During my time on the web I have noticed how many users have misconceptions about HTTPS or SSL, so hopefully this post will help clear a few things up and make sure you're clear about what SSL does, what it doesn’t do, and how to be safe on the web.
Firstly, I would like to explain a bit about HTTPS and try to clear up some of the misunderstandings a lot of people seem to have about it.
HTTPS://, which stands for Hyper-Text Transfer Protocol Secure, is a secure connection between you and the server. HTTPS is NOT a protocol in itself. HTTPS is exactly the same as HTTP except it has an extra layer of “security” called SSL (Secure Sockets Layer). When comparing HTTP and HTTPS, the only “physical” difference is that HTTPS uses a different TCP port (usually 443), whereas HTTP uses 80 (or 8080 depending on server setup).
SSL was developed by Netscape for, you guessed it, sending files and information via the web without nosy neighbors peeking. SSL uses a cryptographic key system. This system uses two keys which encrypt the data being sent: the first is the public key, which is known to every Tom, Chris and Rumpelstiltskin, and the second is the private key, known only to the intended recipient of the data.
I have come across quite a few people who assume that because a web page says “Secure”, their information, which often includes full credit card details, is secure for the short journey across cyberspace and the comfy stay in a little server on the other side of the world. What most do not understand is that this is not the case. Yes, the information cannot easily be sniffed or tapped on its way between you and the server, but SSL does nothing to guarantee its safety once it reaches the server, or to control what the webmaster and everyone else who has access to the server (which can often be a lot of people) do with your information.
Just because a server uses SSL (which anybody with a website and a spare £23 ($45)-ish can obtain, without any security checks on the website, I might add) doesn’t mean the server can’t be hacked, or hasn’t already been hacked.
Dodgy webmasters: not only do you have to worry about your personal information being sniffed or viewed in transfer, and about crackers seeing it while it’s sitting on the web server, but what about the actual website administrator? What if he suddenly thinks, “Hey, I have a database full of all the transaction details from when I have sold naff to over the net…”
Getting security certificates validated by browsers.
Now, virtually all modern browsers are SSL capable and show some type of alert if the incoming SSL certificate is self-signed or invalid.
I would like to make this perfectly clear: ANY webmaster can set up a secure connection for his/her website(s), and it will have EXACTLY THE SAME level of security as a certificate signed by an authority. The only difference is that, with an authority-signed certificate, many browsers have been “told” by the “certification authorities” that your site is OK!
Otherwise your browser experience is hindered by warnings (especially with browsers such as Internet Explorer 7 and Google Chrome, which refuse to show the page unless you accept).
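The difference described above comes down to whether the certificate's signer is on the verifier's trust list. The script below is an added example, not part of the original post: it assumes the `openssl` command-line tool is installed, and the host name `shop.example.test` and the “Demo Root CA” are constructed stand-ins for a real site and a real certification authority.

```bash
#!/usr/bin/env bash
# Added example. All names (shop.example.test, "Demo Root CA") are constructed.
WORK=$(mktemp -d)

# Self-signed: the site owner signs their own certificate.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=shop.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# Authority-signed: a stand-in CA signs the site's certificate request.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=shop.example.test" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/site.csr" -days 1 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/site.crt" 2>/dev/null
}

# verdict CERT [ROOT]: what a client decides about CERT. Without ROOT it
# uses the system's default trust list; with ROOT, that certificate is the
# trusted root.
verdict() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi && echo trusted || echo warning
}

# Extracts the public key size line from a certificate's text dump.
key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)'
}

make_self_signed && make_ca_signed
echo "self-signed, default trust list:  $(verdict "$WORK/self.crt")"
echo "CA-signed, CA not in trust list:  $(verdict "$WORK/site.crt")"
echo "CA-signed, CA in trust list:      $(verdict "$WORK/site.crt" "$WORK/ca.crt")"
echo "self-signed, added to trust list: $(verdict "$WORK/self.crt" "$WORK/self.crt")"
echo "key sizes: $(key_bits "$WORK/self.crt") / $(key_bits "$WORK/site.crt")"
```

`openssl verify` checks only the signature chain, not the host name or revocation status, both of which a browser also checks.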
If you would like more information about setting up SSL or purchasing an SSL certificate through XDnet, just ask and we can help with the process.
Hopefully this post has helped you understand what SSL does do, which is offer an extra layer of protection to your data, and also the importance of not providing personal information to just any website on the internet. If you have doubts about the intentions of the webmaster, try asking them about their policies and how they might use your data. If they can’t answer honestly about how they process your information, don’t risk it.
