Understanding Web Site Security By Joel Rydbeck
Have you ever wondered what makes a Web site secure? What does the lock in the corner of the browser window mean? Why does Web site security matter?
When surfing the Internet, we occasionally receive messages delivered in "popup windows" that tell us whether Web sites are secure. The terms used to relay this information are usually pretty technical, and they don't mean much to most people.
For example, do you know what "HTTPS," "SSL," "Secure HTML" and "128-bit encryption" really mean?
To translate: these terms are related, but they are not the same thing. SSL (today usually its successor, TLS) is the protocol that encrypts the connection; HTTPS is ordinary Web traffic (HTTP) carried over that protocol; and "128-bit encryption" describes the size of the key the protocol uses, which sets how much work an attacker would need to guess it. "Secure HTML" is not a formal term at all, but it is a convenient label, so for simplicity I'll use "secure HTML" as I describe what actually happens in this process.
The idea behind secure HTML is to protect the data passing between your computer and a Web site while they are in transit. Secure HTML ensures that only the company with which you intend to communicate can read the data you send, and that the data cannot be altered on the way without the change being detected. This technology also ensures that the information you view comes from the company and not from some imposter or hacker. It says nothing, however, about how carefully the company stores your data once they arrive. How does secure HTML work? Basically two technologies are at play: digital certificates and encryption.
Digital Certificates
Companies obtain digital certificates to demonstrate that they really are who they say they are. Certificate authorities (CAs), such as VeriSign Inc., issue and digitally sign certificates for online businesses after checking that the applicant controls the domain in question. Your Web browser ships with a built-in list of CAs it trusts, and it accepts a certificate only if one of them signed it.
Each certificate is tied to a company's domain name and carries the company's public encryption key. For example, Bank of America Corp. (BofA) has a certificate that validates the bank on the Internet as https://www.bankofamerica.com. Because the browser compares the name in the certificate with the address it is visiting, that certificate cannot be used to pose as any other domain.
Encryption
When you send information to a secure Web site, the data are encrypted. Wikipedia (www.wikipedia.org), a free online encyclopedia, defines encryption as "the process of obscuring information to make it unreadable without special knowledge."
For example, when the sentence "Your bank account balance is $434.56" is encrypted, it's turned into something illegible like "D*#$D^KtRU(*#JKE(EDJSSJS8za83."
The data encryption process makes it very difficult for hackers to read your account balance if they intercept the data en route to or from a bank's Web site. On the flip side, anything that is encrypted must also be "decrypted," and only the two parties that hold the secret key can do that. Modern versions of the protocol also let the receiver detect whether the data were altered along the way.
Combining encryption with security certificates creates secure Web sites that not only protect data, but also certify that the data have come from the company you think they have come from. When I go to BofA's Web site to access my bank account, several things happen. First, my computer checks to make sure that the BofA Web site that I see is the bank's real site. It reviews the certificate received from the bank and checks three things: that a CA it trusts (in this case VeriSign) signed it, that the name in the certificate matches www.bankofamerica.com, and that the certificate has not expired.
Next, my computer uses the public key in the bank's certificate to agree with the bank on a fresh secret key for this session. The key itself never travels across the network, so an eavesdropper cannot capture it. Both parties then encrypt everything exchanged during the session with that key.
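Here is an added example, in Go, of the encryption step just described; it is not code from the original column, from BofA or from VeriSign. It plays both parties: the two sides agree on a session key by exchanging only public values (elliptic-curve Diffie-Hellman), the bank encrypts the article's sample sentence with AES-256-GCM, the customer decrypts it, and a message altered in transit is rejected. The function names and the single-hash key derivation are simplifications assumed for the example; a real TLS handshake derives its keys with a more involved procedure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// agreeSessionKey shows how two parties end up holding the same secret key
// without ever sending it: each makes a fresh key pair, they swap only the
// public halves, and ECDH gives both the same shared secret. Hashing that
// secret into a 32-byte AES key stands in for TLS's key derivation (an
// assumption of this example, not how TLS itself does it).
func agreeSessionKey() (clientKey, serverKey []byte, err error) {
	curve := ecdh.P256()
	client, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	server, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Only client.PublicKey() and server.PublicKey() travel over the network.
	clientSecret, err := client.ECDH(server.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := server.ECDH(client.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	ck, sk := sha256.Sum256(clientSecret), sha256.Sum256(serverSecret)
	return ck[:], sk[:], nil
}

// seal encrypts plaintext under key with AES-256-GCM. A random nonce is
// prepended so the receiver can decrypt; the GCM tag lets it detect tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails if the key is wrong or any byte was altered.
func unseal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	customerKey, bankKey, err := agreeSessionKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("Your bank account balance is $434.56") // the article's sample sentence
	wire, err := seal(bankKey, msg)                        // the bank encrypts with its copy of the key
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", base64.StdEncoding.EncodeToString(wire))
	got, err := unseal(customerKey, wire) // the customer decrypts with the matching copy
	fmt.Println("decrypted:  ", string(got), err)
	wire[len(wire)-1] ^= 0x01 // someone in the middle flips one bit in transit
	_, err = unseal(customerKey, wire)
	fmt.Println("after tampering:", err)
}
```

Run it a few times and the "on the wire" line changes every time, because a fresh nonce and a fresh session key are used for each run, while the decrypted text stays the same; the last line shows the tampered message being refused rather than silently decrypting to garbage.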
How do you know this security is in place? Remember the lock I mentioned? Older browsers show it at the bottom of the window; newer ones show it next to the Web address. This lock indicates that the communication between your browser and the site is encrypted and that the site presented a valid certificate for the domain shown in the address bar.
Certificates do expire, and the registering company (in this case BofA) needs to renew its certificate. If the company misses its renewal date, you'll see a warning that says "The certificate for this Web site is expired."
You might also see a warning that the certificate doesn't match the Web site you have visited, or that it was signed by an authority your browser doesn't trust. Take note of these messages, and inform the Web sites. The information you send might not be going to the company to which you think it's going, so don't click past the warning and type in a password. When in doubt, remember what the lock does and does not tell you: it means your exchange with the domain shown in the address bar is encrypted and that domain presented a valid certificate. It does not vouch for the company behind that domain, so check that the address is the one you expect before you trust the lock.
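To make the three certificate checks and the warnings above concrete, here is an added example in Go; it is not the column's own code, nor anything from BofA or VeriSign. It builds a toy certificate authority and trust store in memory, issues a certificate for www.bankofamerica.com, and then runs the checks a browser runs for four visits: the genuine site, the wrong host name, a certificate whose renewal was missed, and a certificate for the right name signed by an authority the browser does not trust. The CA names, dates and serial numbers are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name. When parent is nil the certificate is
// self-signed (that is how the toy CAs below are made); otherwise it is signed
// with parentKey, the CA's private key.
func issue(serial int64, name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the domain the certificate is tied to
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verdict performs the checks a browser makes before showing the lock: the
// certificate must be within its validity period at time now, name the host
// being visited, and chain to a CA in the trust store.
func verdict(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var nameErr x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &nameErr):
		return "name mismatch"
	case errors.As(err, &unknown):
		return "untrusted issuer"
	default:
		return "invalid: " + err.Error()
	}
}

// scenarios builds a toy trust store and returns the verdict for four visits.
func scenarios() (map[string]string, error) {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // fixed clock so the result is repeatable
	year := 365 * 24 * time.Hour

	ca, caKey, err := issue(1, "Toy Root CA", true, now.Add(-year), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // stands in for the browser's built-in list of trusted CAs
	roots.AddCert(ca)

	site, _, err := issue(2, "www.bankofamerica.com", false, now.Add(-30*24*time.Hour), now.Add(year), ca, caKey)
	if err != nil {
		return nil, err
	}
	lapsed, _, err := issue(3, "www.bankofamerica.com", false, now.Add(-2*year), now.Add(-year), ca, caKey)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue(4, "Rogue CA", true, now.Add(-year), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	lookalike, _, err := issue(5, "www.bankofamerica.com", false, now.Add(-year), now.Add(year), rogue, rogueKey)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"genuine site":    verdict(site, roots, "www.bankofamerica.com", now),
		"wrong host name": verdict(site, roots, "login.bankofamerica.com", now),
		"renewal missed":  verdict(lapsed, roots, "www.bankofamerica.com", now),
		"unknown signer":  verdict(lookalike, roots, "www.bankofamerica.com", now),
	}, nil
}

func main() {
	results, err := scenarios()
	if err != nil {
		panic(err)
	}
	for visit, outcome := range results {
		fmt.Printf("%-16s -> %s\n", visit, outcome)
	}
}
```

The "unknown signer" case is the important one: the certificate names the right domain and is within its dates, yet the browser still refuses it, because the signer is not in its trust store. That is the check that stops an imposter from simply printing a certificate for someone else's domain.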
Joel Rydbeck, Chief Executive Officer of Nubrek Inc., brings his strong background in e-commerce and business process automation to the merchant services industry. Nubrek offers eISO, a software application that tracks clients and provides automated commission and residual calculations. For more information visit Rydbeck's blog: www.merchanttechnology.org, e-mail him at joel@nubrek.com or call 877-390-1887.