Is it a security must-have or simply a good branding tactic?
Secure socket layer (SSL) encryption has been called by some tech experts as a Web site must-have for businesses of any size, while other quarters contend it’s a nice-to-have that in some instances might even be harmful to your site’s health.
A recent announcement by security software firm Symantec Corp., of a new SSL certificate management offering for users and channel partners turns the spotlight on this security question once more. SSL pertains to cryptographic protocols that provide communication security over the Internet by encrypting segments of network communications. With technology gained from SSL company VeriSign Inc., which it acquired last year, Symantec will release for public beta in September, products aimed at helping IT administrators, Web hosting firms and tech service providers monitor and maintain SSL certificates.
The release will include free downloadable SSL certificates for users and an onsite appliance which IT administrators can use to maintain and manage SSL certificates used by their companies, said Fran Rosch, vice president of trust services for the enterprise security group of Symantec.
How SSL works
Because a lot of today’s communications and transactions occurred on the Web, there is a need to make sure that information being transmitted between Web sites and customers are safe from interception or from being read by unauthorized people.
For users, it is also important to know that the Web site they are transacting with is the authentic site and not a spoofed site. “People’s personal information, banking and financial information are being transmitted over the Internet. Consumers want to make sure they are dealing with the right people and not cybercriminals,” said Michael Murphy, vice president and general manager of Symantec Canada.
Secure Socket Layer works through a combination of encryption and decryption routines existing between the hosting computer and browser such as Internet Explorer, Chrome, Firefox or Safari to secure communications. It is akin to HTTPS (hypertext transfer protocol secure) and what is called “social authentication”, which was recently deployed by Facebook.
Businesses purchase SSL certificates from a certificate issuer such as VeriSign. Each certificate is unique to the owner. The issuer also authenticates the identity of the certificate buyer before it issues the certificate.
- When a user or consumer’s Web browser connects to the site of an SSL secured business, the browser requests that Web server to identify itself.
- The server sends the browser a copy of its SSL certificate.
- The browser determines whether it can trust the certificate. If so, it proceeds to send the user’s message to the server or Web site.
- The server sends back a digitally signed acknowledgment to the browser in order to begin an SSL encrypted session.
- Encrypted data is then shared between the browser and the server.
Sites that employ SSL encryption typically sport a visible logo indicating that they use the technology. In the case of VeriSign clients it was a check mark with the VeriSign name. But that logo will soon change to incorporate the Norton and Symantec brands.
“It’s about trust. When people see the check mark on your site, they know that transactions will be secured,” said Rosch.
SSL is mainly about trust not security?
And there lies the problem with SSL encryption, according to one Toronto-based security expert.
“In some instances, SSL certification can lull site visitors into a false sense of security,” said Claudiu Popa, principal of Informatica Corp. Popa is also a blogger for ITBusiness.ca Blogs where he regularly writes about security and privacy issue.
Popa said SSL encryption is “far from an end-to-end security solution” but rather just one facet of securing online transactions. “These are tools that serve mainly to increase the user or visitor’s perception of the security of the site.”
“Sometimes that image correctly represents the company’s security controls and practices,” said Popa, “Other times, unfortunately, it is nothing more than smoke and mirrors.”
Popa is primarily concerned with the number of certificate issuers and the ease with which individuals or organizations can obtain a certificate. For instance, he said, cyber criminals can obtain SSL certificates for a site that they will use to infect visitors with malware.
“Anyone can obtain a certificate. All a certificate does is authenticate that the holder is the actual owner of the certificate but it does not guarantee that visitors to the site will not be infected by malware,” he said.
Who needs SSL?
That being said, SSL is still a useful security and branding tool for SMBs and large corporations.
If you are doing business in the Web, it’s more likely than not you will be handling some form of information belonging to your customers, according to Michelle Warren, lead analyst and principal of MW Research and Consulting in Toronto.
“You will want to have customer names, addresses, phone numbers, credit card information or other personal details encrypted to help prevent a data breach,” she said. “At the same time, as a business you want a visual cue that will tell customers a reputable security firm vouches for you.”
Both Popa of Informatica and Warren believe that businesses that do the following can benefit from SSL:
- Financial businesses such as banks, investment firms and credit unions
- Businesses that maintain a database of customer names, addresses, phone numbers or other personal information
- Businesses that conduct online transactions
- Businesses in healthcare that may handle individual’s health records
Even small service companies such as a plumbing business with a Web site that serves as a “brochure site” may eventually need SSL as the owner begins to develop an online database of customers, according to Murphy of Symantec Canada.
“Deploying SSL sends a signal to customers that you value your site’s credibility and that the safety of their information is important to you,” said Warren.
Nestor Arellano is a Senior Writer at ITBusiness.ca. Follow him on Twitter, connect with him on LinkedIn, read his blogs on ITBusiness.ca Blogs, email nestor at [email protected] and join the ITBusiness.ca Facebook Page.