Most of us use encrypted communication on a daily basis without even knowing, noticing or even caring about it. You just want to login to Facebook, catch up on current events, watch a few cat videos on YouTube, check your email or download a new track from iTunes. What you don’t want is other people checking out your surfing behaviour and other personal stuff. This is where encryption comes in; it’s all around us and protects us from (most of) the threats that come with surfing the World Wide Web.
In this blog we present you with some background information on encryption and the HTTPS protocol, we explain how these measures can help merchants ensure safe traffic on their own web sites and of course how to set them up. Since part of this blog is quite technical, please refer to the links for additional explanations about the used terminology.
What is encryption?
Let us start with explaining what encryption actually is. We know you know, but humour us, ok? The art of encryption has been around for ages, and despite the technical revolution the contemporary online application of it doesn’t really differ much from its origins. It still means to encode messages or information in such a way that only authorised parties can read it. Generally speaking, when referring to encryption in relation to the Internet, people refer to the Secure Hyper-Text Transfer Protocol (HTTPS for short). HTTPS is a modified version of the original HTTP protocol, where the two parties (your computer and the server you want to connect to) are agreeing on a secure method for communication before actually transferring any data over the network. But that’s not everything. Aside from agreeing on the cryptographic parameters, the client and the server can authenticate and verify whether or not they are actually talking to the genuine client or server they are supposed to be in contact with.
If you visit a web site over the default Hyper-Text Transfer Protocol (HTTP), a type of unencrypted Internet Protocol, the content is displayed in plaintext. This means that every interaction you have on or exchange you have with the web site is visible to everyone who positions themselves between you and the server. This is called a man-in-the-middle attack. For example, if you connect to a Wi-Fi hotspot, everything you transfer in HTTP between you and the server will be visible to every participant in the hotspot. This is fine as long as all you want is to catch up on the latest news or watch clips on YouTube, but when you want to transfer private information (name, SSN, email, home address, credit card details, etc.) however, this becomes a problem. That is why network traffic is encrypted; to prevent unauthorised parties from actively monitoring your connection and compromising your transfers.
How does HTTPS work?
Let’s say you want to connect to eMerchantPay.com. You type the address in the browser, hit enter and go to the requested web site within milliseconds. Seems simple enough, right? Wrong! Within those milliseconds a lot happens on the back end of the web site to ensure your safety while browsing. This is fairly technical, but also crucial information if you want to understand the inner workings of surfing the web, so please bear with us. Each time you visit a HTTPS web site, your request goes through the process below:
- Your browser has to know what eMerchantPay.com means. As computers in a network refer to each other by their assigned address (be it IPv4 or IPv6), your computer needs to translate eMerchantPay.com to an address they can connect to. At the time of writing this article, the address you will get is: 22.214.171.124.
- Once you have an address you initiate a connection to the remote server. If the connection is successful, your browser initiates a Secure Handshake with the server.
- Your browser sends a ClientHello message, in which you describe what Cryptographic Ciphers you have available, what version of the protocol you’re using and a few technical parameters.
- The server responds with a ServerHello message, which contains their Certificate chain, the Cryptographic Ciphers they support and a few technical parameters.
- The browser is attempting to verify the Server authenticity. If browser is unable to verify the authenticity, it will abort the connection and show an Error message to the visitor.
- If everything went as expected (i.e. the server has been successfully verified), the browser exchanges (and agree) upon which keys should be used for this session.
- You start to exchange data1.
- The contents of the webpage are securely transferred and displayed within your browser.
The above can be summarised like this2:
Why merchants should spend time and money implementing HTTPS & encryption
Even though these security measures are more for customers rather than the merchant, privacy and security are of paramount importance in building trust between merchants and their client base. Compromising customer data damages reputations, makes customers feel uneasy about dealing with a merchant and could result in fraudulent orders and/or transactions. Dealing with those problems could end up taking a huge amount of time and money, much more than it would if you implemented the security measures in the first place.
While cryptographic protocols Transport Layer Security (TLS) and it predecessor Secure Socket Layer (SSL) have been anything but accessible in the past, today you can get yourself a certificate for less than $10 per year and the computational overhead (due to the additional encryption) is almost negligible, in both response time and CPU usage.
How to set up encrypted traffic on your own web site
First of all, you need a certificate for your web site (domain). In order to obtain one, you have to create a Certificate Request (CSR) with your domain data provider. Follow this tutorial if you want to create a CSR in OpenSSL. Issuing a certificate usually only takes a couple of minutes3.
Please note that:
- if you’re running on a Shared Hosting plan, you might want to consult your hosting provider on details about their control panel SSL support.
- if you’re running a dedicated server (or a VPS), its likely that you’re using either Apache or nginx as a web-server software. You can find basic setup guide for Apache and nginx.
different versions might require different setting keys/values. If in doubt, find the exact version you are using and Google a tutorial for it.
With the abovementioned tips, you will be able to rest assured that traffic to and from your web site is safe, both for you and your customers.
1. At this point, the data you transfer is under the HTTP protocol, however, they are now encapsulated inside an encrypted container and thus everyone listening in on the network will have a hard time making sense of the data that you’re transferring. To an outside observer it would look like a random data.
2. For the purposes of this article, we’re addressing a basic overview of the HTTPS Handshake process.
3. You have to keep the private .key file safe to prevent unauthorised access.