HTML and CSS Reference
Do I have to apply for a certificate?
If you are accepting any personal information on your Web site such as credit card numbers,
you should be using SSL. One option is to visit a certificate authority (such as VeriSign or
Thawte at http://www.thawte.com) and apply for your own certificate. There may be a waiting
period and you will need to pay an annual fee.
As an alternative, your Web host provider may let you piggyback on its certificate. Normally,
there is a setup and/or monthly fee for this service. Usually, the web host assigns you a folder
on its secure server. You place the Web pages (and associated files such as images) that need
to be securely processed in the folder. When linking to the Web pages you use “https” instead
of “http” on your absolute links. Contact your Web host provider for details.
A number of steps are involved in the SSL authentication process. The Web browser and
Web server go through initial handshaking steps, exchanging information about the
server certificate and keys. Once trust is established, the Web browser encrypts the single
secret key (symmetric key) that will be used for the rest of the communication. From this
point on, all data is encrypted through the secret key. Table 12.2 shows this process.
At this point, you have a general idea of how SSL works to protect the integrity of information
on the Internet, including the information exchanged in e-commerce transactions.
The next section takes a closer look at order and payment processing in e-commerce.
Table 12.2 SSL encryption process overview
Step 1. “hello” + server certificate (the initial handshake exchange between the Web browser and
the Web server).
Step 2. The server's private key is used to encrypt a message. Only the public key can decrypt
this message.
Step 3. The browser now verifies the identity of the Web server. It obtains the certificate of the
certificate authority (CA) that signed the server's certificate. Then the browser decrypts the
certificate digest using the CA's public key (held in a root CA certificate). Next, it takes a digest
of the server's certificate. The browser compares the two digests and checks the expiration date
of the certificate. If all is valid, the next step occurs.
Step 4. The browser generates a session key and encrypts it with the server's public key.
Step 5. The server sends a message encrypted with the session key.
Step 6. All future transmissions between the browser and server are encrypted with the session key.
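The browser-side check described in the table (decrypt the digest with the CA's public key, recompute the digest of the certificate, compare the two, then check the expiration date), as an added example that is not part of the original text. It uses a constructed toy RSA key pair (p=61, q=53) and a constructed sample certificate; a real CA key is thousands of bits long and the digest is padded rather than signed byte by byte.

```python
import hashlib
from datetime import date

# Constructed toy CA key pair (NOT a real key): p=61, q=53, n=3233, e=17, d=2753.
CA_PUBLIC_KEY = (17, 3233)     # (e, n): what the browser holds in the root CA certificate
CA_PRIVATE_KEY = (2753, 3233)  # (d, n): held only by the CA

def digest(cert):
    """Digest of the certificate fields (this is what the CA signs)."""
    data = "|".join(f"{k}={cert[k]}" for k in sorted(cert)).encode()
    return hashlib.sha256(data).digest()

def ca_sign(cert):
    """CA step: 'encrypt' the digest with the CA private key, one byte at a time
    because the toy modulus is tiny. The result is the certificate signature."""
    d, n = CA_PRIVATE_KEY
    return [pow(b, d, n) for b in digest(cert)]

def browser_verify(cert, signature, today):
    """Browser step from Table 12.2: decrypt the signed digest with the CA public key,
    recompute the digest of the certificate, compare, then check the expiration date."""
    e, n = CA_PUBLIC_KEY
    recovered = [pow(s, e, n) for s in signature]
    if any(v > 255 for v in recovered) or bytes(recovered) != digest(cert):
        return False  # certificate altered, or not signed by this CA
    return today <= date.fromisoformat(cert["not_after"])

# Constructed sample server certificate for the worked example.
SERVER_CERT = {"subject": "www.example.com",
               "public_key": "(3, 3127)",
               "not_after": "2026-12-31"}
SERVER_CERT_SIGNATURE = ca_sign(SERVER_CERT)

def demo():
    """Outcome of the three cases a browser has to tell apart."""
    tampered = dict(SERVER_CERT, subject="www.other.example")  # altered after signing
    return {
        "valid": browser_verify(SERVER_CERT, SERVER_CERT_SIGNATURE, date(2025, 6, 1)),
        "tampered": browser_verify(tampered, SERVER_CERT_SIGNATURE, date(2025, 6, 1)),
        "expired": browser_verify(SERVER_CERT, SERVER_CERT_SIGNATURE, date(2027, 1, 1)),
    }

if __name__ == "__main__":
    print(demo())
```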
How do I find out about the most recent security issues?
The CERT Coordination Center at http://www.cert.org is a federally funded research and development
center operated by Carnegie Mellon University. CERT is an acronym for Computer
Emergency Response Team. One of its functions is to act as a clearinghouse of information
related to security issues and incidents. CERT issues advisories that describe security problems
and offers suggestions for preventing or correcting them.
Security issues are a real and growing problem. In 1989 CERT handled 132 incident reports.
That number has grown each year. There were 21,756 incidents reported in 2000 and over
137,529 incidents reported in 2003, the final year that this statistic was released by CERT.