If visitors to your web site need to transfer sensitive information, they’ll feel a lot better knowing their session is encrypted with SSL.
Why is that?
Well, with low-level 40-bit encryption, a hacker’s “brute-force” attack on a given session would likely yield complete access to that session in around 4 hours (using a high-end home computer system), which is, let’s be honest, better than no encryption at all.
For the record, that 4-hour breach was possible back in… 1997 — imagine the same “brute-force” attack with today’s much more powerful computers and you quickly get the picture.
Without SSL, there’s no protection whatsoever from “technically talented prying eyes”, which is why some of your visitors feel more comfortable transferring their data within SSL-encrypted sessions.
So, what’s “SSL”, anyway?
The popular acronym “SSL” is short for Secure Sockets Layer. It’s a protocol originally developed by Netscape (now being shut down by AOL) for transmitting private documents online.
Technically, SSL uses a cryptographic system based on two keys to encrypt the data, where one key is public (known to everyone) while the other one is private (kept secret from the world by the recipient of the message). Both browser branches, Netscape Navigator and MS-Internet Explorer, support SSL, so a growing number of web sites use the protocol to transfer confidential user information, namely credit card numbers.
Spotting SSL-enabled web destinations is very easy: by convention, URLs that require an SSL connection to work start with “https:” instead of the standard “http:”.
But is there a more secure SSL encryption level than just 40 or 56 bits?
Fortunately, yes. Verisign and a host of other credible providers offer 128-bit and even 256-bit encryption. For the day-to-day uses of banks and responsible companies managing web transactions, 128 bits should be more than enough, though.
You see, 128 bits of encryption represents a dramatic increase in complexity over mere 40 bits. If you’re good at math, you’ll be happy to learn that 128-bit SSL encryption has 300 septillion times more combinations than 40-bit — again, that’s 300,000,000,000,000,000,000,000,000 times!
If your web site initiates 128-bit SSL connections with its users, you can estimate that for a hacker to breach one of your sessions, using the same “brute-force” approach as the one described earlier, it would take well over a trillion years. That’s more than enough for your users to feel comfortable with transferring their sensitive information over the web, with your company.
That’s also the main reason why Verisign, based in Mountain View, CA, is pushing so hard to get companies to secure their online properties with 128-bit and higher SSL encryption.
Some of the oldest browsers and operating systems can get in the way of a smooth experience of SSL encryption for users who are unfortunate enough to be using proverbial dinosaurs to go about their computing tasks, but for anybody using 2003-and-after technology, 128-bit encryption shouldn’t be a problem.
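To see where a given client falls on the 40/56-bit versus 128/256-bit scale discussed above, here is an added example (not part of the original article) that uses Python’s standard `ssl` module to list the cipher suites a default client context offers and flag any below 128 bits. The legacy sample records and the helper names are constructed for illustration.

```python
import ssl

# Constructed sample records in the shape returned by SSLContext.get_ciphers()
# (real records carry more keys). They stand in for a legacy configuration
# and are not taken from a real scan.
SAMPLE_LEGACY = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]


def split_by_strength(ciphers, floor_bits=128):
    """Return (strong, weak) lists of (name, bits), split at floor_bits."""
    strong, weak = [], []
    for c in ciphers:
        # A record without a strength value is treated as weak (0 bits).
        bits = c.get("strength_bits", 0)
        (strong if bits >= floor_bits else weak).append((c["name"], bits))
    return strong, weak


def default_client_ciphers():
    """Cipher suites this Python/OpenSSL build enables for a default client."""
    return ssl.create_default_context().get_ciphers()


def report(label, ciphers, floor_bits=128):
    """Build a short text summary, listing every suite under the floor."""
    strong, weak = split_by_strength(ciphers, floor_bits)
    lines = [f"{label}: {len(strong)} suites >= {floor_bits} bits, {len(weak)} below"]
    lines += [f"  WEAK {name} ({bits} bits)" for name, bits in weak]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("legacy sample", SAMPLE_LEGACY))
    print(report("this Python/OpenSSL build", default_client_ciphers()))
```
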
The reason why the bulk of online communications occur without encryption is mainly because of the weight it adds to unencrypted data. You see, a bit of data travels quite fast on the internet but wrap it with 128 bits of encryption and from a technical standpoint, it becomes 128 times heavier. So if “everything” on your web pages suddenly becomes 128 times heavier, that could seriously impact the user experience, especially if the user isn’t connecting to the internet using the faster pipelines like ADSL or cable.
For this reason, SSL encryption is generally limited to the sensitive zones of a web site, like the credit card checkout step, at the very end of the entire shopping process.
While you can get an SSL encryption key from a wide range of providers like Entrust, GlobalSign, GeoTrust, RapidSSL, MBNX, Comodo, Thawte and many others, a growing number of companies are looking for features like Server Gated Cryptography (SGC), which dynamically provides every site visitor with the strongest encryption available to them, and Extended Validation (EV) SSL Certificates, which turn the address bar green and allow viewers to experience new interface advancements. These features are namely offered by Verisign.
In other words, the SSL encryption market is getting very competitive and the prices are lower now than ever before. Ultimately, a company can issue both SSL encryption keys itself, thereby completely circumventing the very need for an external provider, but the question of certificate integrity is raised when such a practice occurs.
So, for most companies (especially the smaller ones), it’s more credible for the site visitors when a major SSL key provider guarantees the very integrity of the system.
The bulk of information available online will never need SSL encryption since it’s intended for public use, but for those more sensitive bits of information, companies can rely on either 128 bits or (for the hopelessly paranoid) 256 bits of encryption to keep their users safe from hackers lurking in the darker corners of cyberspace.