SSL, or Secure Socket Layer, is not the answer to website security. SSL does provide an encrypted layer for Internet communications, however it is not the solution to all security concerns.
The advantage of SSL is its compatibility with most browsers, where it invisibly encrypts Internet communications and thwarts an attacker from catching sight of the data sent from your browser to a websites server. A hacker can see that you are making a connection to the server but not what is being transmitted. SSL also authenticates the server, so you know that you are conversing with the server, not a hacker situated between you and the server.
Regrettably many people, including the guys developing Eos Online Merchant, look at SSL as the perfect answer to website defense. They are currently attempting to create new open source standards, which force the use of SSL when using their ecommerce cart. Granted, SSL should be used on every website that accepts credit cards, as protecting customer financial data is a no-brainer. Believing that SSL is the answer is being naive.
Why is relying on SSL a mistake, David and Inetbiz? Because SSL does not protect you from the following:
1. Vulnerable Hosts – The idea that having an SSL certificate installed on your server secures the server itself is an enormous delusion. Protecting the transmission of data between a browser and a server is only half the battle. You need to keep patches for the operating system [e.g. Linux], server software [e.g. Apache] and scripting tools [e.g. PHP & MySQL] up to date. Turning off unneeded services and checking your server logs on a regular basis is also important.
2. Poor Programming – The communication between a browser and server may be encrypted but a hacker can still try to break in via poorly coded website applications, and because you installed an SSL certificate, your Intrusion detection system may not alert you about it. Keep your website applications [e.g. shopping carts, blog or forums] updated as often as possible.
3. Phishing & Spoofs – When you purchase an SSL certificate you are required to include your host name. Anyone who owns a domain name can get an SSL cert for that domain. There are people who create website that mirror the look and feel of other websites right down to an SSL Certificate. These “spoofs“ can look like your bank website or a popular ecommerce site and are created to obtain account numbers, passwords or credit card numbers. They can relay info so that it shows as it would if you were on the legitimate site, but save a decrypted copy of everything you entered into a form thus stealing your financial information.
Unfortunately, an SSL certificate can not protect you from phising and spoof sites either because a hacker can easily register a similar name to your bank domain. For example, your bank domain name might be “my_financial_institution.com” and a hacker could register “my_financial_institutions.com”, which is an error that you might never notice.
Many of the things listed above might seem obvious. I know a couple of people who are forcing SSL as a new open source standard who are most likely had no idea. People are frequently bemused and can’t comprehend SSL security begins and ends. An argument that turns into endless backbiting about security before one realizes precisely where the assumptions came from. I have been there… several days of posting in the osCommerce University forums about when SSL is needed, when it is not and who should be the one to decide when to use it. They [the Eos Online Merchant development team] didn’t get it, hopefully you do.
