Posted by Jamie Boote on May 31, 2017
In the world of data security, a critical element of working with users is earning their trust. Obtaining, implementing, and properly using an SSL certificate is one way to protect user data. Without a certificate, there is also no easy way to keep the communications between the user and an eCommerce website private from attackers.
Encryption protects data and keeps secrets out of reach from eavesdroppers. It seems like the stuff of movies and television dramas. It’s often portrayed in the media as some impenetrable obstacle that can’t be overcome without keys. Or, as an easy challenge to solve with rapid typing and a few progress bars.
We encounter encryption all the time on the web. Websites and web browsers are configured to support Secure Sockets Layer (SSL), which creates an encrypted link that prevents an attacker from listening in on the traffic and understanding what data is going back and forth. When communicating over an SSL link, a user’s credit card number, social security number, password, and other sensitive information can all safely pass right under an attacker’s nose.
When creating an encrypted SSL link, the first step that a user’s web browser takes is to verify that the website on the other end of the connection is who it says it is. Neglecting this first step can lead to a man-in-the-middle (MitM) attack. MitM attacks allow an attacker access to encrypted data by inserting themselves into the middle of the link.
Without a certificate to validate the website, a user might mistakenly connect to an attacker instead. The attacker then completes the loop by creating an encrypted connection to the website and pretends to be the user. Despite the idea that an attacker shouldn’t be able to read the data because it’s encrypted end to end, the connection shenanigans allow the attacker to decrypt data as it moves to and from the website by sitting in the middle.
An SSL certificate can prevent MitM attacks by ensuring that the user’s web browser connects to a legitimate website. This works through trust delegation. The website provides the browser with a certificate issued by a trusted certificate authority. Only then does the browser trust the website.
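The identity check described above is something any TLS client, not just a browser, has to do before the encryption is worth anything. The following is an added example (not code from the original post) using Python's standard `ssl` module: one function builds a client context that validates the server's certificate chain and host name the way a browser does, a second deliberately constructs the misconfiguration that leaves a client open to MitM, and an audit function flags the difference. The function names and the TLS 1.2 floor are this example's own assumptions.

```python
import ssl

# Assumption for this example: TLS 1.2 is the oldest protocol version a client should accept.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context(ca_file=None):
    """Client context that behaves like a browser: the server must present a
    certificate that chains to a trusted CA (the system store, or ca_file), and
    the certificate's name must match the host being contacted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True              # reject a valid cert issued for a different site
    ctx.verify_mode = ssl.CERT_REQUIRED    # reject any cert the trust store does not vouch for
    ctx.minimum_version = MIN_VERSION
    return ctx


def weakened_client_context():
    """Constructed misconfiguration: traffic is still encrypted, but the peer's
    identity is never checked, which is exactly the gap a MitM sits in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be disabled before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE        # any certificate, from anyone, is accepted
    return ctx


def audit_client_context(ctx):
    """Return a list of findings describing why a context would let an attacker
    impersonate the website; an empty list means identity is verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate is not matched to the host name")
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum_version is below TLS 1.2: obsolete protocol versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weakened", weakened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Running the audit against a context that an application actually uses (for example one passed to `urllib` or `http.client`) is a quick way to confirm the identity check has not been switched off in the name of convenience.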
There are a handful of certificate authorities. Common browsers support most of these. Occasionally, a browser will remove a certificate authority if it deems it to be untrustworthy.
Just as not all certificate authorities are the same, not all certificates are the same. Here are several certificate varieties:
If an attacker pretends to be the website, and lacks a valid certificate, the user’s web browser won’t establish a trusted connection. The browser will also issue a warning to the user cautioning them to be wary of the site.
If your eCommerce website isn’t creating encrypted connections, your customers might not see warnings about untrustworthy SSL connections. However, there may be other warnings. For example, Chrome displays an alert whenever the user is about to send sensitive information or passwords over an unencrypted connection. Without encryption, an attacker might be able to read passwords, credit card information, and other sensitive information the user also sends to the website.
SSL certificates and connections make it easy for eCommerce sites to protect sensitive data. If your website is not currently using encrypted connections, you are putting your customers at risk. SSL certificates are inexpensive and pay for themselves many times over by preventing lost business and data breaches.