Perhaps one of the biggest mistakes any business owner makes is to assume that online security is not a threat to their business reputation and their ability to communicate safely with their customers. It is true that ecommerce sites accepting credit and debit card payments have to use Secure Sockets Layer (SSL) certificates to comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. But there are many other sites that need to use this security to protect their users.
Secure Sockets Layer
To clarify how Secure Sockets Layer technology works to protect information, let’s take a closer look at just what it does. That will provide a solid foundation for seeing why most websites, and not just ecommerce sites, should be using this cyber security tool.
Secure Sockets Layer – What is SSL/TLS?
SSL/TLS is a network security protocol that uses 128- or 256-bit encryption to transmit data between a website and a browser (more often called a server and a client), or between an email server and an email client.
Because the data is encrypted, it is illegible to anyone who doesn’t have both the public key (used for the encryption) and the private key, which provides the decryption. These keys are unique and are tied to an SSL certificate.
The Certificate Authority generates the SSL certificate. The Certificate Authority is selected by the website owner or administrator, and it verifies or validates the information provided by that individual before creating a unique certificate.
A website can use a single SSL/TLS certificate, or it may use alternative certificate options. A multi-domain, Wildcard or Subject Alternative Name (SAN) certificate may be used for different domains and subdomains or, in the case of the Wildcard certificate, for a single domain and its respective subdomains.
The website administrator or owner generates the private key and a Certificate Signing Request (CSR) on the particular server that hosts the site. The CSR (the form created) is sent to the Certificate Authority with the required information about the Fully Qualified Domain Name and other information based on the type of SSL/TLS certificate requested.
The website administrator or owner of the server always keeps the private key. It is never shared with anyone, not even the Certificate Authority. Keeping this key private is what secures the system: decryption is limited to the holder of the private key that matches the public key of the pair.
Once the Certificate Authority validates the information, a certificate file is sent back to the website administrator. The certificate file and the private key are installed on the server, the website is bound to the certificate on that server, and the process is complete.
Everything that is sent through the website to the server is now transmitted via a secure channel that is set up between the client and the server. The setup includes verifying the certificate and the keys before any data is exchanged.
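The key, CSR, issuance and verification steps above, as an added Go example that is not part of the original article: the server generates and keeps its private key, the CA checks the CSR before signing, and the client verifies the chain and the hostname before any data is exchanged. The FQDN `www.example.test`, the throwaway CA and the `must` helper (which panics on the unexpected errors of key generation and encoding) are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ServerKeyAndCSR runs on the web server: the private key is generated here and never leaves it; the CSR carries only the public key, the FQDN and a signature made with that key.
func ServerKeyAndCSR(fqdn string) (*rsa.PrivateKey, *x509.CertificateRequest) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn}}
	return key, must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
}

// NewCA is a throwaway root constructed for this example; a real site sends its CSR to a public CA.
func NewCA() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// CAIssue is the CA's side: the CSR signature proves the requester holds the private key, and the requested name must be the one the CA validated; only then is a leaf certificate signed.
func CAIssue(caKey *rsa.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest, validated string) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil || len(csr.DNSNames) != 1 || csr.DNSNames[0] != validated {
		return nil, fmt.Errorf("CSR rejected (signature: %v, names: %v)", err, csr.DNSNames)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: csr.DNSNames, NotBefore: caCert.NotBefore, NotAfter: caCert.NotAfter}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)))), nil
}

// ClientVerify is what the browser does before any data is exchanged: the chain must end at a trusted root and the certificate's name must match the site being visited.
func ClientVerify(leaf, root *x509.Certificate, fqdn string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: fqdn})
	return err
}
```

A browser trusts the real CA's root from its built-in store rather than from `NewCA`; everything else (CSR signature check, name validation, chain and hostname verification) follows the same shape.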
Ecommerce Sites and Non-Ecommerce Sites
It makes perfect sense why encrypted data would be an essential part of cyber security for the ecommerce site owner. After all, regardless of the value of the purchase, nobody wants to put his or her credit or debit card information online unprotected.
Even if an ecommerce site uses a third-party payment processor such as PayPal, it should consider at least a domain-validated, and preferably an organization-validated, SSL/TLS certificate. These certificates are extremely low cost, and they offer a level of trust and assurance that most online consumers now consider the basic level.
Additionally, and this is relevant to your website as well, Google now considers the presence of an SSL/TLS certificate in its search engine ranking algorithms. While it won’t cause your website to jump up dramatically in the rankings, it does have a positive impact, and it prevents your site from dropping if your competitors are using this security protocol and your site is not.
Aside from ecommerce sites, other websites also ask for personal information. Think of how often you have to use a login and a password on a site to gain access to specific features. Even if you only wish to comment on a blog, you will typically need to provide at least your name, address and email. Sent unencrypted, this gives hackers, eavesdroppers and man-in-the-middle attackers the information they need to start phishing your email account.
Any business consulting or business website that allows scheduling appointments online should be using SSL/TLS certificates. You ask your customers to provide their name, address and other information, all of which could pose a risk if there were an internet security breach.
Doctors’ offices, dentists’ offices, mental health professionals and attorneys that have patients or clients send information, schedule appointments or communicate online through the website should also be using SSL/TLS certificates. This data encryption will protect their patients and clients and provide privacy and security when transmitting information.
If you are not using Secure Sockets Layer certificates at this time, it may be helpful to talk to various internet security companies or consultants. They can explain the relevance and importance of this type of website security feature, both for your own safety and for that of your clients and online users.
Ashraf is a Technical Blog Writer from Comodo. He writes about information security, focusing on web security, operating system security and endpoint protection systems.