How Ssl Protocol Works

Published Date: 02 Nov 2017

Abstract

As Kevin Mitnick, a computer security consultant and former hacker once said, "Some people think technology has the answers." This statement is the basis for this conference paper as it will discuss in detail how safe a user's personal information is when it comes down to the protocols or technologies and legislation in place to secure and protect online transactions.

The problem with online transactions is that it is a fairly new concept that grew in popularity very quickly leaving a gap between the convenience of having everything at your fingertips and the security of your personal information as well as your identity as an individual. There have been many new protocols and technologies developed since this boom in online transactions and banking to enforce the new legislation but many of these protocols have loop holes that are constantly being discovered and corrected with more modern and secure protocols. The aim of this research paper is to discuss protocols such as SSL certificates and https sites, as well as antivirus technology, PayPal security and internet security programs and how they assist to make online transactions safer.

This conference paper will contain a literature review of all the protocols and technologies that are available today in the field of online transactions and how each of them, in unison can protect and secure the information of a user in today's information revolution, where information is power. This means that rather than discussing just a single protocol as a standalone technology, this paper will include and combine all the knowledge into one combining it with legislation like The Protection of Personal Information Bill B9 of 2009. Therefore this paper is composing a much better picture of the security of online transactions as well as the rights the users can follow should their privacy be violated.

The significance of this paper is to provide people with a better understanding of the protocols and technologies that are in place to protect them and to establish whether their personal information is really being protected under the current South African legislation.

Keywords

This is list of terminology that will be used throughout this conference paper. This will help with the understanding of key protocols, technologies and legislation:

SSL Protocol - Secure Sockets Layer Protocol is a encryption protocol used to secure online transactions.

TLS Protocol - Transport Layer Security Protocol is a revised technology and is a successor to the SSL Protocol.

E-commerce - Term used to describe any form of commercial payments done over the internet or from any form of electronic device.

https:// - Hyper Text Transfer Protocol Secure is an updated version of http and is used as a secure means of communication and it implements either the SSL or TLS protocol.

PPI Bill - This is the Protection of Personal Information Bill B9 of 2009 and is a Bill that protects a user's personal information.

URL Address - Uniform Resource Locator is the name that is used to represent a sites IP Address and is entered into the IP address bar of a internet browser.

ECT Act - This is the Electronic Communications and Transactions Act 25 of 2002 which forms the foundation of how information and communication technology are governed in South Africa

Introduction

Information privacy and security is a right that a person has as a unique individual to protect their personal information. It is the right to conduct activities in seclusion and the protection of this privacy is protected by privacy laws. These laws are fairly new like the Protection of Personal Information Bill B9 of 2009 but are in place to protect against the invasion of privacy.

There are many technologies that are in place and that are currently in development to ensure that legislation like the PPI Bill are implemented in the virtual world of online banking where information is power. This paper will discuss how these technologies work and how they implement security and privacy, increasing the understanding of an average online banking user.

The question that needs to be answered is: How safe is a user’s personal information when it comes down to the protocols in place to secure and protect online transactions and how do these protocols enforce the South African legislation ensuring a safe and ethical online environment?

Many users feel that privacy and security during online transactions is untrustworthy and the aim of this paper is to minimize this discomfort and to increase their awareness of the current laws and legislations protecting them.

Technologies And Protocols And How They Relate To legislation

SSL Protocol

"In the context of a law firm, cloud computing raises concerns associated with entrusting a third party with confidential client data." - (Newton, n.d.)

One of the areas that information security covers is encryption. Secure Sockets Layer (SSL) Protocol is an industry standard encryption technology that ensures secure online banking and e-commerce transactions. This protocol can be used as a security safeguard. A security safeguard is one of the eight principles of the Protection of Personal Information Bill. This principle states that all personal information should be kept private and secure against any external threats like hacking or loss of information.

SSL was originally developed by Netscape, it is an internet security protocol used by internet browsers and web servers to transmit sensitive and personal information. It establishes an encrypted communication link between a server and a client for a secure communication session.

An example of where this is used would be between a website and a browser, or an e-mail server and an e-mail client. It allows private and personal information such as banking details and personal identification numbers to be securely transmitted from the client side of the link, to the server side. This is done by the acquisition of a SSL certificate.

SSL certificates help protect information by encrypting and decrypting the data sent to and from the server/client. The technology working behind the scenes during a SSL encryption are mathematical algorithms and equations working in conjunction, enabling a communication session to be virtually impossible to hack. This is done to uphold the 7th principle of the Protection of Personal Information Bill which is the security of personal information.

How the SSL protocol Works

When you open an SSL encrypted webpage, the website sends a ‘Hello’ message to the web server.http://compueasy.net/j3/images/stories/knowledgebase/ssl_how.jpg

The web server will then start to communicate with the client and creates a unique Public Encryption Key(PEK) Certificate.

When personal information like banking details are submitted to the web server, the SSL Certificate on the client encrypts (locks) it.

The encrypted data is then sent to the web server over the secure communication link.

The web server will then send the unique Public Encryption Key certificate to the client which allows the Secure Sockets Layer (SSL) to send the certificate decryption key securely over the internet.

The web server can then use the decryption key to decrypt (unlock) the securely encrypted information.

SSL plays a big role in hiding personal information during online transactions conforming to the ethical principal of information privacy which states that a user can choose to remain anonymous during online transactions. It also secures your data by using the abovementioned procedure. You can verify that you are viewing a SSL Secure website if the web address begins with "https://" rather than just the standard "http://" or if a https lock is visible by the URL address.

All SSL Certificates are issued to either legally registered organizations or individuals. When a browser connects to a site that implements the SSL protocol it will retrieve the site's SSL Certificate and verify that it has not expired and that it is a registered certificate with a Certification Authority that is trustworthy. It also verifies that the certificate is being utilized by the website for which it was registered. If it fails on any of these accounts, the browser will display a warning message to the end user. This gives the user the ethical right to choose whether or not to proceed with the current transaction, ensuring that decisional privacy is being enforced.

HTTPS:// Sites

The current concern is for sites to become secure especially when protection and privacy is such a high need in today’s life of online banking. Https:// is being implemented on almost every site to ensure that the average user's personal information is more secure and less vulnerable. This new form of security is encryption based to protect information being transferred between the user and a website, the concept is to protect information from anyone trying to intercept it.

Https works in by either implementing the outdated Secure Socket Layer (SSL) protocol or the newer revised Transport Layer Security (TLS) protocol in order to make sure that encrypted information cannot be intercepted by people or organizations with mal intent. Https sites also cannot get spoofed, meaning a fake site that looks like the real one would not work because it would contain a false security signature and certificate and would be picked up by the browser.

The benefit of using https is that you gain protection from being lead to false or malicious websites. The use https helps with the realization of what the Electronic Communications and Transactions Act 25 of 2002 wants to achieve and that is to promote the public trust in online transactions.

Most people agree that they find the security of their personal information important and feel a lot more comfortable when using an https site. This sense of security is providing the users with a fundamental right and can be Virtue ethics or as utilitarian ethics. The technology is rapidly becoming a requirement for website development because most of the new browsers now have plug-ins that force https websites to be displayed.

The level of security is made clear to the user so that anybody that is unsure or unaware of threats will be protected from the violation of their privacy or the theft of their personal information.

From all of this we can see why people trust https and why it’s better than using any normal http site the difference though is just security but when that security is your bank account you need to know you can trust it.