How The Ssl Protocol Works

Published Date: 02 Nov 2017

Group 9

Faculty of Engineering, Built Environment and Information Technology

University of Pretoria

Contents

ABSTRACT

As Kevin Mitnick, a computer security consultant and former hacker once said, "Some people think technology has the answers." This statement is the basis for this conference paper as it will discuss in detail how safe a user's personal information is when it comes down to the protocols or technologies and legislation in place to secure and protect online transactions.

The problem with online transactions is that it is a fairly new concept that grew in popularity very quickly leaving a gap between the convenience of having everything at your fingertips and the security of your personal information as well as your identity as an individual. There have been many new protocols and technologies developed since this boom in online transactions and banking to enforce the new legislation but many of these protocols have loop holes that are constantly being discovered and corrected with more modern and secure protocols. The aim of this research paper is to discuss protocols such as SSL certificates and https sites, as well as antivirus technology, PayPal security and internet security programs and how they assist to make online transactions safer.

This conference paper will contain a literature review of all the protocols and technologies that are available today in the field of online transactions and how each of them, in unison can protect and secure the information of a user in today's information revolution, where information is power. This means that rather than discussing just a single protocol as a standalone technology, this paper will include and combine all the knowledge into one combining it with legislation like The Protection of Personal Information Bill B9 of 2009. Therefore this paper is composing a much better picture of the security of online transactions as well as the rights the users can follow should their privacy be violated.

The significance of this paper is to provide people with a better understanding of the protocols and technologies that are in place to protect them and to establish whether their personal information is really being protected under the current South African legislation.

keywords

This is list of terminology that will be used throughout this conference paper. This will help with the understanding of key protocols, technologies and legislation:

SSL Protocol - Secure Sockets Layer Protocol is a encryption protocol used to secure online transactions.

TLS Protocol - Transport Layer Security Protocol is a revised technology and is a successor to the SSL Protocol.

E-commerce - Term used to describe any form of commercial payments done over the internet or from any form of electronic device.

https:// - Hyper Text Transfer Protocol Secure is an updated version of http and is used as a secure means of communication and it implements either the SSL or TLS protocol.

PPI Bill - This is the Protection of Personal Information Bill B9 of 2009 and is a Bill that protects a user's personal information.

URL Address - Uniform Resource Locator is the name that is used to represent a sites IP Address and is typed into the address bar of a web browser.

Introduction

Information privacy and security is a right that a person has as a unique individual to protect their personal information. It is the right to conduct activities in seclusion and the protection of this privacy is protected by privacy laws. These laws are fairly new like the Protection of Personal Information Bill B9 of 2009 but are in place to protect against the invasion of privacy.

There are many technologies that are in place and that are currently in development to ensure that legislation like the PPI Bill are implemented in the virtual world of online banking where information is power. This paper will discuss how these technologies work and how they implement security and privacy, increasing the understanding of an average online banking user.

The question that needs to be answered is: How safe is a user’s personal information when it comes down to the protocols in place to secure and protect online transactions and how do these protocols enforce the South African legislation ensuring a safe and ethical online environment?

Many users feel that privacy and security during online transactions is untrustworthy and the aim of this paper is to minimize this discomfort and to increase their awareness of the current laws and legislations protecting them.

Technologies And Protocols And How They Relate To legislation

SSL Protocol

"In the context of a law firm, cloud computing raises concerns associated with entrusting a third party with confidential client data." - (Newton, n.d.)

One of the areas that information security covers is encryption. Secure Sockets Layer (SSL) Protocol is an industry standard encryption technology that ensures secure online banking and e-commerce transactions. This protocol can be used as a security safeguard. A security safeguard is one of the eight principles of the Protection of Personal Information Bill. This principle states that all personal information should be kept private and secure against any external threats like hacking or loss of information.

SSL was originally developed by Netscape, it is an internet security protocol used by internet browsers and web servers to transmit sensitive and personal information. It establishes an encrypted link between a server and a client for a secure communication session.

An example of where this is used would be between a website and a browser, or an e-mail server and an e-mail client. It allows private and personal information such as banking details and personal identification numbers to be securely transmitted from the client side of the link, to the server side. This is done by the acquisition of a SSL certificate.

SSL certificates help protect information by encrypting and decrypting the data sent to and from the server/client. The technology working behind the scenes during a SSL encryption are mathematical algorithms and equations working in conjunction, enabling a communication session to be virtually impossible to hack. This is done to uphold the 7th principle of the Protection of Personal Information Bill which is the security of personal information.

How the SSL protocol Works

When you open an SSL encrypted webpage, the website sends a ‘Hello’ message to the web server.http://compueasy.net/j3/images/stories/knowledgebase/ssl_how.jpg

The web server will then start to communicate with the client and creates a unique Public Encryption Key(PEK) Certificate.

When personal information like banking details are submitted to the web server, the SSL Certificate on the client encrypts (locks) it.

The encrypted data is then sent to the web server over the secure communication link.

The web server will then send the unique Public Encryption Key certificate to the client which allows the Secure Sockets Layer (SSL) to send the certificate decryption key securely over the internet.

The web server can then use the decryption key to decrypt (unlock) the securely encrypted information.

SSL is a big part of hiding personal information during online transactions conforming to the ethical principal of information privacy which states that a user can choose to remain anonyms during online transactions. It also secures your data by using the above mentioned procedure. You can tell that you are on a SSL Secure website if the web address begins with "https://" rather than just standard "http://" or by locking for a lock by the URL address.

All SSL Certificates are issued to either legally registered organizations or individuals. That means that when a browser connects to a secure site (https://) it will retrieve the site's SSL Certificate and check that it has not expired and that it is in fact a registered certificate with a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user. This warning gives the user the ethical right to choose whether or not to proceed by doing this decisional privacy is being enforced.