Explainer: SSL

"To boldly go where no man has gone before" may have been a good mantra for the space program, but it's an unwise tack for your online business. When your customers visit your website, they want to know that security has been there before them. There is a way for you to provide them with that security: It's called SSL.

What is SSL? SSL stands for secure sockets layer. Trust us, you only really want to concentrate on the word "secure" here. "Sockets" and "layers" are far too technical. SSL is a protocol that enables encrypted -- and therefore secure -- communication to pass between a server (the website you're dealing with) and a client (your browser, i.e., you). This capability addresses fundamental concerns about communication over the Internet and other TCP/IP networks.

How does it work? The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication over the Internet. What that means is this: in the nanoblink of an eye, an SSL-enabled server authenticates itself to an SSL-enabled client, and the client can optionally authenticate itself to the server, allowing both machines to establish an encrypted connection.

Here it is in action: When you buy a book from Amazon.com, SSL provides the secure connection between your browser and Amazon so you can rest easy when you type in your MasterCard number.

What level of protection can I expect? SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code.

However, remember that SSL merely encrypts data in transit. Once the computer on the other end receives the information you send, that information can be decrypted, stored in a database and passed along to other users. As in: It's 10 P.M. Do you know where your credit card information is being stored?

How do I know if a site I'm transacting with is secure? Let's say you want to buy a Darwin Executive Survival Guide. If you click on that link, and scroll to the bottom of the page, you'll see a gold "certificate" from the third-party certification provider VeriSign. Click on that certificate, and you'll get the familiar pop-up box titled "Security Alert," which tells you that "You are about to view pages over a secure connection."

If, like most of us, you're too quick to click the "Yes" box on that pop-up, you can always double-check to see if the page you're on is SSL enabled. Go to the URL. Instead of the usual http:, on an SSL-enabled page you will see https: in the header.

Most sites you buy from, including Amazon.com, will tell you if they are certified. If they aren't, a warning message will pop up alerting you that you are about to enter a site that has not been certified. It's worth noting that online sites can be their own certifying authority. They can purchase certification software from Entrust or another vendor.

If companies are providing their own certificate, this means that no one is checking that they are safe. In effect, you're taking their word for it. Sound a little dicey? That's because it is. You might be better off conducting business with a site that has gotten its certificate from an external provider, a third party that has verified the authenticity of the certification. At present, VeriSign is the biggest name in online trust services. However, keep an eye out for GeoTrust, which has snatched 10 percent of the market.
