How can I conduct secure transactions online?

SSL and e-commerce

E-commerce can involve any or all of the processes of selling goods, buying goods, making payments or receiving payments. For all of these activities, a secure environment is essential so that funds and customer information can be exchanged with confidence.

For Web-based businesses, the most popular choice remains Secure Sockets Layer (SSL), which provides an easy means of protecting data being transferred between a browser and a website. (The protocol has since been revised and renamed Transport Layer Security, TLS, but is still widely referred to as SSL.) A key reason for SSL's popularity is that it is supported in all popular Web browsers, meaning customers don't need any additional software.

Sites that use SSL often log users in with a password. Provided the login page itself and the form it submits to are both served over SSL, the password and all subsequent data travel through an encrypted channel between the user's browser and the website; a login form served over plain http sends the password in the clear even if the rest of the site is protected.

SSL uses the same public key cryptography model as PKI. Each site using SSL has a public and private key pair, with the public key embedded in a digital certificate issued by a certificate authority (CA). When the secure site is accessed, the web browser receives the certificate, checks that a CA it trusts signed it and that the name in it matches the site, and then uses the public key to agree a session key that encrypts the rest of the traffic. The private key never leaves the server.

In most cases, SSL is virtually transparent to the user. Their browser may display a message to tell them they are beginning or ending a secure connection, and a small padlock appears in the browser window (in the address bar in current browsers; older browsers placed it at the bottom right-hand corner of the screen). Website addresses for secure sites also begin with https:// rather than http://.

SSL encrypted webpage screenshot

What it looks like

To check that the website that is selling a product or service is using SSL, look for the small padlock in the Internet browser (in the example above, at the bottom right-hand corner of the window) as shown in the www.wishlist.com.au example above.

When the padlock appears, the computer has successfully established a secure connection with the Wishlist website (see www.wishlist.com.au). This means that personal details, order details, credit card details, delivery address and contact telephone numbers are protected while they are sent to the Wishlist online store. The padlock alone only tells you the connection is encrypted to whoever holds that certificate, so also check who the certificate was issued to: click (in older browsers, double click) the padlock to view the certificate. This shows the organisation and website name the certificate was issued to, the certificate authority that issued it, and how long it is valid for. The name should match the business you intend to buy from, and the certificate should be within its validity period.
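The checks the padlock dialogue lets you make by eye (issued to whom, by whom, valid until when, and does the name match the site) can also be done programmatically. The following is an added example, not code from the original page; it uses only the Python standard library. The sample certificate is constructed in the shape that ssl.SSLSocket.getpeercert() returns, and every organisation and host name in it is hypothetical.

```python
"""Inspect a server certificate the way the browser padlock does.

Added example, not part of the original page. Standard library only.
SAMPLE_CERT below is constructed in the shape ssl.SSLSocket.getpeercert()
returns; the names in it are hypothetical.
"""
import socket
import ssl
import time

# Constructed sample certificate (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("countryName", "AU"),),
                (("organizationName", "Example Store Pty Ltd"),),
                (("commonName", "www.example-store.com.au"),)),
    "issuer": ((("countryName", "AU"),),
               (("organizationName", "Example Certificate Authority"),),
               (("commonName", "Example CA Root"),)),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "www.example-store.com.au"),
                       ("DNS", "example-store.com.au")),
}


def _field(name_tuple, key):
    """Pull one attribute (e.g. 'organizationName') out of a subject or issuer."""
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS SAN entry (exact, or one-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # A wildcard covers exactly one leftmost label, never the bare domain.
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def check_certificate(cert, hostname, now=None):
    """Return the problems a careful padlock inspection would raise (empty = OK).

    'now' is epoch seconds (defaults to the current time). An empty list means
    the certificate names this site and is within its validity period. It does
    not by itself prove the issuer is trustworthy: that comes from the chain
    to the browser's trusted root CAs, which the browser verifies separately.
    """
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate not issued for {hostname}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    if not _field(cert["issuer"], "organizationName"):
        problems.append("issuer has no organisation name")
    return problems


def describe(cert):
    """The details the padlock dialogue shows: issued to, issued by, valid until."""
    subject = cert["subject"]
    return {
        "issued_to": _field(subject, "organizationName") or _field(subject, "commonName"),
        "issued_by": _field(cert["issuer"], "organizationName"),
        "valid_until": cert["notAfter"],
    }


def fetch_certificate(hostname, port=443, timeout=5):
    """Connect over TLS and return the live certificate in getpeercert() form.

    Network call, not used by the offline sample. create_default_context()
    already verifies the chain and hostname, so an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe(SAMPLE_CERT))
    print(check_certificate(SAMPLE_CERT, "www.example-store.com.au"))
```

To run the same inspection against a real shop, replace SAMPLE_CERT with fetch_certificate("www.example-store.com.au") (hypothetical host). Note that the stdlib verification in fetch_certificate already refuses connections the browser would refuse; check_certificate is there to make visible what that verification looks at.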

SSL limitations

While SSL is very useful, it does have limitations. Issues to consider before implementing an SSL site include:

  • Data transmitted using SSL is only protected while it is in transit between the browser and the Web server. Once the server has decrypted it, SSL offers no further protection, and if the data is then moved elsewhere it may be exposed. If, for example, your Web hosting company collects orders via an SSL site but then forwards them to you by ordinary email, the second leg of the journey is unencrypted.
  • SSL provides strong authentication of the company website, because the server's certificate is signed by a certificate authority the browser trusts and the server proves it holds the matching private key. It does not authenticate the customer beyond whatever password check the site itself performs, unless customers are also issued with their own certificates (client certificates) and required to use them.

Using the analogy of a paper transaction, SSL provides the following:

  • A secure envelope into which you can seal your document when you send it;
  • A guarantee to you that the destination address on the envelope (the domain name) belongs to the business named in the certificate, as vouched for by the certificate authority; and
  • A signature on the envelope that guarantees it really was you who sent it, but only if you have been set up with your own keys and certificate (a client certificate).

What SSL does not provide is:

  • Any guarantee to you that the server at that address is actually operated by the business (it may be run by a hosting provider on its behalf), or that the business will handle your document properly once it arrives; or
  • Any security processing on the document itself. Once the envelope has been opened (and thrown away), the business is left with an ordinary unsigned document: nothing in SSL proves afterwards who sent it or that it has not been altered since.

SSL encryption webpage screenshot 2

A further SSL limitation: certificate injection

  • Some SSL users have been subject to a "Certificate injection threat" where a malicious SSL certificate is added to the user's list of trusted root certificate authorities. A number of publicly disclosed vulnerabilities in Internet Explorer and Windows Media Player have allowed the attacks.
  • What to do about it? In an enterprise environment, it is possible to use file and registry permissions to restrict access to the list of trusted root CAs either via software policies or by "hardening" the workstation build.
  • Windows 98 users cannot easily protect themselves from this style of attack since the operating system does not support registry or file permissions. A possible mitigation strategy for Windows 98 users would be to run a program which periodically checks critical parts of the registry. Such functionality may be incorporated into a future version of anti-virus software.
  • In the meantime, check the Microsoft security bulletin MS02-005 Patch for Internet Explorer at www.microsoft.com/technet/security/bulletin/MS02-005.asp
  • Other Security Bulletins for Windows Media Player at www.microsoft.com/technet/security/bulletin/MS01-056.asp

(Reproduced with thanks to Defence Signals Directorate, Computer Network Vulnerability Team, white paper "SSL Vulnerabilities" presented at AusCERT 2002 and available on the NOIE website)

Conclusion

For many small businesses, SSL will provide sufficient security for online shopping and payment processing. However, if you will be dealing with high-value transactions, you may want to consider a more extensive PKI-based solution.

How to make it happen

Many e-commerce software packages already include support for SSL. If you are setting up a retail or payments website, your bank or financial institution may also provide SSL-based shopping services as part of its business banking offerings. Your Internet service provider may also be able to advise you.

If you find setting up an e-commerce-enabled site difficult, you may seek to employ a consultant to help. The Capability Directory of Electronic Authentication Technologies provides a list of organisations that can assist in setting up a secure website.

Where to go online for more information

Capability Directory of Electronic Authentication Technologies - http://www.aeema.asn.au/neac

Several useful free guides are at http://www.verisign.com.au/

If you are searching the Web on this topic, try the following search terms: SSL, e-business, secure transactions, electronic banking.

  • Document ID: 19751
  • Last modified: 6 February 2008, 10:50am