Networking Enterprises, a Division of HKB Associates

Security and the Web

SSL
Cookies
Certificates
Encryption
Trusting the Web

THE INTERNET is made up of millions of computers on a public network. Because such a network is inherently insecure, web designers and individual users should regard security measures as a basic requirement. Data passes through many different machines en route from sender to receiver, and any of those machines can read the data if it has not been encrypted. It is therefore important to protect sensitive data, credit card numbers for example, whenever you send it across the network.

Encryption, key certificates, and SSL (Secure Sockets Layer) together greatly reduce the risk of eavesdropping, manipulation, and impersonation. Firewalls can add further protection for an intranet or virtual private network by controlling access and preserving data integrity. Individual users can improve their own security by using encryption software, setting their cookie preferences, upgrading their web browsers regularly, and knowing what security features to look for while surfing the web.

Evaluate your current web browser for security features. Go to the web site of the browser's manufacturer and make sure you have the most recent version available; discovered security flaws are one of the most common reasons a company issues an upgrade. Both Netscape and Internet Explorer are free downloads from their manufacturers' web sites, and both ship with current security technology. A standard installation enables the browser's security features by default, but it is still worth reviewing the settings yourself.

To check your own security preferences, look in the browser's "Options" or "Preferences" menu for a section usually labeled "Security". From there you can manage the security features of the browser: cookie settings, personal certificates, and site certificates.
 
SSL
SSL is a genuine breakthrough in security technology. Netscape, the inventor of SSL, is widely recognized as a leader in Internet security technology, and that is one of the reasons we encourage our clients to use Netscape products. SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. It is a security layer that sits between application protocols such as HTTP, Telnet, NNTP, or FTP and the underlying TCP/IP connection, so those protocols need not change to gain its protection.

SSL is an open, nonproprietary protocol, and Netscape encourages web developers to use it liberally in order to make the Internet a more secure network. You can quickly tell whether a page was delivered over SSL by looking at your location bar: the addresses of SSL pages begin with https://, while non-secure pages begin with http://. Note that the "s" tells you only that the connection to the server is encrypted; it is the server's certificate (see the Certificates section below) that tells you who that server is.

Most web sites do not operate on SSL ports because they handle nothing sensitive: educational information, product specs, corporate messages, and so on. Pages that ask you to fill out and submit a form containing private or sensitive information, such as a credit card number, are the ones that need to be secured. Web users should know to skip online forms that are not in a secure environment: look for the "s" after http in the location bar before giving out your credit card information. Many web sites tell you when you are passing between secure and non-secure environments, and you can set most web browsers to warn you of this change as well.
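The check a cautious user (or a developer auditing an order page) actually needs goes one step beyond the location bar: it is the form's action URL, not the page's own address, that decides where the data you type will travel. The following is an added example in Python, not code from the original page; the sample page, host names and function names are constructed for illustration.

```python
# Added example: resolve every form's submission target on a page and flag the ones
# that would send the user's data over plain http, even when the page itself came over SSL.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and method attributes of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append((attrs.get("action", ""), attrs.get("method", "get").lower()))


def check_forms(page_url, html):
    """Return (resolved_action_url, method, secure) for each form on the page.

    An empty action submits back to the page URL, so a form with no action on an https
    page is secure; an absolute http:// action on an https page is not (mixed content).
    """
    parser = FormCollector()
    parser.feed(html)
    results = []
    for action, method in parser.forms:
        target = urljoin(page_url, action) if action else page_url
        results.append((target, method, urlsplit(target).scheme == "https"))
    return results


def insecure_forms(page_url, html):
    """Just the submission targets that would carry the form data unencrypted."""
    return [target for target, _method, secure in check_forms(page_url, html) if not secure]


# Constructed sample page (not a real site): one form posts back to the https page,
# one posts to a plain-http server, one uses a relative path and so inherits https.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form method="post"><input name="card"></form>
<form method="post" action="http://legacy.shop.example/submit.cgi"><input name="card"></form>
<form method="post" action="/order/confirm"><input name="card"></form>
"""

if __name__ == "__main__":
    for target, method, secure in check_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("secure  " if secure else "INSECURE", method.upper(), target)
```

The second form is the case the location bar cannot warn you about: the page shows https://, yet the card number would be posted to an unencrypted address.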
 
Cookies
Cookies are small pieces of data that a web site delivers to the web browser, which stores them and returns them to that site on later requests. Sites use them to remember a user's preferences and account details. For example, Amazon.com, an online bookstore, uses cookies so that each time you log in to place an order the screen shows your name and a list of suggested books based on your previous orders with the company. While this may seem eerie to some web shoppers, Amazon.com handles this data responsibly: the connection is secure, and the browser returns the cookie only to the site that set it, so another site cannot read it. Recent versions of popular web browsers offer several choices for how cookies are handled and when you are notified. We recommend the "Send Cookie Information to the Issuing Web Site Only" setting for maximum security. If your browser does not offer it, either upgrade or select "Notify Me of All Cookies before Accepting". That at least lets you, the user, decide whether the site you are visiting is trustworthy before allowing any information to be stored.

Most of the time, cookies simply make repeat visits to password-protected web sites easier, carry the state a site needs in order to work, and collect representative samples for web statistics. All of these uses are legitimate; even so, you should take responsibility for choosing which sites may store this information. More educated web surfers make for better web security for everyone. Cookies are stored on your hard drive, but they cannot read anything else from it: a cookie contains only what the issuing site put in it, and the browser returns it only to that site. Cookies cannot collect information protected by your "preferences" settings. Many cookies are session cookies, discarded when you close the browser, and every cookie is designed so that no site other than the one that issued it can read or use it. Cookies are quickly becoming standard and are relatively safe. A formal cookie specification for programmers, RFC 2109, has been drafted by the Internet Engineering Task Force's HTTP Working Group and helps standardize programs for safe cookie exchanges.
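Added example, not code from the original page: a toy cookie jar in Python that applies the scoping rules described above to constructed Set-Cookie headers, including the "issuing site only" behaviour of the recommended browser setting. The host names, header values and function names are assumed for illustration; only the Max-Age attribute is handled for expiry, and the older Expires date format is left out.

```python
# Added example: which stored cookies a browser returns to which site, and which it refuses.
from urllib.parse import urlsplit


def parse_set_cookie(header, origin_host, now):
    """Parse one Set-Cookie header received from origin_host; None if it must be rejected."""
    first, *attrs = header.split(";")
    name, _, value = first.strip().partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": origin_host,
              "host_only": True, "path": "/", "secure": False, "expires": None}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key, val = key.lower(), val.strip()
        if key == "domain":
            domain = val.lstrip(".").lower()
            # A site may scope a cookie to itself or to a parent domain it belongs to,
            # never to an unrelated domain (that would let it plant cookies for other sites).
            if not (origin_host == domain or origin_host.endswith("." + domain)):
                return None
            cookie["domain"], cookie["host_only"] = domain, False
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
        elif key == "max-age":
            cookie["expires"] = now + int(val)   # no Max-Age means a session cookie
    return cookie


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, origin_url, set_cookie_header, now=0):
        """Store a cookie set by a response from origin_url; returns False if it was rejected."""
        cookie = parse_set_cookie(set_cookie_header, urlsplit(origin_url).hostname, now)
        if cookie is not None:
            self.cookies.append(cookie)
        return cookie is not None

    def cookies_for(self, url, now=0, page_host=None):
        """The name=value pairs the browser would send with a request to url.

        page_host, when given, is the site shown in the location bar. A request to an
        unrelated site (an embedded image, say) is third-party and gets no cookies at all:
        that is the "send cookie information to the issuing web site only" setting.
        """
        parts = urlsplit(url)
        host, path, https = parts.hostname, parts.path or "/", parts.scheme == "https"
        if page_host is not None and not (same_site(host, page_host) or same_site(page_host, host)):
            return []
        sent = []
        for c in self.cookies:
            if c["expires"] is not None and now >= c["expires"]:
                continue                                   # expired
            if c["host_only"] and host != c["domain"]:
                continue                                   # host-only cookie, different host
            if not c["host_only"] and not same_site(host, c["domain"]):
                continue                                   # outside the cookie's domain
            if not path.startswith(c["path"]):
                continue                                   # outside the cookie's path
            if c["secure"] and not https:
                continue                                   # Secure cookie, plain http request
            sent.append(f'{c["name"]}={c["value"]}')
        return sent

    def end_session(self):
        """Closing the browser: cookies with no expiry are session cookies and are dropped."""
        self.cookies = [c for c in self.cookies if c["expires"] is not None]
```

Two behaviours matter most for the advice above: a cookie set with a Domain attribute naming a site the issuer does not belong to is refused outright, and a cookie set by one site is never sent to another, whatever its attributes say.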
 
Certificates
Certificates are data files containing specific pieces of information: 1) a distinguished name describing the certificate holder, 2) the certificate holder's public key, 3) the name of the certificate authority (CA) that issued the certificate, 4) unique certificate data such as a serial number, an expiration date, and digital fingerprints, and 5) the CA's digital signature over all of the above, which is what lets a browser check that nothing in the certificate has been altered. Certificates are used to authenticate servers and users: the holder proves possession of the private key that matches the certified public key, so an impostor who does not hold that key cannot pass as the holder.

Certificates are also called digital IDs. Digital IDs are issued by independent third-party security firms, Verisign being the most prominent, which vouch that the public key in the certificate belongs to the named server or individual. Used together with encryption, certificates provide a more complete security solution by assuring the identity of all parties in a transaction. Any web development company hosting online credit card facilities must have such digital IDs issued for its secure servers. Do not trust web pages asking for private information unless they use SSL with a valid digital ID, and know to look for the certificate when entering a site that asks for sensitive data. In Netscape, you can click the security key icon in the lower left corner of the browser window, or select "Document Info" from the main menu, to view the security information for the page you are viewing.

Digital IDs are used in a number of applications. Most commonly they authenticate secure servers conducting online commerce, but electronic funds transfers (EFTs) and smart cards also rely on them, groupware products hosted on intranets now use them, and law firms have started signing email with digital IDs so that it is legally admissible in court. Anyone can purchase a digital ID for personal use for about $300.00.
 
Encryption
Almost all popular email programs support a protocol called S/MIME (Secure/Multipurpose Internet Mail Extensions), which has become the industry standard format for sending secure email over the Internet. S/MIME adds digital signatures and encryption to your email automatically once you turn those features on. If your email program does not support S/MIME, it is time to upgrade. Email applications such as Outlook Express (Internet Explorer), Netscape Messenger, Deming, Frontier, Eudora, Opensoft, Pre-Mail, and Connectsoft all support S/MIME.

Encryption scrambles the content of your message so that only the intended recipient can unscramble it. Signatures require a digital ID; they show who sent the message and that it was not tampered with en route. In a Netscape browser, you can tell whether a received email is signed or encrypted by the icons in the upper right corner of the window: the words "Signed" and/or "Encrypted" appear along with a padlock icon, and clicking the padlock shows more security information about the message. In Internet Explorer, signed messages appear in your inbox with a red ribbon on the envelope icon, and encrypted messages have a padlock on the envelope icon.

Combining signature and encryption gives the most security. A signature alone verifies that the message came from you and was not altered, but it does not protect the content from third-party monitoring. Encryption alone protects the content from being read by third parties, but does not verify that you sent it. PGP is the most widely used encryption program and Verisign's Digital ID for email is the most commonly used signature service. To sign a message you need a digital ID, and the recipient needs an S/MIME-enabled email program to check the signature. To encrypt a message you need the recipient's digital ID, because the message is scrambled with the public key it contains and only the recipient's matching private key can unscramble it.
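To make concrete what a certificate binds together (the Certificates section above) and why signing and encrypting give different guarantees (this section), here is an added example in Python. It is not code from the original page and not any real product's implementation: it uses textbook RSA with toy 32-bit primes and no padding, SHA-256 as the hash and as a stand-in keystream, and the CA name, subject names and function names are assumed. It illustrates the concepts and must not be used as real cryptography.

```python
# Added toy PKI: a CA-issued certificate, then S/MIME-style signing and hybrid encryption.
# Textbook RSA with 32-bit toy primes and no padding; illustrative only, not real cryptography.
import hashlib
import secrets

E = 65537  # the usual public exponent (prime)

def is_prime(n):
    """Trial division, adequate for the 32-bit toy primes used here."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % i for i in range(3, int(n ** 0.5) + 1, 2))

def next_prime(x):
    while not is_prime(x):
        x += 1
    return x

def keygen(seed):
    """Deterministic toy RSA key pair; returns ((e, n), (d, n)). Real keys come from a CSPRNG."""
    while True:
        p, q = next_prime(seed), next_prime(seed + 12345)
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % E:  # E is prime, so E not dividing phi makes it invertible mod phi
            return (E, n), (pow(E, -1, phi), n)
        seed += 1

def digest(data, n):
    """SHA-256 of data reduced into the modulus range (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    d, n = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data, signature):
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)

def tbs_bytes(cert):
    """Canonical encoding of the fields the CA vouches for (the 'to be signed' part)."""
    e, n = cert["public_key"]
    return "|".join(map(str, [cert["subject"], cert["issuer"], cert["serial"],
                              cert["not_after"], e, n])).encode()

def issue_certificate(ca_name, ca_private, subject, subject_public, serial, not_after):
    """The CA binds a distinguished name to a public key by signing the bundle."""
    cert = {"subject": subject, "issuer": ca_name, "serial": serial,
            "not_after": not_after, "public_key": subject_public}
    cert["fingerprint"] = hashlib.sha256(tbs_bytes(cert)).hexdigest()
    cert["signature"] = sign(ca_private, tbs_bytes(cert))
    return cert

def verify_certificate(cert, ca_name, ca_public, now):
    """What a browser checks before trusting a server: known issuer, valid signature, not expired."""
    if cert["issuer"] != ca_name:
        return False, "issued by an unknown CA"
    if not verify(ca_public, tbs_bytes(cert), cert["signature"]):
        return False, "CA signature does not verify (forged or altered)"
    if now > cert["not_after"]:
        return False, "certificate expired"
    return True, "ok"

def keystream_xor(content_key, data):
    """XOR with a SHA-256 counter keystream; stands in for the symmetric cipher S/MIME uses."""
    key = content_key.to_bytes(16, "big")
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def encrypt(recipient_public, plaintext):
    """Hybrid encryption: a fresh content key, wrapped with the recipient's public key."""
    e, n = recipient_public
    content_key = secrets.randbelow(min(n, 1 << 128))
    return pow(content_key, e, n), keystream_xor(content_key, plaintext)

def decrypt(recipient_private, wrapped_key, ciphertext):
    """Only the holder of the matching private key can unwrap the content key."""
    d, n = recipient_private
    return keystream_xor(pow(wrapped_key, d, n), ciphertext)

if __name__ == "__main__":
    ca_public, ca_private = keygen(2_000_000_000)
    shop_public, shop_private = keygen(3_000_000_000)
    cert = issue_certificate("Example CA", ca_private, "CN=shop.example", shop_public, 1001, 2001)
    print(verify_certificate(cert, "Example CA", ca_public, now=2000), cert["fingerprint"][:16])
    order = b"order #42: ship to 1 Main St"
    print("signed, readable by anyone:", order, sign(shop_private, order))
    wrapped, ciphertext = encrypt(cert["public_key"], order)
    print("encrypted:", ciphertext.hex(), decrypt(shop_private, wrapped, ciphertext) == order)
```

The two halves of the page's advice show up directly: `sign` leaves the order readable by anyone on the path and only proves who sent it, while `encrypt` hides it and only the holder of `shop_private` gets it back. A certificate for "CN=shop.example" produced by someone without the CA's private key fails `verify_certificate`, which is the impersonation the Certificates section says digital IDs prevent.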
 
Trusting the Web
The Internet is a new frontier for commerce. Web developers have worked diligently for the past five years to improve security and create a commerce-safe environment for web surfers, and for the most part they have succeeded. As a user, you can take precautions that greatly protect your personal information, but the bottom line remains: you also have to trust the recipient of that information. Just as you have to trust a merchant not to pass on your credit card number, you have to be willing to trust the web firm that operates the receiving server before you enter a commercial transaction. Security technology goes a long way toward protecting you from eavesdropping on the way across the Internet, but it cannot protect you from a dishonest or careless recipient.

We encourage people to learn about Internet security and the risks associated with online commerce. More information can only lead to better decisions, and if you are not comfortable entering personal information on the web, do not do it. Almost all order facilities have links that take you to the hosting company's web site (not necessarily the company you are purchasing from), where you can learn about the reputation and security practices of the web developers who built that order form. To learn more about the security features of your own browser, go to its manufacturer's web site and read their published white papers, which go into more detail about the specific product you use.


Contents copyright © 1999,2000,2001,2008 Networking Enterprises. All rights reserved.