Sunday, August 05, 2007

ECommerce Security: SSL

Secure Sockets Layer (SSL) is the Internet security protocol for point-to-point connections.

It provides protection against eavesdropping, tampering, and forgery. Clients and servers are able to authenticate each other and to establish a secure link, or “pipe,” across the Internet or Intranets to protect the information transmitted.

SSL is all about encryption. SSL encrypts data such as credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and, in the case of Mozilla Firefox, in the address bar as well).

Infrastructure for SSL:

a) On the client side the Internet browser should support SSL. Newer versions (Internet Explorer 5.5 and above, or Netscape 4.72 and above) can do 128-bit encryption without SGC (Server Gated Cryptography); older versions above 3.2 can do 128-bit encryption only with SGC, and even older ones can only do 40/56-bit encryption.

b) On the server side there should be a valid SSL certificate.

An SSL certificate is a digital document, issued in most cases by a certified vendor, that contains the public key of the individual together with the individual's identification details (phone, email, address, name, etc.).

The SSL certificate helps to prove the site belongs to who it says it belongs to and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root and the country it was issued in.
The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Encryption techniques using public and private keys require a public-key infrastructure (PKI) to support the distribution and identification of public keys. Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid.


How a Certificate Is Issued

1. Key Generation:
The individual requesting certification (the applicant, not the CA) generates a key pair: a public key and a matching private key.
2. Matching of Policy Information:
The applicant packages the additional information necessary for the CA to issue the certificate (such as proof of identity, tax ID number, e-mail address, and so on). The precise definition of this information is up to the CA.
3. Sending of Public Keys and Information:
The applicant sends the public key and the accompanying information (often encrypted using the CA's public key) to the CA; the private key never leaves the applicant.
4. Verification of Information:
The CA applies whatever policy rules it requires in order to verify that the applicant should receive a certificate.
5. Certificate Creation:
The CA creates a digital document with the appropriate information (public keys, expiration date, and other data) and signs it using the CA's private key.
6. Sending/Posting of Certificate:
The CA may send the certificate to the applicant, or post it publicly as appropriate.
7. The certificate is loaded onto an individual's computer.
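The issuance steps above run end to end with the openssl command line, as an added example that is not from the original post: the "Example CA", the subject names and the temporary file paths are constructed for the demo, and the final verify step is what a browser does behind the padlock.

```shell
#!/bin/sh
# Added example, not from the original post: the issuance steps above run
# end to end with the openssl CLI. The CA is a constructed self-signed
# "Example CA" and the applicant is the hypothetical host shop.example.test.
set -eu
WORK="$(mktemp -d)"

# Step 1: the applicant (not the CA) generates its own key pair.
gen_applicant_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/applicant.key" 2>/dev/null
}

# Steps 2-3: identity details plus the public key go into a certificate
# signing request (CSR); only the CSR is sent, the private key stays put.
make_csr() {
  openssl req -new -key "$WORK/applicant.key" -out "$WORK/applicant.csr" \
    -subj "/C=US/O=Example Shop/CN=shop.example.test"
}

# Step 4 (policy checks) happens out of band; the CA just needs its own key
# and self-signed root certificate, both constructed here for the demo.
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -subj "/C=US/O=Example CA/CN=Example Root" \
    2>/dev/null
}

# Step 5: the CA builds the certificate (subject public key, validity dates,
# serial number) and signs it with the CA private key.
issue_cert() {
  openssl x509 -req -in "$WORK/applicant.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -out "$WORK/applicant.crt" 2>/dev/null
}

# What a browser does behind the padlock: check the CA signature against a
# trusted root. Prints "<path>: OK" when the chain verifies.
verify_cert() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/applicant.crt"; }

# The certificate's whole purpose: the public key it carries must be the
# applicant's. Both functions print the key in PEM so they can be compared.
pubkey_from_cert() { openssl x509 -in "$WORK/applicant.crt" -noout -pubkey; }
pubkey_from_key()  { openssl pkey -in "$WORK/applicant.key" -pubout; }

run_issuance() { gen_applicant_key; make_csr; setup_ca; issue_cert; verify_cert; }
run_issuance
```

Swap the CA files for a real root bundle and `verify_cert` becomes the same check a client performs before trusting a shop's certificate.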

References :

http://www.webopedia.com/DidYouKnow/Internet/2005/ssl.asp

http://support.microsoft.com/kb/195724

Security Protocols Overview, an RSA Data Security Brief

1 comment:

Anonymous said...

An informative overview of e-commerce security is given above. I read the complete information and am pleased to know all about how certificates are issued.
eSignature