What is an SSL? (Secure Socket Layer = Security?)

September 16, 2013

Our Very (Very) Basics series gives a high-level look at hot tech topics. We want these posts to be a way for people who don’t normally work with the web, mobile, and marketing to understand the basics without having to deal with all the geeky stuff. If you’d like more information about any of these topics, try searching our blog to find more posts.


Have you ever heard a web company say something needs an SSL? What does that mean?

The internet is a big place. With close to 9 billion devices connecting, it can be hard to find some privacy. SSL encryption technologies are often used to facilitate a private line between two parties.

Why do you need privacy

Generally speaking, anytime a credit card number or detailed personal information (like a Social Security Number) is transmitted, you need to use SSL encryption technology to protect that information from prying eyes.

If you didn’t use SSL technology to protect that data, there are many ways it could be exploited. If you are a wireless user, whether on a mobile phone, wifi, or satellite, that information is traveling through the air exposed. Anybody with the right equipment who is in range of your signal can intercept that data.

Even if you are on a wired network, you are not in much better shape. While writing this article, I performed a traceroute to amazon.com. It’s sort of like revealing the road map my data traveled to arrive at Amazon. My packets touched ten different routers owned by five different companies en route to one of the largest retailers on the planet. Out of these five different companies, I know two: my own ISP and Amazon. The other three are an enigma to me. Never heard of them. Do I trust my credit card information totally naked in their hands? Do I know their networks are free of malware? Do I know the competence of their network security? No, I do not.

Additionally, there is another common way to harvest data, called a man-in-the-middle attack. Though a bit harder to explain, it is one in widespread use. More or less, a website will masquerade as another site, likely one that you already trust, like GoDaddy, PayPal, eBay, your bank, etc. People are tricked into submitting their information to these parties. Most are simple, like an email with links to a fake website that looks like PayPal but is actually not PayPal. Others are more complicated and far harder to explain, but the sum of it is that it will look like you are at Amazon (for example), and even though it says amazon.com in the address bar, that is not the real amazon.com.

How does SSL technology protect me

Now that you know some of the dangers of unencrypted data, let’s see what SSL encryption can do for us. When you are at your favorite reputable merchant’s website, your desire is to let them have your credit card information to charge for the agreed amount. SSL encryption gives you a private line to the merchant’s webserver. Though others may still intercept the transmission of your data, it’s going to look like trash, and it will be undecipherable as a credit card number. Additionally, SSL technologies assure you that you are indeed speaking with the merchant you think you are, not an impostor.

But how does it work

It’s somewhat complicated as to “how” it works exactly, but I will offer a brief description.

The server administrator makes a private key. This is a very long string of random characters, including lowercase letters, uppercase letters, numbers, and special characters (like + or /). This private key is never shared with anybody, but a public key (called CSR) is derived from it. This public key can encrypt data, but cannot decrypt information. This public key is shared with a certificate authority (CA), like Thawte, VeriSign, Network Solutions or GoDaddy. Once the CA has validated the business, they will issue a certificate. The private key, public key, and certificate form a trio that can only work together and are not interchangeable.

When your browser goes to a website over a secure https connection, the webserver will send back the certificate and public key. The browser will validate this as legitimate from the CA. Once the browser knows the certificate is good, it will use the public key to encrypt the data it’s about to transmit, such as a credit card number. The webserver will be able to decrypt this information with the private key. Only the private key will decrypt it. If this is all happening right, most browsers will show a lock in the address bar.
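The key, CSR and certificate relationship described above, as an added example that is not part of the original post. It assumes the openssl command-line tool is installed; shop.example and both demo CAs are made-up names, and everything is created in a temporary directory.

```shell
#!/bin/sh
# Constructed demo: every name (shop.example, "Demo ... CA") is made up.
# Requires the openssl command-line tool; works entirely in a temp directory.

ssl_trio_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # 1. The server administrator makes a private key; it stays on the server.
    openssl genrsa -out server.key 2048 2>/dev/null
    # 2. The CSR carries the matching public key plus the site name.
    openssl req -new -key server.key -subj "/CN=shop.example" -out server.csr

    # 3. A stand-in CA the "browser" trusts, and an unrelated one it does not.
    for ca in trusted other; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca.key" \
            -subj "/CN=Demo $ca CA" -days 1 -out "$ca.crt" 2>/dev/null
    done

    # 4. The trusted CA signs the CSR and issues the certificate.
    openssl x509 -req -in server.csr -CA trusted.crt -CAkey trusted.key \
        -CAcreateserial -days 1 -out server.crt 2>/dev/null

    # 5. Browser-side check: does the certificate chain to a CA we trust?
    openssl verify -CAfile trusted.crt server.crt >/dev/null 2>&1 \
        && echo "chain_trusted_ca=ok" || echo "chain_trusted_ca=fail"
    openssl verify -CAfile other.crt server.crt >/dev/null 2>&1 \
        && echo "chain_other_ca=ok" || echo "chain_other_ca=fail"

    # 6. The trio is not interchangeable: the certificate's public key must
    #    match the private key the server holds, and no other key will do.
    cert_pub=$(openssl x509 -in server.crt -pubkey -noout)
    [ "$cert_pub" = "$(openssl pkey -in server.key -pubout)" ] \
        && echo "key_matches_cert=yes" || echo "key_matches_cert=no"
    [ "$cert_pub" = "$(openssl pkey -in other.key -pubout)" ] \
        && echo "other_key_matches_cert=yes" || echo "other_key_matches_cert=no"

    cd / && rm -rf "$dir"
)

ssl_trio_demo
```

The second `openssl verify` fails because the certificate was not issued by a CA in the trust list, which is the check that stops an impostor site from presenting its own certificate.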


What about the NSA

Recently, much news has been released surrounding the NSA (and a few other agencies) and its ability to peek into various services and technologies to access information previously thought to be secret. At this time, it’s unknown what exactly they have access to, but it does seem the NSA has direct access to Facebook, mobile phone data, Hotmail and Google services.

They may also have access to SSL connections. The actual encryption ciphers that Sephone uses for SSLs are AES-256 with RSA key generation. Those are by far the most common in current use. The other common encryption ciphers are RC4 and SHA. To break an AES-256 cipher would take the world’s largest supercomputers around 149 trillion years. Seems like a safe bet, but it may be that the NSA has built a back door directly into the SSL protocol. At this time, it’s not known exactly.


Alan has been creating websites since CompuServe was huge. Today he still is developing websites using technologies such as CSS3, HTML5, jQuery and CakePHP.

The Very (Very) Basics of Search Engine Ranking

February 28, 2013

Our Very (Very) Basics series gives a high-level look at hot tech topics. We want these posts to be a way people who don’t normally work with the web, mobile, and marketing can understand the basics without having to deal with all the geeky stuff. If you’d like more information about any of these topics, try searching our blog to find more posts.

There are lots of ways to attract people to your company’s website. You might put it on your business cards. You might add the address to a TV or print ad. But many people will also find your site by searching on a search engine like Google.

Searching is used so often that there’s an entire industry focused on something called SEO, or search engine optimization. People who do SEO make sure that your company’s site has the best chance of appearing when someone searches either for your company’s name or for a word or phrase related to your business.

There are many things you can do to make sure you have the best chance to be one of the first results. (Remember, there are lots of pages on the web competing for those same top spots – there’s no way to guarantee you’ll be #1!) But to understand the basics of how search engines work, we’re going to look at two of the biggest factors: incoming links and keywords.

Incoming links

When you do a search for sites, it’s important that the sites that appear as results are trusted and relevant. Google determines this by the number of other websites that link to your company’s site – and how reputable the sites that link to you are (a huge calculation they call PageRank).

Let’s say for example that your company sells bicycles. One day, someone might take a picture of one of your bikes and post it on their own website. Every link to your site helps! Then the local news does a story about your bikes and links to you from the online story. Since the news is trusted by a lot of people, that helps your site even more. Finally, a national magazine for parents reviews one of your bikes and links to your site. That’s a huge boost to your credibility!

In other words, it’s great to have other sites link to your site. The more links to your site, the better – and if you can attract links from really reputable sites, that’ll help your site move to the top of search results.

(Of course, there are some less-than-reputable people who try to cheat the system by spamming web sites with links or doing other deceitful things. Google recognizes these and can penalize sites if they try to cheat!)

Keywords

How will people find your site? In some cases, they’ll search for your company’s name. There are other cases where finding your site isn’t as straightforward.

Imagine that you run a Mexican restaurant in central Maine. Someone around town has a craving for a meal from south of the border, but they’re new to the area and aren’t sure about their options. What will they do for a search?

It’s not easy to tell. Different people will do different searches to find what they want. In our example, they might search for…

  • Mexican restaurants in central Maine
  • Maine Mexican restaurants
  • Mexican food near Bangor
  • Mexican dining on the Penobscot River
  • best Mexican food in Maine
  • burritos in Bangor

Make sure the copy for the pages on your site includes the kinds of words people will use for a search. If someone searches for “Mexican dining” but the word “dining” isn’t on your site, Google might not rank it as highly as a competing restaurant that is an exact match for the search. Just make sure the text on your site sounds natural to your visitors; if you focus on keywords to the point of making your site sound robotic or artificial (something called keyword stuffing), Google may penalize you for trying to cheat.

If you’d like some help with your search engine marketing and optimization, it’s one of the services we offer at Sephone. We’d also be happy to talk more about some of the other things you can do to make Google and other search engines love your site!

Do you have a topic you’d like to see covered in our Very (Very) Basics series? Leave us a comment to let us know!


Justin is a web and mobile developer at Sephone. He's interested in user-driven design, social media, and web services. He also enjoys learning and exploring new ways for businesses and people to use the web.