I recall reading a few years back how a holding company for many companies that push pornography to the Internet was buying up popular web addresses as soon as they became available. The reason they were doing this was to point these addresses to their pornography thus making it easier to end up on one of their sites. I also recall several law suites from celebrities who had their names used to point to pornography sites. I also recall that most of them won the law suites.
I am not going to dwell on the content subject matter anymore in favor of 2. Technology. When you go to Amazon.com and make a purchase, how do you know that the information you send to Amazon will not be stolen by a person who is watching the transaction? In the early days of the Internet most of the data sent to and from websites was clear text. That meant that someone with the right equipment could watch what was going over the Internet, which would allow them to collect personal information such as names, addresses, phone numbers, and credit card numbers.
Shortly after the Internet was invented, Internet encryption was invented to prevent unauthorized snooping of information on the Internet. Hence, for the most part, the Internet is safe when you place online orders or look at confidential information.
I have been working on a project at my company which relies on ensuring that the data coming to my server and leaving it is safe. For this reason we have embraced an Internet favorite for securing data called Secure Socket Layer or SSL for short. Let's take a bit of a dive into this technology and see what makes it tick.
Before we dive into the details, there are two questions to think about when you are on the Internet; 1. Who are you speaking with?, and 2. Is someone listening to your conversation?
Who Are You Speaking With?
When you whip out your cell phone and call a friend, how can you be certain that the person on the other phone is really your friend? If you have never spoken to this person before, it might be quite difficult. I had a situation once where I started getting these text messages from my wife, but they were not formatted as she would do it. Come to find out that my son had found my wife's phone and decided to text me. Technically, whenever you call a business or someone you have never talked to before, how can you really know that the person on the other side works for that company? And with text messages, how do you know if your friend really is on the other end?
Is Someone Listening to Your Conversation?
There is technology out there that will allow someone to tap into a cell phone audio conversation. Cell phone companies are constantly trying to stay ahead of people who want to compromise their technology. Fortunately with cellular digital communication and smart phone, this can be minimized through encryption. The Internet is the same way, luckily for us we have SSL.
SSL Technology Overview
SSL technology takes advantage of some concepts of a science called cryptography. With almost all concept in cryptography you have two keys; one that you keep secret (private key) and one that you give to all your friends (public key). The idea is that if your friend wants to send you a secret message, he will encrypt the message with your public key and when your receive the message you can decrypt it with your private key. What I have just described is called public key cryptography. Basically you keep your private key private and share you public key with the world.
How Does SSL Work?
For SSL to work in a real world scenario, you need to do two major things; 1. Setup your web server to support SSL, and 2. Your web browser needs to trust the server your are browsing to.
Let's say your company name is ACME. In order to setup SSL on a server, the following steps need to be completed:
1. Using the operating system that the server is running on (Windows, Linux) at ACME, you need to create a Certificate Signing Request (CSR). During this process a private key is generated.
2. Next you need to access a Certificate Authority (CA). This can be in house, but more commonly is a third-party company such as Thawte and have them validate ACME. Thawte will do two important things; 1. Validate that your company has control of the domain you are using (ACME.com), and 2. That your company exists in public government records.
3. When this validation process is complete, Thawte will give you back a new public key (which is also referred to as a certificate) which is encrypted with their private key.
4. Lastly, your ACME takes this new certificate and installs in on its webservers.
What happens when you browse to ACME's webserver from your browser?
1. You (customer) use your web browser to make a connection with ACME. Typically this will be done on SSL port 443. More commonly you will see an https in front of your web address.
2. ACME will send back its public key. Once this is received, the web browser decides if it is OK to proceed:
- The ACME public key cannot be expired.
- The ACME public key must be from ACME only.
- The web browser must have the public key from Thawte installed in its certificate store. Most web browsers have the public keys from reputable certificate vendors installed already.
4. ACME will then create a unique file called a hash and encrypt it with both the customer's web browser's public key and its own private key. This will then be sent back to the customer.
5. The customer's web browser will then decrypt the hash. This process validates that ACME sent the hash and only the customer was able to read it.
6. At this point both ACME and the customer's web browser trust each other and exchange information securely.
So there you have it. How information is securely exchanged on the Internet. I hope you dell better about placing your credit card number with Amazon now.
Till next time,
Bill
No comments:
Post a Comment