Certificates and Security
Written By: An IntelliGenesis Senior Cybersecurity Engineer
Most of us, at some point in the last few years, have done some online shopping… and by “most of us,” I mean “all of us” and by “last few years,” I mean “the last 24 hours” and by “some,” I mean “a lot.” That out of the way, it’s probably a safe bet that very few, if any, of us have ever had our credit card information stolen because of online shopping.
Nowadays, online shopping is as safe, if not safer, than shopping in a retail store or paying your check at a restaurant. With about 2.3 trillion dollars of online sales in 2017, the security of internet transactions is crucial to the worldwide economy. So how do all these transactions stay secure?
Through the use of secure internet protocols (which encrypt data during the transmission) and the use of certificates (that identify web destinations), modern web browsers maintain a tightly controlled system of communication. This system ensures that the website you think you are connecting to actually IS the website you are connected to…and that the data you transfer remains safe in transit.
The protocol used to keep communications secure is a combination of HTTP and SSL, commonly seen in the browser’s address bar as “https://”. One of the key protections this protocol offers is against “man in the middle” attacks where a third party intercepts the communication and pretends to be the target server. The way HTTPS protects against this type of attack is by verifying the server is valid. HTTPS demands the server present an identifying certificate…but not just any certificate. The certificate must be “signed” by a trusted source called a “certificate authority.”
Each web browser has a setting that specifies which certificate authorities to trust. There are a number of commercial trusted authorities that handle most of the requests for the internet-at-large, but internally, companies (and individuals) can create their own certificates for internal verification of network traffic.
These internal certificate authorities allow companies to verify that all their internal network traffic is authorized and that only authorized users are granted access. It’s exactly the same model as the worldwide internet, just on a smaller scale.
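The certificate-authority check described above, as an added example that is not part of the original post: a stand-in internal CA signs a server certificate, and a verifier that trusts only that CA accepts the signed certificate but rejects a self-signed impostor claiming the same hostname. The CA name and hostname are made up for the demonstration; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Demonstrates why a server certificate must be signed by a trusted CA.
# All names below are constructed for the example.
WORK=$(mktemp -d)
HOST="intranet.example"   # hypothetical internal host

# 1. Create the company's internal certificate authority (self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Example Internal CA" >/dev/null 2>&1

# 2. The real server generates a key and a certificate signing request.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=$HOST" >/dev/null 2>&1

# 3. The CA signs the request, producing the server's certificate.
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/srv.crt" >/dev/null 2>&1

# 4. An impostor (the "man in the middle") makes its own self-signed
#    certificate for the same hostname, without involving the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/bad.key" -out "$WORK/bad.crt" \
  -subj "/CN=$HOST" >/dev/null 2>&1

# verify_cert CA_FILE CERT_FILE HOSTNAME
# Mimics the browser's check: the chain must end at a trusted CA and the
# certificate must be issued for the hostname being visited.
# Returns 0 if the certificate is acceptable, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

CA_FILE="$WORK/ca.crt"
GOOD_CERT="$WORK/srv.crt"
BAD_CERT="$WORK/bad.crt"

if verify_cert "$CA_FILE" "$GOOD_CERT" "$HOST"; then
  echo "CA-signed certificate for $HOST: accepted"
fi
if verify_cert "$CA_FILE" "$BAD_CERT" "$HOST"; then
  echo "self-signed impostor for $HOST: accepted (this should not happen)"
else
  echo "self-signed impostor for $HOST: rejected"
fi
```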
HTTPS, certificates, and certificate authorities together act as a critical piece of infrastructure that allows worldwide e-commerce to thrive and allows companies and agencies to keep a tight level of control over their own internal communications.