It's an unsecure method of communication where everything is sent over the wire in cleartext - it's completely trivial for anyone in a LAN administrator position at a business or ISP to gain access to the LAN, and most networks are even vulnerable to 'sniffing' by non-privileged users of the web. Things are bad enough that you really shouldn't even transmit any passwords without taking additional security measures, unless the things the passwords give access to are entirely trivial - put simply, as a webmaster, you need to be worried about encryption and security. But how can you add them to your website? Well, it's not as difficult as you think, because there's a standardised way of doing it: SSL. What is SSL? SSL stands for Secure Sockets Layer. It is a method of using cryptography to make sure that transmission between a server and a client is secure: in other words, data sent can't be intercepted or tampered with in any way. SSL works using a variety of encryption methods, but the most important feature is that SSL certificates effectively certify that a site is the real thing, which helps to prevent spoofing. When SSL is combined with HTTP, it becomes HTTPS (Secure HTTP), a powerful way for web browsers and web servers to send sensitive data back and forward securely. Levels of Encryption There are 3 main levels of SSL encryption: 40-bit, 128-bit and 256-bit. It's very important to emphasise at this point that 40-bit SSL is now outdated and deprecated: you would be a fool to use it. The only reason 40-bit encryption was available to begin with was because the US government was initially afraid of exporting cryptographic algorithms that were strong enough to be used against them: 40-bit was strong enough for most web uses, but still weak enough that they could break it by brute force with their powerful computers. The US was persuaded to relax the restrictions when the government realised that they were doing nothing but forcing IT development to other countries, but by then there had been widespread adoption of 40-bit encryption. Now, years later, there's really no reason to be using it. You should go for 128-bit as a minimum, and preferably 256-bit - what you can afford will likely be dictated by the value of the goods you sell. If you think anyone is likely to try to break your encryption, you should get the best you can. How Do I Use SSL? If your web host supports SSL, then it should already be all set up for you (if you host your website yourself, then you might like to take a look at the tutorials at modssl.org to get it installed). However, before you can use SSL, you need to get certified - that is, buy an SSL certificate from one of the trusted certificate authorities. The big three are VeriSign, GeoTrust and Thawte, but they charge relatively high prices.
Home
Contact Us
