We can feel even better about trusting online banking and shopping if we understand the Internet's definition of trust. On the Internet, trust is established by an organization's reputation but, more importantly, by its web site's security certificate.
Do you remember Ralphie’s Ovaltine secret decoder ring? He really, really, really had to have it so he could understand the secret radio message! Of course, Internet encryption is vastly more complex but the basic idea is the same.
HTTPS AND SSL
HTTP is the default protocol that your browser uses to communicate with web servers. You have probably seen a web address, or URL (uniform resource locator), that looks like this: http://www.southsidetech.com.
You don't have to type the http:// part in your browser's address bar, because it is assumed. Your browser fills this part in for you automatically.
SSL stands for Secure Sockets Layer. It does two things:
- Encrypts your data, so that no one else can see what the web site sends to your browser or what your browser sends to the web site.
- Authenticates the web site. In other words, it certifies that the web site is actually owned by the entity that claims to own it.
When you see the little lock next to a web site’s address in your browser’s address bar, or you see “https” at the beginning of the address, this means that you are using encrypted communications.
A certificate is a document that a web site shows a browser to authenticate its identity. It "certifies" that the web site is who it says it is. Certificates are issued by a "Certificate Authority" (CA), a company that verifies for the browser that a particular web site's certificate can be trusted. All web browsers (IE, Chrome, Firefox, etc.) come pre-loaded with security files for the CAs whose opinion they will trust.
The web site owner must generate a Certificate Signing Request and send it to a trusted CA. The CA then verifies the web site's ownership and "signs" the security certificate. Once it is issued, the web site owner installs the certificate on their web server. It includes owner information like organization name, address, etc., and public and private encryption keys.
Public and Private Keys
A private key is a secret password that is known only to the web site and the CA. This is how the CA can vouch for the web site. When a web browser requests an encrypted page from the web site, it can be certain the web site belongs to who it says it belongs to. Otherwise an unscrupulous entity could pose as the site and fool you into revealing your logon credentials for the real site.
Included in the certificate is a public key, which uses a different password for encryption. The private and public keys are unique to that certificate. Data encrypted with the private key can only be decrypted with the public key, and vice versa. Only the private key can encrypt data for a particular public key. That is how you know the web site is who it claims to be.
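The certificate and key relationship described in the last two sections, as an added example that is not code from the original article: a toy public-key scheme built from deliberately tiny, constructed primes shows the CA signing a certificate that carries the site's public key, the browser checking that signature against a CA it already trusts, and the site proving that it holds the matching private key, which in practice stays on the site's server and is never shared. The host name, the "Example Toy CA" name, the challenge value and all key values are constructed for illustration, and the scheme is far too small to be secure for real use.

```python
import hashlib
import json
from dataclasses import dataclass

# Toy RSA with fixed, deliberately tiny constructed primes: only to illustrate
# the idea. Real certificates use 2048-bit-plus RSA or elliptic-curve keys and
# a standard signature padding; never reuse this for anything but a demo.
PUBLIC_EXPONENT = 65537


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus: part of the public key, printed in the certificate
    e: int  # public exponent: also part of the public key
    d: int  # private exponent: stays on the owner's server and is never shared

    @property
    def public(self):
        return (self.n, self.e)


def make_keypair(p: int, q: int) -> KeyPair:
    """Build a toy RSA key pair from two primes (constructed demo values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse (Python 3.8+)
    return KeyPair(n=n, e=PUBLIC_EXPONENT, d=d)


def digest_mod_n(data: bytes, n: int) -> int:
    """Hash the data and reduce it below the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private: KeyPair, data: bytes) -> int:
    """Signing: 'encrypt' the hash with the private key, in the article's terms."""
    return pow(digest_mod_n(data, private.n), private.d, private.n)


def verify(public: tuple, data: bytes, signature: int) -> bool:
    """Anyone holding only the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest_mod_n(data, n)


def issue_certificate(ca: KeyPair, subject: str, subject_public: tuple) -> dict:
    """The CA signs the certificate body: the site's name plus its PUBLIC key."""
    body = {"subject": subject, "public_key": list(subject_public), "issuer": "Example Toy CA"}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(ca, payload)}


def browser_check(trusted_ca_public, certificate, expected_host, challenge, challenge_signature) -> bool:
    """What the browser does before showing the lock icon (simplified)."""
    body = certificate["body"]
    # 1. The certificate must name the site typed into the address bar.
    if body["subject"] != expected_host:
        return False
    # 2. The CA signature must verify with a CA key the browser already trusts;
    #    the "issuer" text alone proves nothing, only the signature does.
    payload = json.dumps(body, sort_keys=True).encode()
    if not verify(trusted_ca_public, payload, certificate["ca_signature"]):
        return False
    # 3. The site must prove it holds the private key matching the certified
    #    public key (in TLS, SSL's successor, this proof is bound to the handshake).
    return verify(tuple(body["public_key"]), challenge, challenge_signature)


def run_demo() -> dict:
    ca = make_keypair(1000003, 1000033)      # the trusted CA's key pair
    bank = make_keypair(1000037, 1000039)    # the genuine site's key pair
    impostor = make_keypair(999979, 999983)  # an impostor's key pair
    host = "www.example-bank.test"           # constructed host name
    challenge = b"browser nonce 0xC0FFEE"    # constructed fresh value from the browser
    trust_store = [ca.public]                # stands in for the browser's pre-loaded CA files

    genuine_cert = issue_certificate(ca, host, bank.public)
    results = {
        "genuine": browser_check(trust_store[0], genuine_cert, host, challenge, sign(bank, challenge))
    }
    # Impostor A: writes a certificate for the bank's name and signs it itself.
    fake_cert = issue_certificate(impostor, host, impostor.public)
    results["self_signed_impostor"] = browser_check(trust_store[0], fake_cert, host, challenge, sign(impostor, challenge))
    # Impostor B: copies the bank's real (public) certificate but lacks the bank's private key.
    results["copied_cert_impostor"] = browser_check(trust_store[0], genuine_cert, host, challenge, sign(impostor, challenge))
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:22s} -> {'lock icon' if ok else 'warning page'}")
```

Running the script shows the genuine site passing all three checks while both impostors fail: one because its certificate was not signed by a CA in the trust store, the other because it cannot answer the browser's challenge without the real private key. That second case is the point of the article's "unscrupulous entity" warning: copying a certificate is easy, since it is public, but it is useless without the private key.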
You can view information about a web site's certificate either by clicking on the little lock in your browser's address bar or by clicking on the CA's "seal" emblem, usually located on the secured web page. Common CA seals come from companies like VeriSign, Thawte and GoDaddy. You can also see which Certificate Authorities your browser trusts by going to your browser's settings, options or tools menu.
Circles of Trust
Website security certificates are only one of the Circles of Trust. If we understand each circle a little better, we will feel better about exploring and learning.
For more on Internet Security:
- From The USA Educational Foundation: Internet Safety For Adults
- From Family Online Safety Institute: Top Internet Safety Tips for Parents (PDF)
- Advice about common security issues for non-technical computer users