Monday, February 8, 2010

Protect Your Customers (and Your Company) with an SSL Certificate

by Amy Armitage

For most people, online security is a matter of remembering a few passwords and scanning for viruses. Most connections from a home computer to a Web server have no protection whatsoever, but there is one facet of the online experience that has always been security-conscious, and that's shopping ("e-commerce," if you prefer). E-commerce sites have an incentive to protect themselves, as well as their customers, so if you want to know about online security, they're a great place to start.

Today's e-commerce sites have, pretty much en masse, adopted Secure Sockets Layer (SSL) to protect both their customers' credit card data and their own information. You can typically see when SSL is being used, as the URL will have an "s" added to the "http," yielding "https" before the "www" and/or the site's domain name. Most new browsers will also display a small lock icon somewhere in the active window, while some highlight the whole URL entry field (one in bright green) to indicate that an SSL connection is being made.

The SSL Certificate

On the technology side, SSL is a way to create and maintain an encrypted connection between computers and Web servers. All the data going both directions across an SSL connection is encrypted, making it safe against casual (or amateur) sleuthing or snooping. Before such a connection can be made between a browser-equipped PC and a Web server, an SSL Certificate is necessary as it carries the information, in the form of "keys," to enable the special communication.

After obtaining and installing your SSL Certificate, you will be provided with two numbers, known as "keys." The first is the "private key" known only by your Web server, and the second is the "public key" that, theoretically at least, everyone can get. Computers that connect to your Web site (via your server, naturally) can send you messages that your public key encrypts, and your server decrypts them with the private one. The entire process is transparent to the users, as the Web server and the remote browser handle all the details automatically.

Both keys are needed, at the right points in the connection process, to ensure a secure, SSL-encrypted connection. Your public key is placed in a file called a "Certificate Signing Request," a simple data file with Web server information and the public key. The CSR is freely available to everyone, enabling worldwide connections to your site with SSL protection.
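The key pair and Certificate Signing Request described above, as an added example that is not part of the original article: it generates a private key with the openssl command-line tool, builds a CSR from it, and checks that the CSR holds the matching public key, a valid self-signature and no private key material. The host name shop.example.test, the organisation name and the file names are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Host name, organisation and file
# names are constructed; nothing here is sent to a Certificate Authority.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server.key"     # private key: never leaves the Web server
CSR="$WORK/server.csr"     # request file handed to the Certificate Authority
OTHER="$WORK/other.key"    # unrelated key, used for the mismatch check

# Generate an RSA private key that only its owner can read.
new_key() { ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ); }

# Build a CSR: subject name plus public key, signed with the private key.
new_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/CN=shop.example.test/O=Example Shop"
}

# SHA-256 over the DER-encoded public key read as PEM from stdin.
spki_sha256() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
csr_fingerprint() { openssl req -in "$1" -noout -pubkey | spki_sha256; }
key_fingerprint() { openssl pkey -in "$1" -pubout | spki_sha256; }

# True when the CSR carries the public half of the given private key.
csr_matches_key() { [ "$(csr_fingerprint "$1")" = "$(key_fingerprint "$2")" ]; }

# True when the CSR's self-signature verifies (proof of key possession).
# The output is matched rather than trusting the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if any private key material ended up in the given file.
has_private_key() { grep -q "PRIVATE KEY" "$1"; }

new_key "$KEY"; new_key "$OTHER"; new_csr "$KEY" "$CSR"

openssl req -in "$CSR" -noout -subject
csr_signature_ok "$CSR"           && echo "CSR signature: OK"
csr_matches_key "$CSR" "$KEY"     && echo "CSR matches server.key"
csr_matches_key "$CSR" "$OTHER"   || echo "CSR does not match other.key"
has_private_key "$CSR"            || echo "no private key material in CSR"
```

The same fingerprint comparison is a quick way to confirm that a key file on the server belongs to a given request before anything is installed.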

Consider it "value added"

Even if you don't sell items on the Web, you may be obtaining customer information for other reasons, information that is sensitive and deserves protection. Of course, if you are doing sales, you have credit card numbers and bank routing information. Either way, you need an SSL Certificate. Even users who are not quite savvy enough to know what SSL stands for are learning what that extra "s" in the address field means, and know that the little lock icon means extra protection.

There is other information that is valuable to your firm, too, so if you provide network access or applications to your customers - thereby opening yourself up to snooping and such - you also need an SSL Certificate. What goes on between you and your customers, not to mention what is going on with your research and development, is nobody else's business, particularly not that of your business competitors. If your firm has multiple locations, or employees who sign on to your system remotely, VPN (Virtual Private Network) software can protect you, but an SSL Certificate is often easier and less costly.

Putting it together

SSL Certificates are handled as a part of the WWW infrastructure by "Certificate Authorities" that issue SSL Certificates to companies and organizations (actually, individuals can apply for them, too). When applying for one, you give domain name information, and for some levels of SSL Certificates you also give company information. The Certificate will have an expiration date and identifying information about the issuing Certificate Authority, which could even be your Internet Service Provider (ISP), as some ISPs act as Certificate Authorities - but it doesn't much matter, as an SSL Certificate can be issued to any domain, wherever it's hosted.

The simplest, most basic SSL Certificate is one that you can obtain with confirmation of only your domain name, and you can usually get this kind in a matter of minutes. The next level up requires company information, and sometimes information on company principals. Costs for SSL Certificates depend on a number of factors, such as the Certificate Authority, the type you want and whether you get it as part of a package deal. There are many ISPs and domain registrars providing all types of SSL Certificates, and customers connecting to your Web server won't know which type you have, although the data in your CSR will differ accordingly.

Besides the obvious reasons of safety and security, having an SSL Certificate makes an important statement to your customers. It means you take their business and their privacy seriously, that you care enough to go the extra mile and secure your site, your business - and your customers' business, too.

