The majority of Internet-related protocols, including the Hypertext Transfer Protocol (HTTP), the Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP3), are unencrypted and send and receive information in plain text.
This means that an attacker or cyber criminal can record and analyze Internet traffic and discover usernames, passwords, credit card information, social security numbers, dates of birth and so on. To increase website security, data sent to and from a web server needs to be encrypted. The Secure Sockets Layer (SSL) is an Internet protocol that is used to encrypt Internet traffic across a network and stop hackers from eavesdropping on and tampering with data.
Combining HTTP with SSL creates a new protocol known as HTTPS (HyperText Transfer Protocol with Secure Sockets Layer – where the ‘S’ stands for Secure). SSL can equally be combined with SMTP and POP3 (and other Internet protocols) to ensure enhanced website security.
HTTPS differs from HTTP in two important ways:
- HTTPS connects on port 443, while HTTP is on port 80
- HTTPS encrypts all the data sent and received, while HTTP is unencrypted
An Internet user who connects to a website using HTTPS will notice two things. First, the URL of the website starts with “https://” rather than “http://”. Second, the browser will show some kind of indication (normally in the form of a padlock) that secure communication has been established and that the data will be encrypted.
For any website that requires a user to enter a username and password to log in, or any website that offers eCommerce, it is essential that website security is enhanced with SSL. To implement SSL, three things are needed:
- A web server that supports HTTPS (and SSL).
- A unique IP address for your server (meaning that shared web hosting isn’t appropriate).
- An SSL certificate.
Most web servers, including Apache and Microsoft’s IIS, support SSL, so it is most likely that your website is already running on a compatible server.
Although some shared hosting providers do offer a “shared” SSL certificate for all the websites that run on any given server, there are downsides to using them. Firstly, it is still possible for another website on the same server to trick users into believing that they have connected to your site when in fact they have connected to a rogue site on the same server. Secondly, the details on the certificate will be those of your hosting provider and not your business / website. This can lead to questions (by users and their browsers) about the validity of the certificate. Having a unique IP address ensures that the SSL certificate is for your site only and the credentials on that certificate match those of your business / website.
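The two downsides of a shared certificate can be checked directly from the certificate's fields. The following is an added example, not part of the original article: it reviews a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the hostnames, organization names, sample certificates and finding labels are all constructed for illustration.

```python
# Certificate fields use the dict layout of Python's ssl.SSLSocket.getpeercert().
# Both certificates below are constructed sample data, not real certificates.
SHARED_CERT = {
    "subject": ((("organizationName", "Constructed Hosting Co"),),
                (("commonName", "*.sharedhost.example"),)),
    "subjectAltName": (("DNS", "*.sharedhost.example"), ("DNS", "sharedhost.example")),
}
DEDICATED_CERT = {
    "subject": ((("organizationName", "My Shop Ltd"),),
                (("commonName", "www.myshop.example"),)),
    "subjectAltName": (("DNS", "www.myshop.example"), ("DNS", "myshop.example")),
}

def cert_names(cert):
    """Return (dns_names, organization) from a getpeercert()-style dict."""
    attrs = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    dns = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns and "commonName" in attrs:  # legacy fallback when no SAN is present
        dns = [attrs["commonName"].lower()]
    return dns, attrs.get("organizationName")

def name_matches(pattern, host):
    """A wildcard is accepted only as the whole left-most label and covers one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def review_certificate(cert, host, domain, organization):
    """Return findings for a site reached at `host` whose owner controls `domain`."""
    dns, org = cert_names(cert)
    findings = []
    if not any(name_matches(n, host) for n in dns):
        findings.append("hostname-mismatch")
    # Assumption: the site expects an organization-validated certificate, so a
    # missing or different organizationName is reported.
    if org != organization:
        findings.append("organization-mismatch")
    # Names outside the site's own domain mean the certificate also vouches for others.
    foreign = [n for n in dns
               if not (n.removeprefix("*.") == domain or n.endswith("." + domain))]
    if foreign:
        findings.append("covers-other-sites")
    return findings

if __name__ == "__main__":
    print(review_certificate(SHARED_CERT, "myshop.sharedhost.example", "myshop.example", "My Shop Ltd"))
    print(review_certificate(DEDICATED_CERT, "www.myshop.example", "myshop.example", "My Shop Ltd"))
```

The shared certificate passes the hostname check when the shop is reached under the provider's wildcard name, which is why the organization and coverage checks are needed to expose the problems described above.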
An SSL certificate can be bought online. The issuing authority will independently verify your identity and that of your website. Once the certificate is installed and configured, your website security will be improved and your customers can use the site safely in the knowledge that their personal data is secure and encrypted.
© 2011 – ArtSec Group LLC