people updating any personal or confidential information over the internet, for example:

  • A members' log-in area on your organisation site.
  • A contacts database accessible to members online.
  • Online submission of sales figures for a franchise company.

How do I get an SSL certificate?

The easiest way is to purchase one from an SSL provider (such as Rack Servers) and install it on your web server. And just like anything on the internet, there is a huge range to select from, priced from around $50 to $5,000 per year and with varying levels of warranty and assurance... so what are you really looking for?


Popular does usually mean secure

The popular SSL providers are popular because they have proven to be secure. This does not mean that newer or smaller SSL providers are less able to provide adequate security - it's just that most people are reluctant to experiment with this aspect of their web business. Larger companies are also able to offer larger insurance warranties which helps their reputation for delivery. The marketing spin is, how much are you prepared to pay for your client's security?


Expensive does not necessarily mean more secure

In fact, what does it mean to be more secure? Surely it's either secure, or it isn't... So why the immense difference in prices across providers?

It's really about how rigorous the vetting process is - that is, how thoroughly the provider verifies the identity of the website owner it sells a certificate to. It's also the insurance warranty figure they can offer in case your data is intercepted and somehow decrypted.

It's also about the reputation of the company providing the certificate - this is a big marketing strategy for larger SSL providers.

In reality, the mathematics behind the encryption means that even at modest key lengths, the time it would take a hacker to decrypt your information by guessing is many, many times the average human lifespan. So really the difference between companies is largely an emotional satisfaction about the security of precious and personal information. Do most people know the difference between SSL providers? Not really, but they will recognise the same names appearing time after time, as well as the providers that big sales companies such as eBay and online department stores use. The marketing is all about the impression of a guarantee of security, and this is what you're buying most of the time.

My recommendation is to spend a couple of hours comparing SSL providers and their products and notice how you feel about the different sites. Work out a budget that you are happy to spend on data security and see what you can get for your dollar!


How do SSL certificates work?

It's all about really long prime numbers. We're talking about numbers that have between 40 and 256 digits in them (binary digits for math nuts). There are two different prime numbers used:

  • One number is called the public key.
  • One number is called the private key.

Here's how it works. Say you want people to send you their personal information securely. You tell them your public key and they scramble their information using that public key plus a special formula (or algorithm). They send you the scrambled information. You can then use your private key, plus the special formula, to decrypt the information.

So you can see that there is still information being sent over the internet. What is there to stop someone from intercepting the data and working out for themselves what the private key is?

In theory, nothing at all. In practice however, that's why really long prime numbers are used. Here is how long it would take for a hacker today to work out the private key by trial and error, or brute force as it is called in the biz:


  No. of digits (bits)    Time to decrypt by 'brute force'
  8                       0 milliseconds
  40                      0.015 milliseconds
  56                      1 second
  64                      4 minutes, 16 seconds
  128                     149,745,258,842,898 years
  256                     50,955,671,114,250,072,156,962,268,275,658,377,807,020,642,877,435,085 years

So really the security is about the sheer number of combinations to guess. Experts suggest 128-bit security is ample for about the next ten years, until computers become fast enough that cracking some codes may become possible. Many SSL providers now offer certificates of up to 256 bits.
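The public/private key exchange and the brute-force idea described above, as an added toy example (not code from this page or from Rack Servers). It uses textbook RSA with two constructed tiny primes so that "working out the private key by trial and error" finishes instantly; real certificates use keys of thousands of bits plus padding, which is exactly why the table above explodes.

```python
# Toy textbook RSA: two primes give a public key and a private key.
# Educational only: the tiny constructed primes make brute force trivial,
# real TLS keys are thousands of bits and use padding, so never reuse this.
from math import gcd


def make_keys(p: int, q: int, e: int = 17):
    """Build a keypair from two primes. Public: (n, e). Private: (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)                # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> list:
    """Client side: scramble each byte with the public key (n, e)."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, blocks: list) -> bytes:
    """Server side: unscramble with the private key (n, d)."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


def brute_force_private_key(public_key):
    """Attacker view: recover d by trial-and-error factoring of n.
    Returns (d, trials). Feasible only because n here is tiny."""
    n, e = public_key
    trials = 0
    for p in range(2, n):
        trials += 1
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), trials
    raise ValueError("n has no factor below n")  # cannot happen for p*q


if __name__ == "__main__":
    pub, priv = make_keys(61, 53)        # constructed sample primes
    secret = b"4111 1111 1111 1111"      # constructed sample card number
    scrambled = encrypt(pub, secret)
    assert decrypt(priv, scrambled) == secret
    d_found, trials = brute_force_private_key(pub)
    print(f"recovered private d={d_found} after {trials} trials")
```

Doubling the number of bits in the primes roughly squares the trials needed, which is the growth the table above is showing.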

The SSL certificate that you install on your website contains not only your public key, but also the identity of the trusted Certificate Authority that issued it, which your client's web browser checks against its own list of trusted authorities (to make sure you are who you say you are, basically).


Conclusion

The reputation of the SSL Provider can increase client trust in your website, simply because not many people realise how the encryption works.

To be almost completely secure (nothing in life is certain...) for the next ten years, get 128-bit encryption.

Do some research for the best deal for yourself and your clients' peace-of-mind.

Here at Rack Servers we recommend the following SSL Certificates: