What are security certificates for?
(And how do they work?)
Published: 14 October 2017
Answer: pretty much everything nowadays!
This is part of the digital certificate for google.co.uk, as displayed by Firefox. The site's public key is the large block of hexadecimal digits at the bottom.
Digital certificates make secure transactions across the internet work.
Every secure site you visit (banking, online shopping, etc.) has one, and your web browser fetches and checks it automatically each time you connect.
Certificates include two things:
Proof of the site's bona fides:
The certificate carries a signature from the authority that issued it, and that authority's own certificate carries a signature from the one above it, and so on: an official 'chain of trust' that leads from the site owner right back to a 'root authority' whose certificate is built into your browser or operating system.
This is supposed to mean:
"A (whom your browser already trusts)
vouches for B, who vouches for C,
who controls this web site."
It's a nice idea, but be clear about what it proves: that the certificate was issued to whoever controls that domain name, not that the business behind it is honest. A crook can buy a perfectly valid certificate for a look-alike domain, so check that the address bar shows the site you meant to visit, and make up your own mind about whether to trust the people behind it.
The site's public key: used to set up the secure, encrypted link between you and any site that shows a 'padlock' icon.
This bit works really well, so well that this one thing enables the whole of the Web to be used for commercial purposes. Without it we would have no online shopping or banking, and the "Cloud" would just be a thing that rains on us when it passes overhead!
Encryption made simple...
... would be very difficult, as it relies on some fairly complex mathematics. We can, however, explain what it does, which is a bit easier:
Each party has their own pair of keys, one public and one secret, and the two are mathematically related. That relationship is what makes it all work. The secret key is kept very secret, but the public one is shared with anyone who asks for it. You can see Google's public key in the screengrab above.
So, now imagine that I want to send a secure message to Fred via his web site...
Once we have each other's public keys we can pass messages securely: I encrypt my message with Fred's public key, and only Fred's secret key can decrypt it; Fred encrypts his reply with my public key, and only my secret key can decrypt that.
It all stays secure because it's next-to-impossible for anyone to work out a secret key from the public one, the secret keys never travel across the internet, and encrypting a message needs nothing secret from the other party, so there is nothing for an eavesdropper to steal on the way. (In practice your browser uses the site's public key to prove who it is talking to and to agree a fresh session key, and the traffic itself is then encrypted with that session key, but the principle is the same.)
The same approach is used for things we don't even think of as "messages", such as making online payments, buying electronic bus tickets, or logging into Facebook, Google or Office 365.
Whenever you see a closed padlock icon, this is all going on in the background!
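To show the two jobs a certificate does, here is the whole story in working Go, as an added example for this article; it is not code from this page, from Firefox or from Google. It builds a made-up root authority, an intermediate authority signed by it, and a site certificate signed by the intermediate (the authority names and the host www.example.com are constructed test data), then checks the chain the way a browser does: the genuine chain passes for the right hostname, the same certificate fails for a different hostname, and the chain fails when the root is not one the browser trusts. Finally it encrypts a message with the public key inside the site certificate and decrypts it with the site's secret key. One simplification to be aware of: a real browser does not encrypt your order with the certificate's public key directly; that key proves the site's identity during the handshake and a fresh session key then encrypts the traffic. The encrypt/decrypt step here shows the relationship between the two keys, not the exact exchange on the wire.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Chain is a constructed chain of trust: root authority ("A"), intermediate
// authority ("B") and the web site itself ("C"), plus the site's secret key.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *rsa.PrivateKey
}

// issue makes a fresh key pair and signs a certificate for its public half with
// the signer's secret key. A nil parent means "sign yourself", as a root does.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues a made-up root, an intermediate signed by the root, and a
// site certificate signed by the intermediate. Names and host are test data.
func BuildChain(host string) (*Chain, error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// MaxPathLenZero: may issue site certificates, but no further authorities.
	inter, interKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	// DNSNames is what the browser compares with the address bar.
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}, nil
}

// VerifyForHost does what the browser does behind the padlock: it trusts only
// the root it was given (nil means "no root I recognise") and checks that the
// site certificate chains back to it and was issued for this hostname.
func VerifyForHost(c *Chain, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if trustedRoot != nil {
		roots.AddCert(trustedRoot)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// EncryptToSite uses the public key carried in the site certificate. Anyone
// can do this; only the holder of the matching secret key can undo it.
func EncryptToSite(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptAtSite is the other end; the secret key never left the server.
func DecryptAtSite(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

VerifyForHost returns nil where the browser would show the padlock and an error naming the reason (wrong hostname, unknown authority) where it would warn. BuildChain generates three 2048-bit RSA key pairs, so it takes a moment to run; a three-line main calling BuildChain and then VerifyForHost with the right host, a wrong host and a nil root reproduces the three outcomes described above.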
Certificates are essential for Web Site owners
This is the important bit! Until quite recently, you didn't need a digital certificate to run an online shop, an ordering system or anything else that needed security. Predictably, that made it easy for crooks to steal information as it passed between you and your customers, and that is exactly what happened, a lot.
The latest generation of web browsers will force this to change. In the companion article to this one, we showed how they now warn users when they visit insecure web sites. This will put people off! And it will do so even if the site doesn't ask for any personal information at all (the browsers don't distinguish between sites that way).
In short, if you own a web site that doesn't have a certificate installed to allow secure browsing, you will lose traffic. It's the equivalent of a policeman standing in your shop doorway, telling customers to go away!
Help with web site security is here!
You don't have to wade through all the technology yourself to make this work. Here at Bristol IT Company, we are internet domain registrars in our own right, and have long experience in setting up both secure web sites and electronic commerce of all types. We pride ourselves in delivering good, solid and affordable advice and support.
Call us on 01173 700 777 or email email@example.com to find out how we can help you secure and grow the Web part of your business.