When you make a purchase, you want to know that you can trust the merchant with your payment information. In person, this is fairly easy to do; after all, it’s highly likely that you’re staring the shop employee in the face while they ring up your items. But online it isn’t so simple; a shop could literally be run by anyone, and your credit card data could be intercepted by third parties very easily. The SSL protocol makes transactions secure, and the certificates are verification that a website or server is trustworthy. If you run an e-commerce business or take online bookings, it’s in your best interest to be SSL-certified.
What is SSL?
SSL stands for Secure Sockets Layer, and it’s a protocol which sits on top of the normal web framework. It’s part of a larger security protocol called TLS (Transport Layer Security). With SSL, all communication between computer and server is securely encrypted, so that third parties cannot intercept the information. Rather than just sending data to a website’s server, the SSL protocol requires that the client and the server engage in a multi-step ‘handshake’ which verifies the identities of each party and generates encryption keys to be used in scrambling the data. You can tell that a website is SSL-certified in a number of ways: the HTTP in the URL changes to HTTPS; a small padlock or thumbs-up icon appears in the address bar; and the address bar itself turns green during secure sessions. When you’re on an SSL-secured website, your information is much safer; if hackers were to get hold of it, your data would just look like a jumble of nonsense symbols.
The SSL process
When a client and a server connect via SSL, they use a process called an SSL handshake. The handshake creates a unique, one-time private key, and uses asymmetric encryption to get that key to both parties. It breaks down into several steps:
- The client browser requests that the server identify itself.
- The server sends a copy of its SSL certificate, which includes its public cryptographic key.
- The browser checks the certificate against a list of trusted certificate authorities.
- If the server is trusted, the browser creates a randomly generated private session key, encrypts it with the server’s public key, and sends it back to the server.
- The server decrypts the session key and sends back an acknowledgement that the key has been received.
- The server and browser can now communicate and encrypt/decrypt all data with the one-time-use session key. Since this key is randomly generated and only known by the server and browser, the channel is secure; the next time the browser connects to the server, a brand new session key will be used.
It’s easy to see why an SSL certificate is useful for e-commerce transactions; it makes sure that your data is actually going to the right place, and encrypts it using a secure randomized method that cannot be hacked by conventional means. SSL will notify both parties if any part of the process is compromised. It’s not surprising that SSL is now the standard for secure data exchange, used everywhere from PayPal to Facebook and beyond. As an online merchant, it’s your responsibility to ensure that your customers’ data is secure. An SSL certificate will do exactly that, and make you a lot more trustworthy for online transactions.
Why and how should I get an SSL Certificate?
A website can purchase an SSL certificate from a certificate authority (CA), which does the investigative work to verify that the website is legitimate. It’s unrealistic to expect every browser to go through all the steps of verifying your identity before making a transaction; it’d bog down the internet like crazy! CAs act as independent middlemen, doing the work of verifying you on behalf of the customer. They are also the ones who provide the public keys during an SSL handshake. Every browser comes equipped with a list of trusted CAs; when a server presents its SSL certificate, the browser will check that certificate against its list. A certificate authority must undergo rigorous testing and auditing in order to be added to the trusted CA list.
SSL certificates are beneficial in several ways. First of all, they make you far less likely to get hacked or to compromise your customers’ important information. Google recommends that e-commerce sites be SSL-certified, and it may improve your search engine optimization (SEO) efforts. Finally, Checkfront users will find that they have a much smoother experience when they are SSL-certified. While Checkfront takes care of PCI-DSS compliance for credit card data regardless of your SSL status, the app integrates even more smoothly when a site is certified. Without an SSL certificate, your customers will be redirected to our secure hosted booking page when they wish to make a purchase. With a certificate, your customers will be able to buy without ever leaving your web page.
3 types of SSL certificates
SSL certificates are used by millions of websites, for a variety of different reasons. As a result, there are now three different types of SSL certificates to choose from, depending on your website’s functions and security needs.
1. Domain Validated Certificates
Domain Validated Certificates can be obtained fairly quickly, and the process is usually automated. However, the validation procedure is less rigorous: the certificate authority only checks that the applicant’s name and contact information match the WHOIS domain registration. The CA does not validate the business itself, so DV certificates offer a slightly lower level of authentication than the other two types. Domain validated certificates still offer full SSL capabilities; it is only the vetting of the applicant that is lighter.
2. Organizationally Validated Certificates
Organizationally Validated Certificates not only verify the applicant’s name and contact information, but also audit their business credentials. The CA may check articles of incorporation or business licenses, and verify the applicant’s physical address. An OV certificate is a good fit for most online businesses that deal in credit card data and other personal information. Users will see the padlock icon and ‘HTTPS’ in their browser’s address bar and know that they are on a secured website.
3. Extended Validation Certificates
Extended Validation Certificates are the highest level of security available, and involve the most thorough vetting. The certificate authority investigates the legal, physical, and operational existence of the applicant, and requires the business to prove that it has the exclusive right to use its registered domain and that it has authorized the issuance of the certificate. When a website has an extended validation SSL certificate, the address bar in the browser will turn green and the name of the issuing CA will appear. EV certificates should be used by any website which requires identity assurance and strong encryption. Most major brands and large websites use EV certificates, since they provide the highest level of defense against phishing and hacking attacks.
By default, all Checkfront hosted booking pages are secured with organizationally validated SSL certificates. However, having your own certificate will make your site more cohesive and much safer to use. Check out a variety of different CAs, and shop around before making a choice; it’s worth the investment to ensure that your customers never have to worry about their information being leaked or compromised.
IMPORTANT: ensure you get SHA-2 certificates
In September 2014, Google announced that it was planning to “sunset” SHA-1 SSL certificates with the release of Chrome 39. What does this mean for you?
SHA stands for Secure Hash Algorithm, and is a function which creates a code that is almost impossible to reverse-engineer. It’s used in the signature that a certificate authority attaches to an SSL certificate. The SHA-1 function produces a 160-bit result, which was good enough for computers back when it was developed in 1995. However, attackers successfully hacked SHA-1 as early as 2005, and it has been deprecated by certificate authorities since 2011. Its successor, SHA-2, contains a number of improvements, not the least of which is the increase in algorithm complexity. SHA-2 produces a much larger result, which is significantly harder to crack.
Unfortunately, there are still many websites using SHA-1 certificates. Google’s changes apply to websites with certificates that expire on or after January 1 2017. Starting with Chrome 39 and 40, visitors to sites using SHA-1 will see a warning triangle on the lock icon in the address bar, informing them that the site is using insecure practices. With Chrome 41 (to be released in the first quarter of 2015), sites with a SHA-1 certificate will see their “HTTPS” URL rendered in red strike-through text, showing that it is not secure.
What can you do about this? If you are purchasing an SSL certificate, make sure that it is signed using SHA-2. Those with existing certificates will need to reissue them, which can usually be done through the SSL issuer fairly quickly; many will accept your original certificate signing request and just update the SHA function.
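As an added example (written for this post, not from Checkfront or any CA), here is the audit a site owner would run over an existing certificate chain with Go's crypto/x509: it flags SHA-1 signatures on certificates that expire on or after the January 1 2017 cutoff quoted above, for RSA, DSA and ECDSA keys alike, and reports what to do with each. Pass the leaf and the intermediates the server sends, not the root; the function names and report wording are the example's own.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// sha1Cutoff is the date from the post: SHA-1 certificates expiring on or after it get Chrome's warnings.
var sha1Cutoff = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)

// signedWithSHA1 reports whether the certificate's signature uses SHA-1, whatever the key type.
func signedWithSHA1(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// auditSignature classifies one certificate: must it be reissued with SHA-2, and why.
func auditSignature(c *x509.Certificate) (reissue bool, reason string) {
	alg, expiry := c.SignatureAlgorithm.String(), c.NotAfter.Format("2006-01-02")
	switch {
	case !signedWithSHA1(c):
		return false, alg + ": SHA-2 family signature, no action needed"
	case c.NotAfter.Before(sha1Cutoff):
		return false, alg + ": SHA-1, but expires " + expiry + " (before the cutoff); move to SHA-2 at renewal"
	default:
		return true, alg + ": SHA-1 and valid until " + expiry + "; reissue with SHA-2 now"
	}
}

// auditChain runs the check over what a server sends, leaf first, then intermediates; the root
// is left out because browsers trust it directly and never verify its self-signature.
func auditChain(chain []*x509.Certificate) (reissue bool, report []string) {
	for i, c := range chain {
		bad, why := auditSignature(c)
		reissue = reissue || bad
		report = append(report, fmt.Sprintf("[%d] %s: %s", i, c.Subject.CommonName, why))
	}
	return reissue, report
}
```

A SHA-1 intermediate is flagged just like a SHA-1 leaf, so a fresh SHA-2 server certificate is not enough if the issuer's intermediate is still SHA-1.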