Posts Tagged ‘ssl’

SSL: What is a secure site?

Monday, January 25th, 2010

When you go to most shopping sites, you get that little padlock in your browser to tell you that your session is, somehow, secure. But what does that mean?

What is SSL?
Secure Sockets Layer (SSL) provides two different services: encryption (preventing the traffic from being read in transit) and authentication (verifying that the site is who it claims to be). Although the term most commonly associated with SSL (“certificate”) refers only to authentication, people often see it as being synonymous with encryption instead. I’m going to explain why (and summarise how) it does both.

Why do we need them?
First, imagine the scenarios which SSL is intended to protect against. Let’s say there’s a user, Alice, who wants to buy a wig from Bob’s wig store. The most obvious risk is if an attacker, Eve, can somehow directly receive the traffic, e.g. through a poorly secured wifi access point. I’m going to call that scenario 1. The other (less common) risk is if Alice’s connection to Bob runs through one of Eve’s computers (because she controls one of the routers involved, or has provided false DNS records to Alice, for example), allowing Eve to alter the content arbitrarily. That’s scenario 2.

In scenario 1, the risk is that when Alice sends Bob her credit card details to buy a wig, Eve will note them down and use them to steal money. That’s bad for Alice, and even for Bob (who will probably be blamed). In scenario 2, Eve can still steal the card number, but she can also perform a more subtle attack, for example changing Alice’s request to deliver to Eve’s address and sending Alice back a page which says that the transaction failed. In that case, Alice and Bob will have every reason to blame each other.

So, the first thing to do is to stop Eve getting the card number – and that means encryption. Encrypted data is roughly analogous to a series of combination-locked boxes, of which Alice and Bob somehow both know the combination (and nobody else does). Alice can send boxes to Bob (and vice versa), while Eve can do nothing without knowing the combination. That would perfectly solve the problem, except that Alice and Bob still need a way to agree on a combination to use.

Since Alice and Bob don’t already have a mutually-known combination to use at the start, they have to use a slightly different approach called public key encryption. The basic idea is that there is a way for anyone to encrypt data that only Bob can decrypt. In the “boxes” metaphor, this would be latch-lock boxes that Bob gives to everyone he sees: you don’t need to know the combination to lock it, only to unlock it. That’s absolutely perfect for scenario 1: Bob sends Alice a latch-lock box; Alice sends it back with a suggested combination written on a piece of paper inside. This is roughly the security level you get with a self-signed certificate.

Unfortunately, scenario 2 is still a problem: Alice gets Eve’s latch-lock box, and Bob gets Eve’s suggested combination, making it no more secure than if no encryption had been used at all. This is where authentication comes in: Alice and Bob need to know they’re talking directly to each other.

For this, Bob makes a CSR (metaphorically a label saying “this is Bob’s lockbox”, firmly attached to each lockbox), and he gets someone they both trust, Charlie, to sign it (making a complete certificate). When Alice receives the lockbox, she knows that it’s Bob’s (or isn’t) based on whether Charlie has signed it as being so; Bob still doesn’t know he’s talking to Alice, but since Eve never knows Alice’s suggested combination, Alice will know that something is wrong when she doesn’t get a lockbox back which she can open with her combination. So, finally, Alice and Bob can be assured that they’re communicating in secret.

In terms of the practical implementation, Alice has already got knowledge of the Certification Authority (Charlie) because it came on her computer when she bought it, and what the certificate says is that the public key it contains is genuinely from the web site address that appears in her address bar.

Mixed Content Warnings
If you’ve built an SSL site before, you will probably have encountered this. If the browser loads some content over SSL, but loads some content unencrypted, it no longer knows whether all the content that the user perceives as secure actually is, and so issues a hard-to-ignore warning. This even extends to things like CSS (which can hide some text and add some of its own), so be sure that you don’t use full URLs (ones beginning with http://) for src= and href= if you’re running a site that you want to work on both HTTP and HTTPS.

Windows Reseller Hosting

Wednesday, January 7th, 2009

Heart Internet, the UK’s leading provider of Reseller Web Hosting, is pleased to announce the launch of Windows Reseller Hosting.

Providing the flexibility and great features you would expect with Heart Internet, such as unlimited bandwidth and unlimited web space, Resellers can now offer their clients the choice of either Windows or Linux shared hosting.

Fully supporting ASP, ASP.NET, PHP 5, Perl & Ruby, Resellers will also be able to support their customers’ websites with MS SQL databases coupled with a wide range of ready-built ASP scripts including Form to email, blogs, CMS, website search and image galleries.

Heart Internet’s Reseller Package is just £29.99 per month and includes unlimited Linux websites. Windows hosting accounts including log files, graphical web statistics, ASP, ASP.net, .NET Framework, access database support, secure server (SSL), full email, FTP, sub domains and more can be added for just £10 each per year.

Resellers looking to use MS SQL can add 200 MB databases for just £10 per month, 50% less than our competitors.

Follow the link below to find out more about Heart Internet Reseller hosting:

http://www.heartinternet.co.uk/reseller-hosting/

Run an e-commerce store easily and safely with Heart Internet

Monday, July 21st, 2008

It’s never been so easy to start your own online store and start making money.

With £145 million now spent online every day, there’s never been a better reason to start your very own online store. We at Heart Internet are aware that not everyone has the skills to design and develop their own e-shop and put it online. If you’re looking to hire a development company to create the store for you, you could easily be looking at paying thousands of pounds for their service.

Every Heart Internet customer that is running a Home, Business or Reseller hosting package can easily install their very own e-commerce shop at no extra cost! Installation is simple and is controlled via your hosting control panel where you have four different stores to choose from. These include: ZenCart, osCommerce, Cubecart and AgoraCart. Once installed you can configure the store to your requirements and start adding products straight away. If our users ever need assistance then we always have our friendly support staff to help.

To give your customers added peace of mind when they order from your store, we give every Home, Business and Reseller hosting customer shared secure server access. With shared secure server access you can be sure that any sensitive data being sent with a transaction is encrypted and secure. For example, you would see https:// (“s” meaning secure) instead of the usual http://

To accept credit cards online you need an Internet merchant account with a credit card provider. Please find below our recommendations of the best merchant account providers:

PayPal: www.paypal.co.uk
WorldPay: www.worldpay.co.uk
Protx: www.protx.co.uk
Google Checkout: http://checkout.google.com

If you’re looking to switch to Heart Internet or upgrade your account you can compare all of our fantastic hosting packages via the following page:
http://www.heartinternet.co.uk/comparison-h.shtml