You click to check out at an online merchant. Suddenly your browser address bar says HTTPS instead of HTTP. What’s going on? Is your credit card information safe?
Your information is safe. The website you are working with has made sure that no one can steal your information. Instead of HyperText Transfer Protocol (HTTP), this website uses HyperText Transfer Protocol Secure (HTTPS).
Using HTTPS, the computers agree on a “code” between them, and then they scramble the messages using that “code” so that no one in between can read them. This keeps your information safe from hackers.
When a user connects to a website via HTTPS, the website encrypts the session with a Digital Certificate. A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://.
HyperText Transfer Protocol Secure (HTTPS) is a secure version of the HyperText Transfer Protocol (HTTP). HTTPS ensures secure transactions over the internet, such as online banking and other e-commerce transactions.
Web browsers such as Internet Explorer and Firefox display a padlock icon to indicate that the website is secure, and they also display https:// in the address bar.
A brief history of web security in simple words
In the beginning, network administrators had to figure out how to share the information they put out on the Internet.
They agreed on a procedure for exchanging information and called it Hyper Text Transfer Protocol (HTTP).
Once everyone knew how to exchange information, intercepting it on the Internet was not difficult. So knowledgeable administrators agreed upon a procedure to protect the information they exchanged. The protection relies on an SSL Certificate to encrypt the online data. Encryption means that the sender and recipient agree upon a “code” and translate their documents into random-looking character strings.
The procedure for encrypting information and then exchanging it is called HyperText Transfer Protocol Secure (HTTPS).
With HTTPS, even if anyone in between the sender and the recipient could open the message, they still could not understand it. Only the sender and the recipient, who know the “code,” can decipher the message.
Humans could encode their own documents, but computers do it faster and more efficiently. To do this, the computer at each end uses a document called an “SSL Certificate” containing character strings that are the keys to their secret “codes.”
SSL certificates contain the computer owner’s “public key.”
The owner shares the public key with anyone who needs it. Other users need the public key to encrypt messages to the owner. The owner sends those users the SSL certificate, which contains the public key. The owner does not share the private key with anyone.
The security during the transfer is called the Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
The procedure for exchanging public keys using SSL Certificates to enable HTTPS, SSL and TLS is called Public Key Infrastructure (PKI).
What is SSL?
SSL is an acronym for Secure Sockets Layer (also called TLS – Transport Layer Security), an encryption technology that was created by Netscape. SSL creates an encrypted connection between your web server and your visitors’ web browser allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.
To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server. The use of an SSL certificate on a website is usually indicated by a padlock icon in web browsers or a green address bar. When an SSL certificate is installed on a website, you can be sure that the information you enter (contact or credit card information) is secured and only seen by the organization that owns the website.
Why do websites need SSL?
1. Secure Communication over Internet – If you are transmitting sensitive information on a web site, such as credit card numbers or personal information, you need to secure it with SSL encryption. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted.
2. Customer Trust – According to Gartner Research, nearly 70 percent of online shoppers have terminated an online order because they did not “trust” the transaction. Your customers won’t trust your web site without an SSL certificate.
3. Authentication – In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to a criminal’s server. For example, while logging into your online bank account you can be sure you are entering your login credentials into the legitimate server which belongs to the bank and not an unauthorized entity or a hacker. This once happened with a well-established bank when a group of hackers created a similar-looking webpage and managed to get the login credentials of a large number of unsuspecting online users of the bank.
4. PCI (Payment Card Industry) Compliance – It is also important to know that a website cannot take credit card information unless it passes certain audits such as PCI compliance which require a proper SSL certificate.
5. Protect your users from phishing attacks – A phishing attack is a type of online attack where a criminal tries to impersonate your website. Because it is very difficult for these criminals to receive a proper SSL certificate, they won’t be able to perfectly impersonate your site. This means that your users will be far less likely to fall for a phishing attack because they will be looking for the trust indicators in their browser, such as a green address bar, and they won’t find them on the fake website.
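The authentication and phishing points above depend on the client actually checking the certificate, not just encrypting. The following Python sketch is an added example, not part of the original article: it shows the two checks (validity period and hostname match) on a constructed certificate, and flags a client configuration that encrypts without authenticating. The hostnames, dates and function names are made up for illustration.

```python
import ssl
import time

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
# The names and dates are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.pay.bank.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}

def name_matches(pattern, hostname):
    """Match one certificate DNS name; '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_authenticates(cert, hostname, now=None):
    """True only if the certificate is within its validity period and names the host."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return False
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(n, hostname) for n in dns_names)

def context_findings(ctx):
    """List the settings that would let a client accept an impostor's certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings

STRICT = ssl.create_default_context()           # verifies the chain and the hostname
WEAK = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # still encrypts, but trusts any server
WEAK.check_hostname = False
WEAK.verify_mode = ssl.CERT_NONE
```

A connection made with `WEAK` is still encrypted, but the client cannot tell the bank's server from a look-alike, which is exactly the gap item 3 describes.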
Who issues the SSL Certificate?
A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures.
Trusted SSL providers will only issue an SSL certificate to a verified company that has gone through several identity checks. Certain types of SSL certificates, like EV SSL Certificates, require more validation than others.
Which Certificate Authority is the best?
You can get a certificate for $50 that does the exact same thing as a certificate sold for $1000 from another certificate authority. It is the exact same SSL encryption.
Why the difference? Trust is the biggest difference. Since some established players in this field like VeriSign have been around for longer than other certificate authorities, more people trust them so they can charge more. You are essentially paying for the brand.