SSL: Your Key to E-Commerce Security

By Sean Michael Kerner | Posted July 01, 2005

The e-commerce business is all about making money and finding ways to make more money. But that's hard to do if consumers don't feel safe executing a transaction on your Web site. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects an e-commerce business can also potentially help you to unlock your customers' wallets.

What is SSL?
Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security and is likely to remain so into the future.

SSL is all about encryption. SSL encrypts data such as credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing it for malicious purposes. You know that you're on an SSL-protected page when the URL begins with "https" and there's a padlock icon at the bottom of the page (and, in the case of Mozilla's Firefox, in the address bar as well).

Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. However, your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site owners to do their part.

SSL Certificates
At the other end of the equation, and of greatest importance to anyone who runs, or plans to start, an e-commerce site, is the SSL certificate. The SSL certificate sits on a secure server, where it encrypts the data and identifies the site. The SSL certificate helps to prove that the site belongs to the party it claims to belong to, and it also contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority that issued the certificate, the root (or origin of the certificate) and the country in which it was issued.

SSL certificates come in 40-bit and 128-bit varieties, but because 40-bit encryption has been hacked, be sure to get a 128-bit certificate.

Although there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, one key, often-overlooked element is necessary in order for full two-way 128-bit encryption to occur. Chad Kinzelberg, vice-president of security services at VeriSign, an SSL certificate vendor, said that in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

How to Get an SSL Certificate — The Wrong Way
There are two principal ways of obtaining an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor.

Though the data may, technically speaking, be encrypted, there is still a fundamental problem with self-signing that defeats the purpose of having an SSL certificate in the first place.

"The problem is 'how does the rest of the ecosystem know the site is legitimate?'" explained Kinzelberg. "Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses."

"We're making sure that the roads are safe. This is the role of the certificate authorities. Certificate authorities make sure the site is legitimate," he added.

Trust Stats from VeriSign
  • Ninety-three percent of online shoppers surveyed by VeriSign reported that they feel it's important for an e-commerce site to include a trust mark of some kind on their site.
  • Sixty-four percent have abandoned a shopping cart/basket because they didn't get a sense of security and trust when it came time to provide payment information.
  • Seventy-five percent of online shoppers will only make purchases through sites that include a trust mark.

In most browsers, self-signed certificates trigger a warning window indicating that the certificate was not recognized. Kinzelberg admits that many people will click through anyway, just as many people click through the warning for an expired SSL certificate.
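The certificate fields listed under "SSL Certificates" above, and the difference between a CA-signed and a self-signed certificate that the self-signing discussion describes, can be seen with the openssl command line. The script below is an added example, not code from the article, from VeriSign or from GeoTrust: it builds one private root (standing in for a browser's trust store), issues a certificate for a shop from that root, creates a self-signed certificate for the same shop, and then runs the chain check a browser performs. The CA name, company name and the hostname shop.example.test are constructed.

```shell
#!/bin/sh
# Added example (not from the article): a private root CA, one certificate for
# a shop issued from it, and a self-signed certificate for the same shop, then
# the chain check a browser performs. All names below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="shop.example.test"          # hypothetical shop hostname

# 1. The root. Every root is self-signed; what makes it trustworthy is that
#    browsers ship it in their trust stores (the "ubiquity of the root").
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=US/O=Example Trust Services/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The shop's key and signing request, signed by the CA: this is the
#    certificate you would buy. The SAN names the domain it was issued to.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/O=Example Shop Inc/CN=$SITE" \
  -keyout "$WORK/shop.key" -out "$WORK/shop.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORK/san.cnf"
openssl x509 -req -sha256 -days 365 -in "$WORK/shop.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/shop-ca-signed.pem" >/dev/null 2>&1

# 3. The same key and the same name, but the shop signs the certificate itself.
openssl req -x509 -new -key "$WORK/shop.key" -sha256 -days 365 \
  -subj "/C=US/O=Example Shop Inc/CN=$SITE" \
  -addext "subjectAltName=DNS:$SITE" \
  -out "$WORK/shop-self-signed.pem" >/dev/null 2>&1

# The fields the article says a certificate carries: holder, domain, issuer
# and validity period.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# "yes" when the subject and the issuer are the same name, i.e. self-signed.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject_hash)
  i=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# What the browser does: "trusted" only if the certificate chains to a root in
# the trust store (here: our single root) and names the host being visited.
chain_status() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$SITE" "$1" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

for cert in shop-ca-signed shop-self-signed; do
  echo "== $cert =="
  cert_summary "$WORK/$cert.pem"
  echo "self-signed: $(is_self_signed "$WORK/$cert.pem")"
  echo "chain check: $(chain_status "$WORK/$cert.pem")"
done
```

The self-signed certificate encrypts the connection just as well as the CA-signed one, yet it fails the chain check, which is exactly the browser warning the article describes. Note that the private root created here is itself the self-signed case the article warns about: it only counts as "trusted" because the script put it in the trust store it checks against, whereas a purchased certificate chains to a root the browsers already carry.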

"We, as an industry, want to educate people that that's the kind of thing they should not be doing. It's not a safe e-commerce practice," Kinzelberg said.

A site that conveys trust is also more likely to be a site that makes more money. Research suggests that having a recognizable SSL certificate may in fact have a direct correlation to increased e-commerce sales. VeriSign, in particular, has done research showing that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites, have fewer abandoned shopping carts and more repeat purchases.

Joan Lockhart, vice-president of marketing at GeoTrust, another SSL vendor, argues that the price of an SSL certificate, from the least expensive provider to the most expensive provider, is a minuscule cost in the overall scheme of e-commerce.

"The margin on a single transaction could pay for the cost of a certificate, so it's not really about ROI," Lockhart said. "It's about conveying trust to your consumers."

Choosing an SSL Certificate Vendor
According to Lockhart, there are several things that buyers should look for when purchasing a certificate:

  • Reputation and credibility of the certificate authority (CA): has it been in business for a while? Does it have many customers?
  • Ubiquity of the root: is it embedded in, and recognized by, all of the popular browsers?
  • Ownership of the root: does the CA own its root certificate (i.e., it is not chained to someone else's root)?
  • Lifecycle management tools: how easy is the certificate to install, renew, reinstall and revoke if compromised?
  • Ease of acquiring the certificate.
  • Who determines the legitimacy of the e-commerce site applying for the certificate: the CA itself, or, in the case of some resellers, is the task delegated to the reseller?

Conclusion
The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. An SSL certificate tells customers that you are who you say you are. You have nothing to hide, you're running a legitimate e-commerce business, and you want consumers to feel comfortable and to trust doing business with you.

In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.

Resources:

  • VeriSign Secured Seal Research Review (PDF)
  • VeriSign: "What Every E-Business Should Know about SSL Security and Consumer Trust"
  • GeoTrust: Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud (PDF)

Adapted from ECommerce-Guide.com, part of Internet.com Small Business Channel.
