SSL: Secure Sockets Layer – AKA Secure Web Servers
What it all means to you
Web browser: “How do I know you’re who you say you are, Mr. Big Bank? You have any ID?”
Mr. Big Bank: “As a matter of fact, I do, young fella. Here is my security certificate, you’ll notice that it matches the one that was issued to me by VeriSign.”
Web browser: “OK I’m in a hurry, give me the secret code so I can do my business go back to working on my AntiFacebook page. What’s the password to get in?”
Mr. Big Bank: “Hang on there, buster. Don’t worry! I’m am going to send you a special decryption key you can use to decrypt my super-encrypted transmissions. But remember, it’s only good for this one session. So tell that bozo pushing your buttons that if he closes you while we’re in the middle of things, we’ll have to go through all this again. Frankly, it’s a lot of work for me.
Web browser: “It’s a lot of work for me too. So gotcha! Let’s get started. Send away.”
(Remember computers talk very rapidly, since they only have two words in their vocabulary – zero and one. So the above conversation takes less than a second in computer language. We had a heck of time translating zeros and ones into English. And I suppose not good English at that. Right, Mrs. Ralston? )
The above is a little light-hearted version of what happens when you go to a secure site to make a purchase, pay bills or go to a site where sensitive information is exchanged like your Social Security number, credit card numbers, bank account numbers, home address, telephone number, etc. Names and email addresses are not considered sensitive data by most people or web sites.
Whenever you enter any sensitive information make sure your browser’s address bar displays https:// and not http:// – . You’ll see a little lock next to the URL (the web address). By the way, did you know if you click on that lock (which tells you you’re on a secure server) you’ll get the trust mark – which tells you the name of the company that issued the site’s SSL certificate?
Almost all secure sites are protected with 128 bit encryption. At current computing speeds, a hacker with the time, tools, and motivation to attack using brute force hacking tools would require a trillion years to break into a session protected by 128 bit encryption. Not many people live a trillion years. Considering the earth is only about 5 billion years old and the universe is thought to be between 13 and 15 billion years, no one’s yet had a chance to try to live a trillion years, so your data’s pretty safe.
Here’s why encryption is so important. If you login a site that is not on secure server – SSL (Secure Sockets Layer), there’s a very slight chance that someone sniffing web traffic to and from that server could intercept your password and username, and if all that you’re doing is logging to a social networking site, or logging onto a forum, you don’t have a lot to worry about.
Number One: There’s nothing of value (money or sensitive information) for anyone to bother sniffing web traffic on these kinds of sites. That’s not to say that there are not some low-level creepers who might do it, but generally you shouldn’t worry if Facebook is on a secure server or not because you should NEVER be putting any sensitive information on a social networking site anyway!
Now your email is another matter. Hotmail, Yahoo Mail, and Gmail login pages are all on secure servers. Why? Because your email may (and probably does) contain personal information. So any hacker sniffing traffic to Gmail, Hotmail, or Yahoo Mail, better settle in for a trillion years.
But most passwords, credit card numbers, and other sensitive information isn’t stolen by hackers sitting in a dark basement in Hachicoo, Alaska. It’s given to them voluntarily by YOU. That’s right. Those of you who click links in email supposedly from your bank or some other site that requires sensitive information, can bet that:
1. The site won’t be on a secure server (https://)
2. The site will look exactly like your bank, store, or other payment center.
3. If you fill in the login information, you’ve just given the criminals your password and username for the real site.
4. As soon as you click “Submit” your information is being transported to some criminal in a cellar somewhere in Romania, and you’ll be redirected to a page that says “Error” please retry.
5. You are probably in for big, big trouble.
Regardless of the hype propagated by companies that sell firewalls, please remember that firewalls don’t protect you from getting your credit card and other sensitive information stolen, your brain does. It’s deceitful for firewall companies to claim their firewall can protect your credit card numbers, social security address and other sensitive information, when over 95% of all data that is stolen is voluntarily given to the criminals by the user him or herself.
Whenever you are entering sensitive information on any web site, look at your browser’s address bar – and if it says https:// and you see a little lock icon next to it, you can trust that whatever data are being transferred to and from your computer and that server is encrypted in such a way that no hacker anywhere is going to be able to snatch it.
Every secure session uses a different encryption key. So when you end that session, that encryption key is no longer valid. That’s another protection that secure servers offer – and that should make you feel more comfortable when entering information.
Two more things:
1.) If all you are entering is your name and email address, that’s not considered sensitive information. Not all sites that ask for your name and email address are going to be on secure servers because there’s just no good reason for it and SSL certificates are expensive and running secure servers is more costly. So don’t run scared if you’re signing up for a forum for knitters and you look up and see no https:// . OK?
2.) Your accounts are only as secure as your password. Your password is the key you use to enter your account. It doesn’t matter how secure the server is if your password is weak. Please don’t use weak passwords.