Browse archive

Latest news

Experts highlight top data breach vulnerabilities

Review: Logging and Log Management

Commission wants to minimize U.S. IP theft economic impact

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

Guantanamo cuts off Wi-Fi access due to OpGTMO

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

Whose Site is it Anyway?

by Richard Moulds - nCipher - Monday, 29 March 2004.

The challenge therefore, is to extend the security provided by SSL deeper into the website infrastructure in order to protect data behind the firewall from internal as well as external attacks. As the concept of perimeter security, relying solely on creating a secure network boundary around an organisation, becomes outdated it becomes even more important to protect sensitive information wherever it flows, inside or outside a corporate network. To achieve this, the same tamper-resistant hardware protected environment used to store SSL keys can now be used to terminate SSL sessions, process unencrypted data and pass traffic securely on to other back-end applications.

SSL has come along way and the encryption protocol is now being widely adopted as a major industry standard. What lies behind the simple padlock is a complex technology that underpins the security of the Internet. Providing that it is deployed correctly, which typically includes the use of a dedicated HSM for any organization handling sensitive information, SSL delivers the all important level of trust that is vital if more of us are going to have the confidence to buy and do business online.

What is SSL

The SSL protocol was developed in 1994 by Netscape - one of the early Internet browser pioneers - for securing web transactions and messages over the Internet and today is included in all standard browsers along with most web server products. SSL uses a process of public key encryption to secure the connection between your web browser and a remote web server.

Public key encryption uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key that anyone can know and a private key that is never distributed and always kept secret. Data encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key.

When a customer uses a web browser to connect to an online store to carry out a purchase or visits their online bank, the SSL protocol causes the vendor's web server to present its public key in the form of a digital certificate to the customer's web browser, to identify and authenticate itself. The customer's web browser then creates and encrypts a 'session key' using the public key information stored in the digital certificate. This session key is returned to the vendor's web server, where it is unencrypted using the web site's own and hopefully secret private key.

Only the correctly matching private key can decode the message, so the communication between the two parties is secured with a single shared secret key. Secure communication can then take place between the vendor's web server and the customer's web browser. Simple!