Securing Your Web Storefront with an SSL Certificate


As previously explained in Chapter 18, a proven, low-cost solution to secure online transactions is available today. SSL certificates have earned the trust of businesses world-wide, including virtually all of the Fortune 500 companies on the Web and all of the top 80 e-commerce sites. To date, over 854,000 SSL certificates have been issued. This part of the chapter continues the discussion that was started in Chapter 18 by describing in detail how SSL certificates work to make online transactions secure.

Presenting Your Credentials via an SSL Certificate

An SSL certificate, also known as a digital certificate (see sidebar, “How Digital Certificates Work”), is the electronic equivalent of a business license. SSL certificates are issued by a trusted third party, called a Certification Authority (CA). The CA that issues an SSL certificate is vouching for your right to use your company name and Web storefront address, just as the office of the Secretary of State does when it issues Articles of Incorporation. CAs can also issue digital certificates to individuals.

Before issuing an SSL certificate, the CA reviews your credentials (such as your organization’s Dun & Bradstreet number or Articles of Incorporation) and completes a thorough background checking process to ensure that your organization is what it claims to be, and is not claiming a false identity. Then, the CA issues your organization an SSL certificate, which is an electronic credential that your business can present to prove its identity or right to access information (see sidebar, “How Digital Certificates Work”).

An SSL certificate from the CA provides the ultimate in credibility for your online business. A CA’s rigorous authentication practices set the industry standard. The CA documents its carefully crafted and time-proven practices and procedures in a Certificate Practices Statement. And, the CA annually undergoes an extensive SAS 70 Type II audit by KPMG.

Note

The Statement of Auditing Standard 70, SAS 70, was established by the American Institute of Certified Public Accountants to certify trusted practices.

Employees responsible for dealing with certificates undergo complete background checks and thorough training. The CA has achieved its unsurpassed reputation as a trusted third party by paying as careful attention to physical security as electronic security. For example, a company’s 22,000-square-foot plant where keys are issued has five tiers of security, the last three requiring fingerprint identification.

start sidebar
How Digital Certificates Work

In physical transactions, the challenges of identification, authentication, and privacy are solved with physical marks, such as seals or signatures. In electronic transactions, the equivalent of a seal must be coded into the information itself. By checking that the electronic “seal” is present and has not been broken, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. To create an electronic equivalent of physical security, some vendors use advanced cryptography.

Throughout history, most private messages were kept secret with single key cryptography. Single key cryptography is the way that most secret messages have been sent over the centuries. In single key cryptography, there is a unique code (or key) for both encrypting and decrypting messages. Single key cryptography works as follows:

Suppose Bob has one secret key. If Alice wants to send Bob a secret message:

  1. Bob sends Alice a copy of his secret key.

  2. Alice encrypts a message with Bob’s secret key.

  3. Bob decrypts the message with his secret key.

Unfortunately, this method has several problems. First, Bob must find a secure method of getting his secret key to Alice. If the secret key is intercepted, all of Bob’s communications are compromised. Second, Bob needs to trust Alice. If Alice is a double agent, she may give Bob’s secret key to his enemies. Or, she may read Bob’s other private messages or even imitate Bob. Finally, if you have an organization with people who need to exchange secret messages, you will either need to have thousands (if not millions) of secret keys, or you will need to rely on a smaller number of keys, which opens the door to compromise.

SSL certificate technology employs the more advanced public key cryptography, which does not involve the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, an SSL certificate uses a matched pair of keys that uniquely complement each other. When a message is encrypted by one key, only the other key can decrypt it.

When a key pair is generated for your business, your “private key” is installed on your server; nobody else has access to it. Your matching “public key,” in contrast, is freely distributed as part of your SSL certificate. You can share it with anyone, and even publish it in directories. Customers or correspondents who want to communicate with you privately can use the public key in your SSL certificate to encrypt information before sending it to you. Only you can decrypt the information, because only you have your private key.

Your SSL certificate contains your name and identifying information, your public key, and the CA’s own digital signature as certification. It tells customers and correspondents that your public key belongs to you[2].

end sidebar
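As an added example (not from the book or from VeriSign), the sidebar's two claims run on the openssl command line: a message encrypted with Bob's public key is readable only with Bob's private key, and a CA's signature over a name plus a public key stands in for the certificate. The party names and the message are constructed sample data, and the signed text file is a simplified stand-in for a real X.509 certificate.

```shell
#!/bin/sh
# Added example (not from the book): public-key encryption and a CA signature
# with the openssl CLI. Party names and the message are constructed samples.
set -e
WORK=$(mktemp -d)

# One RSA key pair per party. The private half stays with its owner; the
# public half is what gets published in a certificate.
gen_keypair() {             # $1 = party name
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Alice encrypts to Bob with nothing but Bob's PUBLIC key (RSA-OAEP padding).
encrypt_to() {              # $1 = recipient, $2 = plaintext
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/to_$1.enc"
}

# Decrypt the ciphertext addressed to $1 with $2's PRIVATE key. Prints the
# plaintext when $2 holds the matching key; fails (non-zero status) otherwise.
decrypt_with() {            # $1 = recipient, $2 = key owner
  openssl pkeyutl -decrypt -inkey "$WORK/$2.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/to_$1.enc" 2>/dev/null
}

# Simplified stand-in for a certificate: the CA signs (name + public key).
# A real X.509 certificate binds the same two things, in a structured form.
issue_cert() {              # $1 = subject name, $2 = CA name
  { printf 'name=%s\n' "$1"; cat "$WORK/$1.pub"; } > "$WORK/$1.cert"
  openssl dgst -sha256 -sign "$WORK/$2.key" -out "$WORK/$1.cert.sig" "$WORK/$1.cert"
}

# The customer's check: does the CA's signature cover this exact body?
verify_cert() {             # $1 = cert body file, $2 = signature file, $3 = CA name
  openssl dgst -sha256 -verify "$WORK/$3.pub" -signature "$2" "$1" >/dev/null 2>&1
}

gen_keypair bob
gen_keypair mallory         # an unrelated pair, to show it cannot decrypt
gen_keypair ca

encrypt_to bob "card ending 4242, order 1001"
echo "Bob's private key decrypts:   $(decrypt_with bob bob)"
if decrypt_with bob mallory >/dev/null; then
  echo "unexpected: a different private key decrypted the message"
else
  echo "Mallory's private key:        cannot decrypt (as expected)"
fi

issue_cert bob ca
verify_cert "$WORK/bob.cert" "$WORK/bob.cert.sig" ca && echo "Bob's certificate: CA signature OK"
# Change the name in a copy of the body: the signature no longer matches.
sed 's/^name=bob$/name=mallory/' "$WORK/bob.cert" > "$WORK/bob_tampered.cert"
if verify_cert "$WORK/bob_tampered.cert" "$WORK/bob.cert.sig" ca; then
  echo "unexpected: tampered certificate verified"
else
  echo "Tampered copy:     CA signature FAILS (as expected)"
fi
```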

A CA’s rigorous authentication practices, leading-edge cryptographic techniques, and ultrasecure facilities are designed to maximize your confidence in the CA’s services. These practices, technology, and infrastructure are the foundation for SSL certificates to secure transactions working in conjunction with your Web storefront server.

Simplifying Management of Multiple SSL Certificates

Is your site hosted on 10 or more servers? As previously explained in Chapter 18, with one simple purchase, a managed PKI service lets you issue all the SSL certificates you need (either standard or universal 128-bit SSL certificates) in bundles of 10, 25, 50, 100, or more. A convenient one-step purchasing process lets you take advantage of a single purchase order, and volume discounts make managed PKI the most cost-effective way to secure big sites. Managed PKI is simple to set up and configure: start issuing server certificates quickly via a CA’s intuitive Web storefront-based process. Renewing IDs or buying additional IDs is just as easy.

Learning More About Your Customers Through Client Authentication

An SSL certificate tells your customers exactly who you are. Suppose you want to learn who your customers are, or to restrict access to your content to certain consumers. You can set up your Web storefront site to authenticate visitors’ identities with SSL certificates for individual users. Compared to asking customers to supply a user name and password, SSL certificate registration is more convenient for customers and more informative for your business.

Deploying Strong Security for Worldwide Commerce

Until recently, strong 128-bit encryption was not exportable. The United States Department of Commerce has approved the issuance of certificates for 128-bit encrypted communications—the highest level of encryption ever allowed across United States borders. With a 128-bit Global Server ID, your 128-bit customers can now enjoy unparalleled security when visiting your Web storefront site. The Global Server ID is a septillion times more secure than any other product.

Facilitating Payments with Payment Services

Extending a business to the Web and opening an e-commerce storefront requires merchants to master many tasks—not only Web storefront site development and design, but also maintaining the confidentiality and security of consumer data and accepting and processing payments. A CA can take the headache out of payment processing by managing a secure, reliable, and low-cost solution for accepting payments.

CA payment services provide the ideal payment transaction platform for merchants who want to conduct business on the Internet. Regardless of your business’s size or demands, a CA can deliver the right solution: a fast, scalable, and reliable Internet payment platform that enables companies to authorize, process, and manage multiple payment types. Payment services bring affordability, flexibility, and convenience to Internet payment processing by combining a flat-fee monthly pricing model with a growing menu of services and solutions for merchants, financial institutions, resellers, and developers.

For example, VeriSign’s Commerce Site and Commerce Site Pro Services combine SSL certificates with the VeriSign Payflow Pro service to form a complete, integrated solution that’s ideal for e-merchants and online stores. Commerce Site includes a 40-bit SSL certificate and Payflow Pro, plus additional value-added services. Commerce Site Pro also includes a 128-bit SSL Global Server ID and Payflow Pro, plus value-added services.

Payflow Pro is designed especially to help Web storefront merchants securely accept and process credit card, debit card, purchase card, and electronic check payments. Payflow Pro is a versatile solution for online payment processing, and is ideal for large-scale, e-commerce merchants that require peak performance and complete customizability. Payflow Pro enables payment processing through a small SSL TCP/IP-enabled client that controls communications between merchants’ applications and the Payflow platform. Designed for scalability and reliability, Payflow Pro creates a dedicated SSL TCP/IP-level communication thread for each transaction between the client and the server. Payflow Pro is downloadable as a Software Development Kit (SDK) or comes preintegrated with most shopping carts and e-commerce platforms. Up to 5,000 transactions are included.

Step-By-Step Instructions

In one to three days, after the CA has verified your credentials, you will receive your SSL certificate via e-mail. Simply install the SSL certificate on your server, and then immediately begin conducting transactions online—with the confidence that you and your customers are protected.

As previously mentioned, the U.S. Department of Commerce requires your company to qualify before buying the 128-bit SSL encryption power of Global Server IDs. All companies within the United States are eligible for Global Server IDs. The U.S. government determines the categories of companies that can implement the powerful 128-bit SSL encryption technology of Global Server IDs outside the United States and across U.S. borders. New regulations make Global Server IDs available to a wider group of customers than ever before. Any company or organization around the world may purchase a Global Server ID, with the following exceptions: persons listed on the U.S. government’s Denied Persons List, and customers located in Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Before You Begin

Before beginning a CA’s online enrollment, check to make sure you are ready to proceed by preparing the following.

Installing Server Software

Nearly all brands support the CA’s 40-bit SSL certificates. The server on which the 128-bit Global Server ID is installed can run server software from any non-U.S. software vendor, or software from a U.S. software vendor properly classified by the U.S. Department of Commerce, including:

  • Apache-SSL

  • BEA WebLogic

  • C2Net Apache Stronghold

  • Compaq/Tandem iTP Webserver

  • Covalent Raven

  • Hewlett Packard Virtual Vault (with Netscape Enterprise)

  • IBM http Server/Webphone

  • iPlanet Servers

  • Lotus Domino

  • Microsoft IIS

  • Mod-SSL

  • Nanoteq Netseq server

  • Netscape Suite Spot servers, including Netscape Enterprise and Netscape Proxy Server

  • O’Reilly WebSite Pro

  • Red Hat Professional

  • Zeus[2]

Registering Your Domain Name and Confirming Firewall Configuration

If you haven’t already, register your URL at: http://www.networksolutions.com/en_US/index.jhtml;jsessionid=ZUVPWFYO2XNEMCWLEAKSFEQ?requestid=492631 or a local equivalent. SSL certificate enrollment requires that you can make both HTTP and HTTPS connections to a CA’s Web storefront site.

Preparing Payment

If you are applying for a free, 14-day trial SSL certificate, no payment is necessary. If you are purchasing a one-year, full-service SSL certificate, you can pay with a purchase order, check, wire transfer, or an American Express, Visa, MasterCard, or Discover card.

Reviewing Legal Agreement and Gathering Proof of Right Documents

In the process of enrolling, you will need to sign a Secure Server Subscriber Agreement. Before issuing your SSL certificate, the CA must confirm that your company is legitimate and is registered with the proper government authorities. If you have a Dun & Bradstreet DUNS number, simply supply your number. International DUNS numbers must be in the Dun & Bradstreet database for at least two months before a CA can verify the information. If you do not have a DUNS number, either go to http://www.dnb.com/us/ and apply for one, or submit a hard copy of at least one of the following filed documents for your company: articles of incorporation, partnership papers, business license, or fictitious business license. All documents must be in English.

Selecting an Option for Obtaining Payment

Collecting credit card payments (in person or via the phone or Web) always involves two steps. First, obtain the credit card number from the customer. Second, secure payment from an acquiring processor on behalf of the credit card issuing bank. When your business uses an SSL certificate to obtain billing information from your customers, you have two options for collecting payments from the acquiring processor: traditional phone-in or online processing. You are now ready to obtain your SSL certificate (see sidebar, “How to Obtain Your SSL Certificate”).

start sidebar
How to Obtain Your SSL Certificate

To complete your SSL certificate enrollment, please visit one of many sites, for example: http://www.verisign.com/products/site. There, you will be instructed to complete the following steps.

  1. Generate Certificate Signing Request: Follow the instructions in your server software manual, or online at http://digitalid.verisign.com/server/enrollStep3.htm, to create a Certificate Signing Request (CSR) and a key pair. After the server software creates the two files, make backup copies of them on a floppy disk, and store the disk in a secure location. This is important: if your private key is lost, the CA will not be able to recover it for you.

  2. Submit the Certificate Signing Request (CSR) to the CA: Open the CSR file in a text editor, such as WordPad, Notepad, or Textpad. Do not use a word processing application such as Microsoft Word or Adobe FrameMaker. Select the text in the CSR, beginning with and including:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    and ending with

    -----END NEW CERTIFICATE REQUEST-----

    Copy and paste the CSR into the CA online enrollment form for the trial or the one-year subscription. Click the Submit button.

  3. Complete application: Fill out the online application form with information about your company and contacts. The technical contact must be authorized to run and maintain your secure Web storefront server and must be employed by your organization. If you access the Web storefront through an Internet Service Provider (ISP), the ISP may complete the CSR for you and serve as the technical contact, and you can then enroll. If your ISP does not offer CA IDs, refer it to www.verisign.com/isp/index.html for information about VeriSign’s Secure Site ISP Program.

    The organizational contact must be authorized to make binding agreements, such as the Secure Server Service Agreement, and must be employed by your organization. It is best to select a different person from the technical contact.

    The billing contact will receive invoices. This can be the same person as the technical or organizational contact.

  4. Authentication takes 1–3 days: Within a few hours of receiving your application, the CA will send a confirming e-mail to your technical and organizational contacts. The e-mail will include a URL where you can check the status of your application, as well as a Personal Identification Number (PIN) that you will need to view the status. If the information you submitted is complete, your technical contact and organizational contact will receive your SSL certificate by e-mail in 1–3 working days.

  5. Install your SSL certificate: When you receive your SSL certificate, make a backup copy of it and store it on a labeled floppy disk, noting the date you received it. Store the floppy disk in a secure place. To install your SSL certificate, follow the instructions in your server software documentation for digital certificates.

  6. Enable SSL on your server: Consult your server software manual to enable SSL. The process should take approximately five minutes.

  7. Post the Secure Site Seal on all your secure pages: You should receive a file of the Seal, complete with instructions on how to install it, via e-mail shortly after completing the enrollment process. You can also find downloadable Seal files and instructions at http://www.verisign.com/seal/secure/install.html[2].

end sidebar
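Steps 1 and 2 of the sidebar carried out on the openssl command line, as an added example that is not part of the book or of VeriSign’s instructions. The subject fields (ABC Inc., www.abc-incorporated.com, the California address) are constructed sample values; the checks before submission are the ones a practitioner would run to make sure the CSR was not mangled and belongs to the private key on the server.

```shell
#!/bin/sh
# Added example (not from the book or VeriSign): steps 1 and 2 of the sidebar
# with the openssl CLI. The subject values are constructed sample data.
set -e
WORK=$(mktemp -d)
KEY="$WORK/server.key"; CSR="$WORK/server.csr"; BACKUP="$WORK/backup"

# Step 1: key pair plus Certificate Signing Request. The private key never
# leaves this machine; only the CSR (your name + public key, signed with
# that private key) goes to the CA.
generate_csr() {            # $1 = host name, $2 = organization
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"          # readable by the server's owner only
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/ST=California/L=Mountain View/O=$2/CN=$1"
}

# The sidebar's warning: the CA cannot recover a lost private key, so keep a
# dated offline copy (the book says a floppy in a safe; any offline medium works).
backup_key() {
  mkdir -p "$BACKUP"
  BK="$BACKUP/server.key.$(date +%Y%m%d)"
  cp "$KEY" "$BK" && cmp -s "$KEY" "$BK"     # confirm the copy is intact
}

# Step 2: exactly the text to paste, BEGIN line to END line inclusive.
# Current OpenSSL writes "CERTIFICATE REQUEST"; older Windows tooling wrote
# "NEW CERTIFICATE REQUEST" as the book shows, so the pattern accepts both.
csr_text() {
  sed -n '/^-----BEGIN \(NEW \)*CERTIFICATE REQUEST-----$/,/^-----END \(NEW \)*CERTIFICATE REQUEST-----$/p' "$CSR"
}

# Checks before submitting: the CSR's own signature still verifies (so it was
# not mangled, e.g. by a word processor) and its public key is the one that
# belongs to the private key on this server.
csr_is_valid()    { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }
csr_matches_key() {
  [ "$(openssl req -in "$CSR" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}
csr_subject()     { openssl req -in "$CSR" -noout -subject; }

generate_csr www.abc-incorporated.com "ABC Inc."
backup_key
csr_is_valid    && echo "CSR signature: OK"
csr_matches_key && echo "CSR public key matches $KEY"
echo "Subject: $(csr_subject)"
echo "Paste the following into the enrollment form:"
csr_text
```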

Note

SSL imposes some performance overhead. Therefore, most server software applications allow you to apply SSL selectively to Web storefront pages that require encryption, such as payment pages. There is no benefit from applying SSL to product information pages, for example.

Options for Obtaining Payment

Congratulations! You can now offer secure transactions to your online customers.

Traditional Phone-In

If your business already collects credit card payments from person-to-person or telephone sales, you are probably using this method currently. Simply read each customer’s card number from your Internet order form and transmit it to the processor using a point-of-sale (POS) terminal.

If your business is not yet set up to collect credit card payments, contact a merchant services company, such as First Data Corporation Web Info. Merchant service companies generally charge a nominal setup fee, also called an underwriting fee, and then charge a percentage of each transaction.

Online Processing

Most leading credit card processors offer their merchants the option to collect payments online. The payment-enabling software needed for these transactions depends on the system that the credit card service provider uses. For example, Payflow Payment Services provide high-quality, low-cost payment connectivity between buyers, sellers, and financial networks. Payflow services bring the Internet’s “anyone-to-anyone” ease of connectivity to the payments industry. By using Payflow, a merchant can connect to any bank, transaction service, or form of payment without worrying about the underlying technology. Customers can pay with a variety of financial instruments, including checking accounts, savings accounts, and credit cards, quickly and simply.

Now, let’s look at how to establish trust to protect and grow your online storefront. In other words, in light of the risks associated with electronic commerce and online communication, it is imperative to not only use secure encryption technology when conducting online business, but to also be able to prove one’s identity and develop trust relationships with customers and partners.

Building online trust relationships with partners and customers involves being authenticated by a trusted third party and receiving an authenticated SSL digital certificate that is signed by that trusted third party. Encryption, the process of transforming information to make it unintelligible to all but the intended recipient(s), forms the basis of data integrity and privacy necessary for online business. Without authentication, however, encryption technology does not sufficiently protect online users. Authentication must be used in conjunction with encryption to provide:

  • Confirmation that the organization named in the certificate has the right to use the domain name included in the certificate

  • Confirmation that the organization named in the certificate is a legal entity

  • Confirmation that the individual who requested the SSL certificate on behalf of the organization was authorized to do so[1]

There is a distinction between authenticated (“high-assurance”) certificates, which provide trust and security, and unauthenticated (“low-assurance”) certificates, which threaten consumer confidence and online security. In addition to using encryption technology, it is vital that your Web storefront is authenticated, which will improve Web visitors’ trust in your Web storefront and in your business.

When you establish your secure Web storefront, you can take advantage of a wealth of options to further enhance your e-commerce operation. You can display the number-one trust brand on the Internet (Cheskin/Studio Archetype) to give your customers the confidence to communicate and transact business with your site. A seal allows your visitors to check your SSL certificate’s information and status in real time, thus increasing their trust in your online storefront and increasing your sales and revenues.

Increased trust in the safety of online transactions has numerous benefits, of which increased revenue and profitability are the most important. There are real challenges (and significant opportunities) for online storefronts to deliver the same level of trust and personalization over the Internet as is offered by brick-and-mortar storefronts.

Nevertheless, until recently, most SSL certificates could be categorized as medium- to high-assurance certificates, providing three security services: confidentiality, authentication, and integrity. Digital certificates uniquely identify individuals and Web storefronts on the Internet and enable secure, confidential communications. Unfortunately, some providers of SSL certificates have elected to provide unauthenticated or low-assurance SSL certificates in order to lower costs and accelerate order fulfillment. This conflicts with generally accepted industry practices, erodes customer confidence, and serves as a source of confusion for Web storefront visitors.

“Low-assurance” SSL certificates provide confidentiality and integrity, but lack authentication. In the past, the lock icon in the users’ browser was perceived to be a reliable sign of authentication. Now, users are forced to examine the SSL certificate itself to distinguish between a high-assurance, authenticated certificate and a low-assurance, unauthenticated certificate.

If, for example, a user intends to securely communicate with a Web site bearing an SSL certificate with the organization name “ABC Inc.,” the user is compelled to check whether the certificate is authenticated by a third party. The SSL certificate intends to convey assurance that the visited Web storefront (http://www.abc-incorporated.com) is definitely an “ABC Inc.” Web storefront and that it is not another entity pretending to be ABC Inc., trying to trick Web site visitors into doing business with them. Only through rigorous authentication can a company prove to its customers and partners that its Web storefront is authentic and has the right to use the domain name presented on the certificate.

[1] “Establish Trust to Protect and Grow Your Online Business,” 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.

[2] “Guide to Securing Your Web Site for Business,” 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.




Electronic Commerce (Networking Series, 2003)
Electronic Commerce (Charles River Media Networking/Security)
ISBN: 1584500646
Year: 2004
Pages: 260
Author: Pete Loshin
