SSL Certificate: Importance for e-business security
https://ilokabenneth.blogspot.com/2016/12/ssl-certificate-importance-for-e.html
Author: Iloka Benneth Chiemelie
Published: 22nd December 2016
Abstract
E-business is increasing fast across the globe as a result of the increase in
technological advancement, adoption and functionality. The understanding,
measured with respect to numerous theories, is that the world is fast
transforming into a community where people can have access to any information
at any given time. This transformation brings with it the need for users to be
careful, because of the increase in fraud and phishing. Considering these
issues, how can companies protect themselves and ensure sustainable growth by
ensuring that consumers purchase from their websites? This question is
addressed by SSL, which is a third-party certification used to verify the
authenticity of a website and prevent users from falling victim to scammers.
Introduction
Starfield Technologies (2013) made known that a recent study from the US
Department of Commerce shows an intriguing increase in the level of online
retailing, and that this increase is largely a result of the rapid growth and
adoption of e-business. They also noted, however, that the increase in
malicious phishing and pharming schemes, together with fears of inadequate
online security, makes retailers lose business because of consumers' lack of
trust, which is mainly based on consumers being afraid of their sensitive data
being abused or compromised.
For any business, the main element is building trust, as customers need to
trust the business in terms of its potential to protect their sensitive
information from being intruded upon or tampered with.
As such, installing an SSL Certificate on the e-commerce website has a very
significant role to play in consumers' trust, as it allows the website to
secure the online business and build confidence on the side of the consumers
by making sure that all online transactions are secured with up to 256-bit
encryption. An SSL Certificate on the business site basically ensures that
sensitive data is protected from prying eyes.
What is SSL and what are Certificates?
Frank (2002) presented a clear understanding of the above heading by stating
that the SSL protocol was created by Netscape as a means of ensuring that users
have secure transactions between the web server and the browser. The protocol
functions by making use of a third party, a Certificate Authority (CA), which
is used to identify either one end or both ends of the transaction. It
basically works as follows:
1. The browser requests a secure page (which is usually HTTPS://).
2. The server then sends a public key with its certificate.
3. The browser, having received the public key, will then check whether the
certificate has been issued by a trusted party (which is usually a trusted
root CA), and also check that the certificate is still valid and that it is
related to the site being contacted.
4. The browser then makes use of the public key to encrypt a random symmetric
encryption key and makes this available to the server with the required
encrypted URL as well as the encrypted HTTP data.
5. Upon receiving it, the web server will then decrypt the symmetric
encryption key by making use of the private key, and use the asymmetric key to
decrypt the URL and the HTTP data.
6. The server will then send the decrypted key back to the requested HTTP data
that was encrypted with the symmetric key.
7. The browser will then decrypt the HTTP data and HTML document by making use
of the asymmetric key and then display the information to the user.
Basically, the underlying element in this system is ensuring that information
is protected from any breach between sender and receiver and that transactions
are done only through a trusted medium, thereby reducing consumers' risk, as
they will be making purchases from the right source and people.
Private Key / Public Key
Encryption that makes use of a private key/public key pair is designed to
ensure that data encrypted by one key can only be decrypted by using the other
key of the pair. Sometimes this is very hard to understand, but Frank (2002)
made known that it actually works. The keys are similar in nature and as such
can be used interchangeably. Whatever one key encrypts, the other key of the
pair is capable of decrypting, as the key pair is based on prime numbers and
its length in bits is designed in such a way that it is very difficult to
decrypt the message without the keys.
The certificate
The question of security is how users know that they are dealing with the
right person rather than just the right website. This is sometimes very
difficult considering the high volume of websites available on the net, but
people have taken the necessary steps towards protecting users' experience
online, and these are the people who have been given implicit trust to load
certificates on trusted websites.
A certificate is a document containing information about the owner of the
certificate, such as their e-mail address, name, certificate usage, validity,
location and Distinguished Name (DN), which also comprises the Common Name
(CN) and other information used to validate the authenticity of the website
owner. Normally, the browsers or applications are loaded through well-known
and trusted certificate paths in the CA, which is also used to maintain a list
of signed certificates and a list of revoked certificates. Only signed
certificates are considered to be secure, and they cannot be modified. A
certificate can be signed by itself, in which case it is described as a
self-signed certificate. All root CAs are self-signed and cannot be modified
even by the owners of the website.
Installation of SSL
Frank (2002) made known that in the present-day setting the user doesn't need
to worry much about installing OpenSSL, because most distributions adopt a
package management application. However, a number of settings need to be made
in order to ensure that the SSL certificate is properly installed, and these
modifications are:
The CA.pl utility
In the process of installing OpenSSL, make sure that CA.pl is in a directory
that can be accessed, such as /usr/sbin. CA.pl can be located inside the
/usr/lib/ssl directories. CA.pl is the utility that is used for the purpose of
hiding the openssl command. Users are advised to always put the openssl
equivalent in brackets when making use of the CA.pl features.
/usr/sbin/CA.pl needs to be modified to include -config /etc/openssl.cnf in ca
and req calls (Frank, 2002). The modified file will look like this:
#$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$SSLEAY_CONFIG="-config /etc/openssl.cnf";
#$CATOP="./demoCA";
$CATOP="/var/ssl";
Creating certificate authority
In order to create the certificate authority, Frank (2002) noted that the
command to use after editing the openssl.cnf file correctly is:
CA.pl -newca
Once this command has been entered, the utility will ask the user to select a
certificate file to function as the CA certificate, or prompt the user to
create one if no certificate presently exists. In order to create a new
certificate file, the user should follow the directions that are issued at
each prompt.
Generating and signing a new certificate request
The command for undertaking this function is:
CA.pl -newreq
(openssl req -config /etc/openssl.cnf -new -keyout newreq.pem -out newreq.pem \
-days 365)
First, the user needs to create a new private key and a certificate request,
which will be placed in the newreq.pem file. Then, the user should enter the
Common Name (CN), which is the main usage of the certificate. For instance, the
user should enter www.example.com if intending to secure the website
www.example.com, or enter example@email.com if looking to secure e-mails from
that address.
Once the user has identified the Common Name (CN), the user should use the
command below to sign the certificate.
CA.pl -sign
(openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem \
-infiles newreq.pem)
The command will sign the new request using cacert.pem and then commit the
certificate as newcert.pem. Additionally, the user will need to enter the
passphrase of cacert.pem (which is the CA certificate), and this will lead to
the creation of the file newcerts/xx.pem, and index.txt and the serial will
also be updated.
The private key is in newreq.pem -PRIVATE KEY- and the certificate is in
newcert.pem -CERTIFICATE-.
Following the success of the above process, a copy of newcert.pem will be
placed in newcerts/ with an adequate entry in index.txt, and this will allow
the client to request such information through the web services and also to
ensure the authenticity of the certificates.
In any case, the user also needs to be careful with the newreq.pem file, as it
contains a certificate request and also the private key.
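The CA, request and signing steps above, followed by the three checks a browser
makes in step 3 of the handshake, as an added example that is not code from the
original article or from Frank's HOWTO. It calls openssl directly instead of
CA.pl and goes one step further by writing the private key and the request to
separate files; the file names, the subject "Demo Root CA" and the functions
issue_cert and check_cert are assumptions made for the demo:

```sh
#!/bin/sh
# Added example; file names, subjects and function names are constructed.
set -eu

issue_cert() {   # $1 = working directory, $2 = host name to certify
    d=$1; host=$2
    umask 077    # key files must be readable by their owner only
    cat > "$d/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Self-signed root, the result of "CA.pl -newca". The demo CA key is
    # unencrypted (-nodes); a real CA key should carry a passphrase.
    openssl req -config "$d/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root CA" -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Key and request go to separate files, unlike newreq.pem.
    openssl req -config "$d/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # Sign the request with the CA key, the job of "CA.pl -sign".
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 365 \
        -out "$d/server.pem" 2>/dev/null
}

check_cert() {   # $1 = trusted CA file, $2 = certificate, $3 = host name
    # Issued by a trusted party?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # Still valid?
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 2
    # Related to the site being contacted?
    openssl x509 -in "$2" -noout -checkhost "$3" |
        grep -q 'does match certificate' || return 3
}

work=$(mktemp -d)
issue_cert "$work" www.example.com
check_cert "$work/ca.pem" "$work/server.pem" www.example.com &&
    echo "certificate accepted for www.example.com"
rm -rf "$work"
```

check_cert returns 1, 2 or 3 to show which of the three checks rejected the
certificate.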
Conclusion
Basically, the purpose of this paper was to present an understanding of what
SSL certificates are and how they can be used. The paper has been successful in
this respect because it has demonstrated that SSL certificates represent an
integral aspect of the modern computing world. This is because there is an
increased level of fraud and phishing in present-day e-commerce, where
consumers are misled by fake websites and forced to expose their payment
information or even make payments to the wrong person. Considering the
significance of this issue, SSL certificates have been developed as the right
solution, as they involve authentication of the website by a third party in
order to ensure that users are protected from fraudulent practices that would
cause them financial losses through transactions made with fake websites.
References
Starfield Technologies (2013), “Why do you need SSL Certificates?” Available at: http://products.secureserver.net/SSLMarketingGuide.pdf [Accessed on: 18-09-2013].
Frank, M. (2002), “SSL Certificates: How to.” Available at: http://www.tldp.org/HOWTO/pdf/SSL-Certificates-HOWTO.pdf [Accessed on: 18-09-2013].