SSL is an acronym for Secure Sockets Layer. SSL protects transmissions over the World Wide Web from eavesdroppers by encrypting the data while it is transmitted over the Internet. SSL works through a certificate that authenticates a certain domain. With this certificate, secure transmissions on the server are "certified" and valid. Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers. Web pages that require an SSL connection start with https: instead of http:.
How does SSL work? SSL currently comes in two flavors: 40 bit and 128 bit encryption. The 40 bit encryption method is used for browsers outside the United States and the 128 bit version is available to users within the US. The bit numbers simply designate the level of encryption being used. For example, the 40 bit encryption key has 2 to the 40th power (1,099,511,627,776) possible key combinations. The only real way to crack an SSL document is by brute force: manually trying every combination until you hit upon the correct one. Needless to say, this is extremely time consuming! One of the first crack examples used a network of 120 computers running parallel processes and took eight days to search half the keyspace. RSA Data Security (www.aus.rsa.com/) offered a $1000 reward for breaking the code, and a graduate student claimed to have done it in three and a half hours. He was also using 250 computers in tandem. The 128 bit code for US residents is even more difficult to break. We use 56-128 bit SSL on all of our servers. We do not currently support using SSL with FrontPage.
Why Use SSL? SSL makes purchasing online more secure than buying at a physical retail store. For the most part, when you open a secure connection to an e-commerce site, you are using SSL encryption. Whatever information you send is encrypted (garbled in a specific way that can be interpreted on the receiving end). The secure server then keeps that information encrypted so no one can get access to your private information. In some cases, retailers and banks even transfer that information to a server that is not connected to the Net at all. An important note here is that e-mail servers are generally not secure, so you probably do not want to take credit card orders by e-mail. You must announce to a customer beforehand if you are not using a secure server to collect sensitive or personal information. Hackers use programs that "sniff" out information, often using pattern-matching to find obvious patterns such as credit card and Social Security numbers. But if your credit card number is encrypted, it looks like a very long string of letters and numbers instead, so the sniffer cannot find it. Many people seem to be hesitant to shop online because they believe it to be less safe. However, the protection offered by SSL means that your credit card number will be seen by far fewer people than if you use it at a store. When you make a purchase at a physical store, there is a trail of paper left behind, containing your number in its entirety. If it falls into the wrong hands, that person can enjoy themselves at your expense. How much do you trust the waiter who takes your credit card at the restaurant? How much time would it take to copy down your credit information? On the other hand, when you shop online, the only people who will see your personal information are those who are actually processing your payment.
How Do I Upload To My SSL Server? The order form and other files you want secure need to be uploaded via FTP. Here are the steps:
1. FTP to your Redglue server as discussed in your Welcome Letter
2. Change directories via FTP to this directory:
3. Upload your order form and secure files.
How do I access my secure files once they are uploaded? Secure files are accessed by typing "https" instead of the regular "http." This means that the HTML link from your regular site to your secure site needs to use "https" instead of "http." So if your website is www.fastcar.com and your secure form is called "order.html," the link to the secure form would look like this:
Can I use Email for secure transactions? Email is by nature insecure, because it transmits data through a mail server (not a secure server). The form asks for information and then sends that information on through a mail server to the vendor. There are some rather technical ways around this if you wish to use Email to capture sensitive information. However, it is not recommended at this time.
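The two answers above (link to secure files with "https", and do not send sensitive form data through email) can be checked mechanically before a page goes live. The following is an added example, not code from Redglue: it scans a page's HTML and reports links to secure files that still use http, and forms with sensitive fields that submit over plain http or mailto. The sample page, the SECURE_FILES set, the field-name hints and the example.com address are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page. www.fastcar.com and order.html are the FAQ's example names.
SAMPLE_PAGE = """
<a href="http://www.fastcar.com/order.html">Order (plain http)</a>
<a href="https://www.fastcar.com/order.html">Order (https)</a>
<form action="mailto:orders@example.com" method="post"><input name="cardnumber"></form>
<form action="/search" method="get"><input name="q"></form>
"""
SECURE_FILES = {"/order.html"}  # assumption: paths that must only be reached over https
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "ssn", "password")  # assumption: field-name hints


class InsecureSubmitAudit(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []   # (kind, url) tuples
        self._form = None    # [resolved action, saw sensitive field] while inside <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlparse(urljoin(self.base_url, a["href"]))
            if url.scheme == "http" and url.path in SECURE_FILES:
                self.findings.append(("link-not-https", url.geturl()))
        elif tag == "form":
            self._form = [urljoin(self.base_url, a.get("action") or ""), False]
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or any(h in name for h in SENSITIVE_HINTS):
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            action, sensitive = self._form
            scheme = urlparse(action).scheme
            if sensitive and scheme != "https":
                kind = "form-mailto" if scheme == "mailto" else "form-not-https"
                self.findings.append((kind, action))
            self._form = None


def audit(html, base_url):
    parser = InsecureSubmitAudit(base_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE_PAGE, "http://www.fastcar.com/index.html")` returns one finding for the http link to order.html and one for the mailto form; a form with no action is treated as submitting back to the page's own URL.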
Other Resources
Where can I get a "management overview" of SSL and web security?
Where can I get a more in-depth look at SSL and web security?
© 1999-2009 Redglue.net, A Redglue, Inc. Company. All Rights Reserved