SSL: Myths and Magic

    April 2, 2004

About once a week we get asked if we use SSL certificates. The answer may come as a surprise to our e-commerce friends, considering that we process hundreds of credit card transactions every month.

SSL stands for Secure Socket Layer. To a man, except to the real techies, SSL means secure e-commerce transactions on the Internet. So, what’s a secure e-commerce transaction and what do the techies know that you don’t know? Well, in order to understand that, lets first look at a few SSL details.

Internet connections make use of various data elements to establish a communication channel between a host server and a client computer. These data elements are grouped into functional categories called layers. The communication takes place via a socket connection. This is simply a specific virtual connection between computers. A variety of techniques, know as protocols, using variations in the data elements, can be applied to establish a connection. One of these protocols uses a Secure Socket Layer. This is a technique used to encrypt information moving from a host computer to a browser and from a browser to the host computer. That is, information in transit on the Internet is encrypted when using this protocol. You can sometimes know you’re using the SSL protocol by the “https;” at the beginning of a web address or by the little yellow padlock icon that appears in the lower left corner of a browser.

To use the SSL protocol, the host computer must be equipped with an SSL Certificate and a browser must support the protocol. All current browsers do. The certificate is actually a small software program that resides on the host computer of a particular domain. The program encrypts the information traveling between your browser and the host computer when the SSL protocol is invoked. The certificate also identifies the domain for which the software was issued. Private companies sell these certificates to domains wishing to use the SSL protocol.

The magic in SSL is the remarkable job that the certificate companies have done to convince nearly everyone that an SSL site is a secure site. This has been a great benefit to e-commerce sites. Consumers get that warm fuzzy feeling when they see the little yellow lock in their browser, knowing everything is OK, just before submitting their credit card information. The truth is that the only time information using SSL is secure is when the data passes between browser and host. That is, when the data is in transit on the Internet.

The other piece of magic with an SSL certificate is that it is intended to verify that a website is who they say they are. To make this happen, the certificate company must confirm information like domain ownership before selling the SSL Certificate to an applicant. The confirmation process is not well defined however, resulting in known cases of certificates being issued to bogus websites, ostensibly belonging to well known companies. Another diluting factor affecting the value of the certificate is the use of machine wide certificates. This is the practice of applying one SSL certificates to all websites residing in a shared hosting environment on a single computer. There is no way that this certificate can validate website ownership. You know the certificate is being shared if your ISP offers free SSL capability with domain hosting. To even begin to authenticate a domain, the certificate must be issued to a specific IP address assigned to a specific domain.

So, by now you probably know the answer to our opening question. We do not use the SSL protocol with our services. We do, however, use other proprietary techniques to protect a customer’s sensitive information, including triple DES encryption of sensitive information stored in databases which themselves are password protected and not directly connected to the Internet. We also use a whole range of other techniques to manage, protect, and validate customer information.

The point of mentioning what we do and the point of this article is not to bash the SSL protocol but, to expose the myth that SSL somehow provides the security necessary to protect your customer. If you want to use SSL to make customers happy, sure, go ahead; but, don’t think for minute that you’re protecting their information. Here’s a challenge: Cite just one case where credit card numbers have been stolen by a hacker intercepting the data in transit on the Internet.

Managing and protecting information is a much more complex process than just having an SSL Certificate. If you are serious about protecting your customer and securing your website, you can start by reading a four part article titled, “The Nuts and Bolts of Information Security” at . This is by no means a definitive work but it can provide the conscientious merchant with a guideline for getting started at protecting a customer’s sensitive information.

Mel Davey is the creator of ImagineNation (, a full service E-Commerce Application Service Provider, offering Storefronts, Order Management Utilities, and 3rd party credit card processing.