How do we keep our communication private?
I have a secret to tell. Lean in so I can whisper in your ear so no one else can hear …
We all have “secrets” that we communicate over the internet all the time. Credit card numbers, passwords, social security numbers, and chat sessions are all examples. In today’s world, for the most part, our secret communications are secure if you’re taking the right precautions. This wasn’t always the case. Now let’s go back. Way back in internet time, to 1994.
Internet communication in 1994 was the equivalent of whispering a secret in someone’s ear only to realize that the whole room could overhear your conversation. Obviously this wasn’t ideal. Leading minds of the time knew this had to be fixed to facilitate the growth of the internet.
Netscape Communications dominated the internet world in 1994. Do you remember them? Their iconic, innovative web browser controlled the market with an 80% plus share.
Netscape had a problem. Hackers could far too easily “listen” to communications via their browsers and over the internet. This issue was eroding the confidence of web surfers, who were loath to transact any type of commerce over the internet.
How could the hackers listen in? Well, let’s do a quick high-level review of how messages are sent over the internet.
Networks at the time were all connected together with wires. Every computer connected to a network’s wire has the ability to “hear” all communications on the wire. In the computer world, messages are packaged and addressed for individual computers, but the address does not deter hackers from intercepting and reading the messages. In 1994’s world, an employee with little technology background could easily download software that would allow them to see what their co-workers were surfing on the web. Scary!
Networks, including the internet, are linked together through special computers called routers. Think of routers like the post office. A router’s responsibility is to listen to the networks it is attached to and send (or “route”) messages to the appropriate address or network location.
A message might be passed through several routers, or “post offices”, before it arrives at its final destination. Every computer in each of the “post offices” the message passes through has the ability to listen to the message.
Netscape recognized the importance of having private conversations on the Internet. They knew electronic commerce (or “ecommerce”) wasn’t possible if credit card numbers were not secure and would be exposed to eavesdropping technology nerds with potentially fraudulent intentions. Nobody would buy anything over the internet if it entailed doing the equivalent of shouting their credit card number in a crowded room of strangers.
Super Secret Decoder Rings
I love the classic movie “A Christmas Story”. Remember when 10-year-old Ralph finally receives his “secret decoder pin” in the mail? The chocolate milk company decoder pin was a small round ring with numbers and letters printed on one side. Part of the ring could be rotated so that a series of numbers corresponded to different letters of the alphabet. The ring’s purpose was to give Ralph the ability to decode secret messages announced over the radio after one of his favorite shows. People listening to the show who did not have a decoder pin had no way of knowing what the series of numbers meant. To them, the message had no meaning at all, and until they got their own decoder pin, they would never know the meaning of those secret messages.
Netscape needed to invent the internet version of a “secret decoder ring”. Even more complicated, the new “ring” encryption needed to be at the individual level. Messages sent through the internet needed to be encrypted so that only the intended final recipient of the message would be able to read it.
Netscape succeeded. They called their new personalized “secret decoder ring” … yep you guessed it … Secure Sockets Layer or SSL for short.
How does SSL work? Imagine everyone has two rings. The rings are a pair. One ring is a decoder ring, and the other is an encoder ring. Everything the encoder ring encrypts, the decoder ring knows how to unscramble so it can be read.
However, the decoder ring must be kept private. Nobody should have access to this private decoder ring. If it’s given to anyone but the owner, security is compromised.
Public encoder rings cannot decode what they have encoded, so the encoder ring can be given to anybody. The person who has the private decoder ring is the only one who can understand the messages sent.
In this analogy we have been calling these things that encode and decode messages “rings”. In the Internet world “rings” are actually called “keys”. Keys also come in pairs. One key, the decoder, is a “private key”, and the encoder key is a “public key”.
Computer hardware needs computer software to tell it what to do. One way computers communicate on the internet is by using software called web browsers. Internet Explorer, Apple’s Safari, and Firefox are all examples of web browsers. However, a web browser on one computer doesn’t directly communicate with a web browser on another computer. A web server sits in the middle.
Web servers and browsers know how to use keys to encrypt and decrypt messages. When they begin a private conversation, they do what is called an SSL handshake. During this figurative handshake, each application gives the other its public key, or encoder pin. Now the web browser knows how to encode messages so that only the web server can understand, and vice versa. Using the previous room example, a person is now able to speak freely in a crowded room, but only the person they are talking to understands what they are saying. The communication is sent into the public area where everyone can hear it, but the message sounds completely foreign to everyone except the person who can decode it.
Wow those Netscape engineers were smart!
But don’t pat those Netscape guys on the back just yet. There’s a piece of the puzzle missing, which Netscape soon realized. Can you guess what it is? I’ll give you a hint: at this point we have Secure Sockets Layer or SSL, but we don’t have SSL Certificates quite yet.
So what happens when the person who has your decoder ring can’t be trusted? That’s right, fraud can still occur.
Netscape soon recognized that many of the people participating in internet transactions could not be trusted, and that some sort of trust broker had to be built into the process. In other words, the people participating in the transaction had to either trust one another or rely on a separate 3rd party that both individuals trusted.
Let’s return to our room analogy for a moment. Imagine there is one person in the room we are talking in that we know is a trusted person. We have seen him, we have met him, and many people agree this person can be trusted. Now imagine this person has a sticker he can place on encoder rings. This person is willing to place his sticker on public encoder rings only after he knows who owns the encoder ring.
In this scenario, if people exchange public encoder rings with a mutually trusted 3rd party stamp, a level of trust is established. Both individuals recognize that a trusted third party has vouched for the other person.
In the Internet world, there are multiple trusted 3rd party “stampers”. They’re called “Certificate Authorities”, or “CAs” for short. You might not know who they are, but the company who created your web browser (Microsoft, Google, AOL, Apple, etc.) has identified these trusted CAs in your web browser. Instead of placing a physical sticker on an encoder ring, these companies wrap their key around your public key in a process called “digitally signing” the key, or a “digital signature”. The result is called an “SSL certificate”, or “SSL cert” for short. Some people even call them “digital certificates”.
Your web browser knows if a web site’s public key has been signed by one of these certificate authorities. If not, the web browser warns the user that the site being viewed has not been verified by a trusted source.
What’s the difference between the signatures of the different CA companies? One word: trust. When you purchase a signed key, you are purchasing something called a certificate. In reality, the certificate is something many companies could generate. However, a CA company has built up a brand name. They’ve earned the trust of the internet world over the course of time. Accordingly, a web browser won’t flash that dreaded warning when your site has an SSL certificate from one of the trusted CAs.
The percentage of browsers that recognize a CA’s certificate is called “browser recognition”. Most CAs have browser recognition of 99% or greater. However, if you buy a no-name certificate, you may not get that needed trusted key in all browsers that visit your site. You may not be covered, and subsequently trusted, by all your site visitors.
There are also different types of digital certificates. Read the blog post “What is an SSL Certificate?” to find out more, and “What SSL Certificate is best for your website?” to help figure out which digital cert to buy.
Hopefully this history lesson was helpful, and not as painful as sitting through a history class back in high school. Good luck!
Here’s an easy analogy to remember what a Secure Sockets Layer (SSL) certificate is – think of a passport. An SSL certificate is the internet version of a passport for your website. You use your passport when you travel to a foreign country to authenticate your identity. Your website uses an SSL certificate to authenticate itself to visitors and their browsers (via a certificate authority site seal, an https URL, the web browser padlock, or a green browser window - see the picture sample below).
An SSL cert will also encrypt information that is shared between your site and your visitor. The information may be credit card numbers to facilitate a purchase. Or, it could be account information like passwords or personal information.
SSL certificates also go by the name of digital certificates. Some people call them “SSL certs” or “digital certs” for short.
Why do I need an SSL Certificate?
It seems like every day we hear about another new way thieves steal your identity or perform other types of internet fraud. Visitors to your site are wary of interacting with a site they do not trust. They don't want to fall victim to identity theft or a phishing scheme. The appropriate SSL certificate will help your website gain your visitors’ trust. Your customers will be more confident in your website and will be more willing to complete a purchase or share sensitive information. Hence, an SSL certificate will help raise your conversion rate and make your website more effective.
Gartner Research has done a study that said that almost 70 percent of ecommerce shoppers have abandoned an order because they did not "trust" the transaction. Of the shoppers that abandoned their order, 64 percent said that the presence of an SSL Certificate on the website would most likely have prevented the abandoned shopping cart.
How does an SSL Certificate let my visitors know that my site is secure?
Once you have an SSL Certificate installed on the server that houses your website, your site will display three instantly recognizable symbols that let customers know your site is secure:
If you want your visitor's browser bar to turn green, you need to get a type of SSL Certificate called an Extended Validation certificate. This is the highest validation SSL Certificate level.
To figure out what type of SSL certificate is right for your website, read this blog.
What SSL Certificate is best for my website?
Before we dive into figuring out which website SSL certificate is best, let’s first confirm that you do indeed need a digital certificate. VeriSign, one of the premier certificate authorities, suggests that you get an SSL cert if:
• You have an online store or accept online orders and credit cards.
Which Certificate is right for me?
While each Certificate Authority (CA) uses different product names, there are 4 main types of SSL certificates. Read the short descriptions to help decide which SSL certificate is best for your website.
Extended Validation SSL Certificate
• Verifies that your organization is legally registered and active.
Now that you know what SSL Certificate is best for your website, click to the page corresponding to the type of cert you need to find a Certificate Authority to buy your SSL Certificate from: Domain verification SSL Certs; Standard SSL Certs; Wildcard Certificate; and Extended Validation SSL.
SSL Certificate Terms: Glossary & Explanations
3-D Secure: an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. 3-D Secure adds another authentication step for online payments.
Application Protocol: an application protocol is a protocol that normally layers directly on top of the transport layer (e.g., TCP/IP). Examples include HTTP, TELNET, FTP, and SMTP.
Authentication: authentication is the ability of one entity to determine the identity of another entity.
Block Cipher: a block cipher is an algorithm that operates on plain text in groups of bits, called blocks. 64 bits is a typical block size.
Browser Recognition: the percentage of browsers that recognize a CA’s certificate.
Bulk Cipher: a symmetric encryption algorithm used to encrypt large quantities of data.
Certificate Authority (CA): a CA creates an SSL certificate. The CA wraps its key around your public key in a process called “digitally signing” the key, or a “digital signature”. GoDaddy is a Certificate Authority.
Certificate Authority Site Seal: the logo or banner that you install on your website from SSL certificate authority. It's one of the ways a visitor will recognize that your website has an SSL certificate. Read more about why CA site seals are important in this Network Solutions SSL Review.
Certification Practice Statement: CPS is a document published by the CA which outlines the practices and policies used by the organization in issuing, managing and revoking digital certificates.
Certificate Revocation List (CRL): a CRL is a digitally signed data file containing details of each digital certificate that has been revoked. It can be downloaded and installed into the browser that the user will use, ensuring that the browser will not trust a revoked digital certificate.
Chain Certificate: a chained certificate is one where the signer was not a Root CA. In other words, the certificate the CA used to sign a request was itself signed by another CA. In this instance, a “chain” of signing certificates is required to verify trust. For example, let’s say you have a server certificate request and you give the request to Company A. Company A is not a Root CA, but they have a signing certificate signed by Company B. Company A signs your certificate. When a web browser attempts to verify the trust of your certificate, it must verify the trust of Company B and Company A. If Company B ever decides that Company A is a no-good company that does not deserve to have a signing certificate, it can revoke that certificate, rendering Company A’s signing certificate untrusted along with every certificate it signed (including yours).
Cipher Block Chaining (CBC): CBC is a mode in which every plaintext block encrypted with the block cipher is first exclusive-OR'ed with the previous ciphertext block (or, in the case of the first block, with the initialization vector).
Cipher Strength: indicates how strong the encryption of a certificate is. The larger the cipher strength, the more difficult it is for hackers to decrypt the communication. Most certificates have 128-bit cipher strength. It is important to note here that a higher cipher strength means the data is more secure, but the process of encrypting and decrypting messages between two trusted parties requires computer processing power. The larger cipher strengths require much more processing power. If a 256-bit cipher strength were used on a web server that was very busy, the act of decrypting and encrypting communication might slow the server down enough to be unusable. Generally, 128-bit is considered a good balance between security and speed.
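The CA “stamp” described in the history article and the chain-walking in the Chain Certificate entry above, as an added example that is not code from this page or from any CA: textbook RSA with tiny primes stands in for a real signature scheme, and the names Company A, Company B and www.example.com are constructed. It walks from the site certificate through Company A to Company B's root the way a browser would, and fails when the intermediate is missing, the certificate is forged, or Company B has revoked Company A.

```python
import hashlib
from math import gcd

E = 65537  # public exponent shared by every toy key

def _next_prime(n):
    # Trial division: fine for the ~20-bit toy primes used here.
    while True:
        n += 1
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n

def keygen(seed):
    """Textbook RSA with tiny, deterministically chosen primes (a toy, never for real use)."""
    p = _next_prime(1_000_000 + 7919 * seed)
    q = _next_prime(p + 1000)
    while gcd(E, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public key, private key)

def _digest(data):
    # SHA-256 truncated to 32 bits so the value is below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

def tbs(subject, public_key, issuer):
    # "To be signed" bytes: exactly what the issuer's signature covers.
    n, e = public_key
    return f"{subject}|{n}|{e}|{issuer}".encode()

def issue(subject, public_key, issuer_name, issuer_private):
    """The issuer wraps its signature around the subject's public key: a certificate."""
    return {"subject": subject, "pubkey": public_key, "issuer": issuer_name,
            "sig": sign(issuer_private, tbs(subject, public_key, issuer_name))}

def verify_chain(leaf, intermediates, roots, revoked=frozenset()):
    """Walk issuer links from the leaf up to a trusted root, checking every signature.
    Returns False on a bad signature, an unknown issuer, or any revoked link."""
    by_name = {c["subject"]: c for c in intermediates + roots}
    root_names = {c["subject"] for c in roots}
    cert, seen = leaf, set()
    while True:
        if cert["subject"] in revoked or cert["subject"] in seen:
            return False
        seen.add(cert["subject"])
        issuer = by_name.get(cert["issuer"])
        if issuer is None or not verify(
                issuer["pubkey"], tbs(cert["subject"], cert["pubkey"], cert["issuer"]), cert["sig"]):
            return False
        if issuer["subject"] in root_names and issuer["subject"] not in revoked:
            return True  # reached a root the browser already trusts
        cert = issuer

# Constructed chain: Company B (root) signs Company A (intermediate), which signs the site.
root_pub, root_priv = keygen(1)
inter_pub, inter_priv = keygen(2)
leaf_pub, _leaf_priv = keygen(3)
ROOT = issue("Company B Root CA", root_pub, "Company B Root CA", root_priv)
INTER = issue("Company A Issuing CA", inter_pub, "Company B Root CA", root_priv)
LEAF = issue("www.example.com", leaf_pub, "Company A Issuing CA", inter_priv)
TRUSTED_ROOTS = [ROOT]  # the CAs "identified in your web browser"

if __name__ == "__main__":
    print("full chain:", verify_chain(LEAF, [INTER], TRUSTED_ROOTS))
    print("intermediate missing:", verify_chain(LEAF, [], TRUSTED_ROOTS))
    print("Company A revoked by B:", verify_chain(LEAF, [INTER], TRUSTED_ROOTS, {"Company A Issuing CA"}))
```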
Certificate: as part of the X.509 protocol (a.k.a. ISO Authentication framework), certificates are assigned by a trusted Certificate Authority and provide verification of a party's identity and may also supply its public key.
Certificate Signing Request (CSR): is generated with your Web server software, and contains both the public key portion of your Web server's key pair and the Distinguished Name (DN) of your Web server. Follow the instructions provided in your Web server's documentation to generate a CSR.
Client: the application entity that initiates a connection to a server.
Client Write Key: the key used to encrypt data written by the client.
Client Write MAC Secret: the secret data used to authenticate data written by the client.
Connection: is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer to peer relationships. The connections are transient. Every connection is associated with one session.
Data Encryption Standard (DES): is a very widely used symmetric encryption algorithm. DES is a block cipher.
Digital Signature Standard (DSS): a standard for digital signing, including the Digital Signing Algorithm, approved by the National Institute of Standards and Technology, defined in NIST FIPS PUB 186, "Digital Signature Standard," published May, 1994 by the U.S. Dept. of Commerce.
Digital Signatures: digital signatures utilize public key cryptography and one-way hash functions to produce a signature of the data that can be authenticated, and is difficult to forge or repudiate.
Domain SSL Certificate: a digital SSL cert where the ownership of the domain is verified. This is the lowest level of SSL certification. Register.com has the best deal on domain SSL certs.
Extended Validation SSL Certificate (EV): this certificate offers a very high level of security. It requires identity assurance, and explicitly states that your identity as a reputable and viable business has been independently verified. This is the “turn your browser bar green” SSL. An Extended Validation (EV) certificate is the highest level of validation. Get an EV Digital SSL cert if you’re a high traffic ecommerce site, or if you require the highest level of validation for competitive purposes. Get the best extended validation SSL certificate price here.
Free SSL Certificate Trial: some SSL cert companies will offer a free 30 day trial. See an example of a free SSL certificate trial.
Handshake: an initial negotiation between client and server that establishes the parameters of their transactions.
Initialization Vector (IV): when a block cipher is used in CBC mode, the initialization vector is exclusive-OR’ed with the first plaintext block prior to encryption.
Message Authentication Code (MAC): is a one-way hash computed from a message and some secret data. Its purpose is to detect if the message has been altered.
Master Secret: secure secret data used for generating encryption keys, MAC secrets, and IVs.
MD5: is a secure hashing function that converts an arbitrarily long data stream into a digest of fixed size.
One-way hash function: a one-way transformation that converts an arbitrary amount of data into a fixed-length hash. It is computationally hard to reverse the transformation or to find collisions. MD5 and SHA are examples of one-way hash functions.
Payment Gateway: enables internet merchants to accept online payments via credit card and e-check.
PCI Compliant: online businesses should follow strict security regulations on how to process credit and debit cards, install web application firewalls, and have the latest software to stop viruses, Trojans, worms, and hackers. Once a business becomes PCI compliant they are verified as meeting a strict code of security protection.
PKI certificate: which stands for Public Key Infrastructure certificate, allows someone to combine their digital signature with a public key and something that identifies them, an example being their real life name. This certificate is used to allow computer users to show that they do own the public keys they claim to.
Private SSL: an SSL certificate that you purchase just for your website's use is a private SSL. Your secure URL will look something like https://secure.yourdomain.com.
Public key cryptography: a class of cryptographic techniques employing two-key ciphers. Messages encrypted with the public key can only be decrypted with the associated private key. Conversely, messages signed with the private key can be verified with the public key.
Public Key Infrastructure: PKI combines a digital signature with a public key to identify someone. It is simply a certificate that allows computer users to show that they do own the public keys they claim to. A digital signature is needed for the PKI certificate before this is issued for any particular person or company. The signature can be made by an authority figure who assigns the certificate and the person whose identity is being confirmed. PKI certificates are used to authenticate cryptographic public keys. This certificate allows other people to verify that they are indeed communicating with the right person who is using the right public key.
SSL Reseller: a company that is not a certificate authority, but still sells SSL certificates, is called an SSL reseller. Dotster is an example. Dotster sells GeoTrust and Verisign SSL certs.
RC2, RC4: proprietary bulk ciphers from RSA Data Security, Inc. (There is no good reference to these as they are unpublished works; however, see [RSADSI]). RC2 is a block cipher and RC4 is a stream cipher.
RSA: a very widely used public-key algorithm that can be used for either encryption or digital signing.
Salt: non-secret random data used to make export encryption keys resist precomputation attacks.
Server: is the application entity that responds to requests for connections from clients. The server is passive, waiting for requests from clients.
Server Gated Cryptography (SGC): provides additional bits beyond the standard 40-bit encryption. More bits mean a longer key is used, which makes it harder for a third party to break the encryption.
Session: a SSL session is an association between a client and a server. Sessions are created by the handshake protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
Session Identifier: is a value generated by a server that identifies a particular session.
Server Write Key: the key used to encrypt data written by the server.
Server Write MAC Secret: the secret data used to authenticate data written by the server.
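An added example, not code from this page, that ties together the glossary's Cipher Block Chaining, Initialization Vector, Message Authentication Code, Master Secret and client/server write key and MAC secret entries: a toy Feistel block cipher and a simplified HMAC key expansion stand in for SSL's real algorithms, and the master secret and client/server randoms are constructed values. It derives the per-direction keys from the master secret, then protects a record the way SSL's record layer does (MAC over the sequence number and data, then CBC encryption) and rejects altered, replayed or wrong-direction records.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, the glossary's "typical block size"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function: keyed hash of the round number and one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, block):
    """Toy 4-round Feistel block cipher (illustration only, not a real cipher)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    # Pad to whole blocks (PKCS#7 style); each block is XORed with the previous
    # ciphertext block (the IV for the first block) before it is encrypted.
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    # A wrong IV garbles only the first block; every later block chains off ciphertext.
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    n = out[-1] if out else 0
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return out[:-n]

def derive_keys(master_secret, client_random, server_random):
    """Expand the master secret into per-direction write keys, MAC secrets and IVs.
    Simplified HMAC expansion, not SSL's real key-block derivation."""
    keys = {}
    for label in ("client write key", "server write key", "client write MAC secret",
                  "server write MAC secret", "client write IV", "server write IV"):
        block = hmac.new(master_secret, label.encode() + client_random + server_random,
                         hashlib.sha256).digest()
        keys[label] = block[:BLOCK] if label.endswith("IV") else block[:16]
    return keys

def protect_record(write_key, mac_secret, iv, seq, data):
    """MAC-then-encrypt, SSL's order: the MAC covers the sequence number and the data."""
    mac = hmac.new(mac_secret, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    return cbc_encrypt(write_key, iv, data + mac)

def unprotect_record(write_key, mac_secret, iv, seq, record):
    """Return the data, or None if padding or the MAC fails (tampering, replay, reorder)."""
    try:
        plain = cbc_decrypt(write_key, iv, record)
    except ValueError:
        return None
    data, mac = plain[:-32], plain[-32:]
    expected = hmac.new(mac_secret, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    return data if hmac.compare_digest(mac, expected) else None

# Constructed sample values; in real SSL these come out of the handshake.
MASTER_SECRET = hashlib.sha256(b"constructed master secret").digest()
KEYS = derive_keys(MASTER_SECRET, b"client-random-bytes", b"server-random-bytes")
```

The client protects with its own write key, MAC secret and IV; the server checks with the same client-side values, and the server-to-client direction uses its own set.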
SGC SSL Certificate: there is an added layer of security – on top of what is provided in the standard SSL certificate – when you go with an SGC certificate. You end up with 128 or 256 bit encryption, rather than the standard 40 bit encryption. Having more bits means that there is a longer key, and therefore it's more difficult for third parties to break through.
SHA: the Secure Hash Algorithm (SHA) is defined in FIPS PUB 180-1. It produces a 20-byte output [SHA].
SHA-1: a cryptographic hash function designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses.
Shared SSL: shared SSL means using, or sharing, your web hosting company's SSL certificate. Your secure URL with shared SSL uses your host's domain (e.g., https://secure.yourhost.com/~yourbusinessname).
SSL Acceleration: is a method of offloading the processor-intensive public key encryption algorithms involved in SSL transactions to a hardware accelerator. Typically, this is a separate card that plugs into a PCI slot in a computer that contains one or more co-processors able to handle much of the SSL processing.
SSL Proxy: if you want to anonymously browse and unblock sites such as Facebook, Spotify, Twitter, YouTube, Bebo, MySpace, eBay, and other sites while you're at work or at another location that blocks websites, you can use an SSL proxy server. An SSL web proxy uses data encryption to help ensure that the data you transmit and receive through the proxy is private and secure.
SSL VPN (Secure Sockets Layer virtual private network): a form of VPN that can be used with a standard web browser. In contrast to a traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It's used to give remote users access to web applications, client/server applications and internal network connections.
Standard SSL Certificate: this certificate is fairly limited, providing protection to only one domain name. If you have more than one domain, or a sub-domain, this certificate is not going to cut it, since you would have to obtain an SSL certificate for each. However, this is very commonly used, and just about all of the browsers recognize the standard SSL certificate. Get the best price on a standard SSL Certificate here.
Stream Cipher: an encryption algorithm that converts a key into a cryptographically-strong key stream, which is then exclusive-OR’ed with the plaintext.
Stunnel: a GNU program that wraps arbitrary TCP connections inside Secure Sockets Layer (SSL).
Transport Layer Security (TLS): in common use, a method of combining the advantages of public-key cryptography, external third-party (out-of-band) validation, and per-session encryption.
Unlimited Server License: means that one SSL certificate can be used on multiple servers. GoDaddy's SSL Certs come with an unlimited server license.