In our last article on Web to print we talked briefly about on-line security, flagging that since people are conducting financial transactions (i.e. paying for things) on-line, there is a need for that data to be secured. We mentioned SSL (“Secure Sockets Layer”), a technology which authenticates and encrypts the sensitive data being transmitted to ensure the security, privacy and effectiveness of the whole transaction.
In this article we’ll cover this in a little more detail.
Why is SSL needed?
The astonishing growth of the internet in recent years has led to a corresponding growth in online commerce of all types. Unfortunately, this growth has also presented “opportunities” for fraudsters and cyber criminals to exploit security lapses and steal confidential information such as passwords and financial data.
It’s a fact that unless the connection between the client (e.g. the internet browser) and the server (i.e. the web-site being visited) is adequately encrypted, it is relatively easy for the information to be intercepted in transit. And we’ve all heard of worrying cases of highly secure sites (e.g. military and intelligence services) being illegally accessed too …
So technologies like SSL are one way to carry out this encryption and protect the data.
How does SSL work?
While all browsers have the ability to interact with secured web servers using SSL, both ends require an SSL certificate to establish a secure connection. These certificates have a key pair – a public and a private key, which work together to establish the secure connection.
To get a certificate, a Certificate Signing Request (CSR) must be created on the server, which in turn creates the two keys mentioned above. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to match the private key without compromising the key itself – the CA never sees the private key.
Once the SSL Certificate is received, it is installed on the server, along with an intermediate certificate that establishes the credibility of the SSL Certificate by tying it to the CA’s root certificate.
Note that browsers only “trust” certificates that come from an organisation on a pre-installed list of trusted CAs, known as the Trusted Root CA Store. In order to be added to this store and thus become a Certificate Authority, a company must comply with and be audited against security and authentication standards established by the browsers.
Once all this is in place, SSL can be used to create the secure connection. It begins with the browser and the server establishing a connection using an “SSL handshake”. Three keys are used: the public, private and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa. Here’s the process sequence:
- Browser connects to a web server secured with SSL (https) and requests that the server identify itself.
- Server sends a copy of its SSL Certificate, including the server’s public key.
- Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
- Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
- Server and Browser now encrypt all transmitted data with the session key.
And that’s it – simple really, isn’t it?
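The key exchange in the sequence above, modelled end to end as an added example (not code from the original article). It assumes a constructed toy RSA key pair and a SHA-256 keystream standing in for the session cipher, skips the certificate checks, and uses illustrative function names throughout.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for the server (two Mersenne primes). Teaching
# model only: real certificates use 2048-bit+ keys and padded RSA.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, travels in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server


def keystream_xor(session_key: bytes, direction: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts; `direction` keeps the two flows apart."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = session_key + direction + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def browser_key_exchange(server_public: tuple[int, int]) -> tuple[bytes, int]:
    """Browser creates a session key and encrypts it with the server's public key."""
    n, e = server_public
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_recover_key(wrapped: int) -> bytes:
    """Server decrypts the session key with its private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_handshake() -> dict:
    """Walk the sequence and return what each side ends up holding."""
    server_public = (N, E)                                   # sent with the certificate
    browser_key, wrapped = browser_key_exchange(server_public)
    server_key = server_recover_key(wrapped)
    ack = keystream_xor(server_key, b"S", b"handshake finished")
    request = keystream_xor(browser_key, b"C", b"order=500 leaflets")  # constructed data
    return {
        "keys_match": browser_key == server_key,
        "ack_seen_by_browser": keystream_xor(browser_key, b"S", ack),
        "request_seen_by_server": keystream_xor(server_key, b"C", request),
    }


if __name__ == "__main__":
    print(run_handshake())
```

Only the holder of the private exponent can recover the session key from the wrapped value, which is why the private key must stay on the server.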
And the relevance to Web to print, exactly?
As we discussed last time, Web to print is a B2B technology, with a “storefront” consisting of pre-agreed templates with prices. Although most B2B transactions will not require, for example, the provision of credit card information as in a B2C transaction (invoices are usually raised later), we felt that it was important to give you background information on security as part of our comprehensive review … and with that now out of the way, next time we will look at storefronts.