How can I tell if a web site is using encryption to protect my credit card and other private information?
Each web browser which supports SSL has a visual indication of whether the page being viewed was delivered over an SSL-encrypted connection. Look at the address bar, or in older browsers the status bar at the bottom of the window. If you see a broken key, an open padlock, or no padlock at all, encryption is not being used. If the key is whole, or the padlock is closed, you are in "secure" mode, and the information which was sent to you (like bank account information) was protected from being seen by others while it travelled to you.
Important: this indicates only that the data you are viewing was encrypted when it was transmitted to you. What matters for your credit card number is that the data you fill in is encrypted when you submit it. (Think about a blank form on a postcard: it matters little that the empty form can be read by anyone, but you'll want to put the completed form into a sealed envelope, and not just mail a postcard back with your personal information visible.) One caveat to the postcard picture: if the blank form itself arrived unencrypted, someone in the middle could have altered it on the way, for example by changing the address the form submits to, so a blank form delivered over SSL is still preferable.
The data you submit will be encrypted if the form submits to an address of the form "https://www.abcstuff.com/..." instead of just "http://www.abcstuff.com/...". The "https" means HTTP carried over SSL. Unfortunately, it's not always easy to tell whether the form will be encrypted when you click on the "Submit" button, because the padlock describes the page being shown in your browser, not the request your browser is about to send. To make sure, examine the HTML source for the web page and look at the action attribute of the form element before you click Submit. A relative action (one that does not begin with "https://" or "http://") sends the form to the same scheme and host the page itself came from.
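The check described above, done by script rather than by eye, as an added example that is not code from the original page: it pulls every form out of a page's HTML, resolves each action against the page URL (an empty or relative action goes back to the page's own scheme and host), and flags forms that would submit in the clear. The page URL, the HTML and the site name www.abcstuff.com are constructed samples.

```python
"""Audit the forms on an HTML page and report where each one will submit.

Added example, not part of the original page. The page URL and the HTML below
are constructed samples for a hypothetical shop at www.abcstuff.com.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and method attributes of every <form> element."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        self.forms.append({"action": attr.get("action", ""),
                           "method": attr.get("method", "get").upper()})


def audit_forms(page_url, html):
    """Return one record per form: the resolved target, whether the submission
    goes over HTTPS, and any warnings a careful shopper would want to see."""
    parser = FormCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    report = []
    for form in parser.forms:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        submits_secure = urlsplit(target).scheme == "https"
        warnings = []
        if not submits_secure:
            warnings.append("form submits in the clear")
        if not page_secure:
            warnings.append("form page arrived unencrypted; its action may have been altered in transit")
        report.append({
            "action": form["action"],
            "method": form["method"],
            "target": target,
            "submits_over_https": submits_secure,
            "page_over_https": page_secure,
            "warnings": warnings,
        })
    return report


SAMPLE_PAGE_URL = "https://www.abcstuff.com/order.html"   # constructed
SAMPLE_HTML = """
<html><body>
<form action="https://www.abcstuff.com/cgi-bin/checkout" method="post">...</form>
<form action="http://www.abcstuff.com/cgi-bin/checkout" method="post">...</form>
<form action="/cgi-bin/search">...</form>
<form method="post">...</form>
</body></html>
"""  # constructed: one secure form, one cleartext form, a relative one, and one with no action


if __name__ == "__main__":
    for row in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        verdict = "OK  " if row["submits_over_https"] else "WARN"
        print(f"{verdict} {row['method']:<4} {row['action'] or '(page itself)'} -> {row['target']}")
        for note in row["warnings"]:
            print("       " + note)
```

Run it against a saved copy of the order page (view source, save, feed the text to `audit_forms`) together with the URL the page was loaded from; the second argument matters because relative actions inherit the page's scheme.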
What does SSL really mean for me?
The Secure Sockets Layer (SSL), now standardized under the name Transport Layer Security (TLS), provides these important services:
- Authentication -- making sure you are sending your information to the right people, and not someone masquerading as someone else
- Confidentiality -- making sure no one else can "eavesdrop" on your information
- Integrity -- making sure that the information in either direction does not get altered in transit, either accidentally or maliciously by someone else
Every web site using SSL (like our site) must obtain its certificate from a Certifying Authority (CA). How much checking the CA does depends on the kind of certificate. For the simplest kind the CA verifies only that the applicant controls the domain name; for the stricter kinds the process is much like opening a new bank account, with the applicant proving its identity by providing documents about the business and the people who own it. Once the Certifying Authority is satisfied that the documentation is legitimate, it issues a digital "certificate", which means that the CA is vouching for the identity of the web server which uses the certificate.
Think of this as the online digital equivalent of a Notary Public. The certificate shows that the identity of the web site owner has been verified to the extent the CA checked it; with the stricter kinds of certificate the business information (and its real address) is confirmed. The digital certificate is similar to the embossed seal of a Notary Public. It doesn't in and of itself show that the transaction is true and honest; it just means that the identity of the other party has been verified by a third party. It says nothing about whether the web site itself deserves your trust!
The digital certificate, the "voucher of identity" from the Certificate Authority, contains the web server's public key. Your browser uses that key during the SSL handshake to check that it is talking to the holder of the matching private key, and the two sides then agree on the secret keys that encrypt the rest of the session. A server that does not hold the private key cannot complete the handshake, so an imposter gains nothing by copying a legitimate site's certificate.
If your web browser uses SSL to communicate with a secure server, and the certificate presented does not match the name of the site you asked for, was not issued by a CA your browser trusts, or has expired, you'll know immediately because your web browser will pop up a warning. You can also click on the padlock to have your browser show the certificate information, so that you can confirm that the certificate being presented really is for the company you think you are talking to.
Not all Certifying Authorities are trustworthy!
NOTE that some Certifying Authorities are more stringent than others as far as the documentation they require from the company to prove that the company is who they say they are. Examine the SSL Certificate for the web sites you visit, and investigate the CA that issued it to make sure that the CA itself is reputable. You are depending on the CA to vouch for the company, so be sure you trust their opinion.
Examine the certificate for an encrypted web page, and see which CA issued the certificate. If it is "self-signed", the site vouched for itself and no independent party checked its identity; your browser will normally warn you about such a certificate. Know what you are doing!
See which CA issued the certificate and ascertain for yourself whether you feel comfortable trusting their opinion as to the authenticity of the web site you are visiting. See what comes up in a Google or Yahoo search of the CA's name. Determine whether you are relying on a CA who does their homework, instead of "Joe's Fly-By-Night Certificates".
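The checks from the last few paragraphs (which CA issued the certificate, whether it is self-signed, whether it really names the site you asked for, and whether it is currently valid), written out as an added example that is not code from the original page. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so a live certificate can be fed to it; the two certificates, the CA name "Example Trust Services" and the fixed "today" below are constructed samples. Hostname matching follows the RFC 6125 rules browsers apply: names come from the subjectAltName entries when present and from the common name only as a fallback, and a wildcard may stand only for the whole leftmost label.

```python
"""Inspect a server certificate the way a careful shopper would.

Added example, not part of the original page. Certificates and the fixed
evaluation time are constructed samples; the CA named here is fictitious.
"""
import ssl
import time


def rdn_to_dict(name):
    """Flatten getpeercert()'s nested subject/issuer tuples into a plain dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style):
    case-insensitive, and '*' is allowed only as the entire leftmost label,
    where it stands for exactly one label (so '*.com' matches nothing)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_report(cert, hostname, now=None):
    """Summarise the checks a browser makes before it shows a closed padlock."""
    now = time.time() if now is None else now
    subject, issuer = rdn_to_dict(cert["subject"]), rdn_to_dict(cert["issuer"])
    # Names the certificate is valid for: SAN DNS entries if present, else the CN.
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = san_names or [subject.get("commonName", "")]
    matched = next((n for n in names if dns_name_matches(n, hostname)), None)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "subject_organization": subject.get("organizationName"),
        "self_signed": subject == issuer,   # issuer and subject are the same name
        "names": names,
        "matched_name": matched,            # None means the cert is not for this site
        "valid_now": not_before <= now <= not_after,
    }


CA_ISSUED_CERT = {  # constructed sample, in the shape getpeercert() returns
    "subject": ((("countryName", "US"),),
                (("organizationName", "ABC Stuff Inc"),),
                (("commonName", "www.abcstuff.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust Services CA"),)),
    "subjectAltName": (("DNS", "*.abcstuff.com"), ("DNS", "abcstuff.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
SELF_SIGNED_CERT = {  # constructed: issuer equals subject, no SAN at all
    "subject": ((("commonName", "www.abcstuff.com"),),),
    "issuer": ((("commonName", "www.abcstuff.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")  # constructed "today"


if __name__ == "__main__":
    for label, cert in (("CA-issued", CA_ISSUED_CERT), ("self-signed", SELF_SIGNED_CERT)):
        for host in ("www.abcstuff.com", "shop.secure.abcstuff.com"):
            print(label, host, certificate_report(cert, host, now=NOW))
```

To look at a real site, `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()` yields a dictionary in this shape; note that the default context already refuses untrusted or mismatched certificates, so a self-signed one has to be fetched with verification turned off before the report can describe it.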
The biggest fear most people have about using their credit card on the Internet is that some third party will capture the credit card number and use it to run up fraudulent charges. A similar worry is that private information such as name, address, phone number, and so on, will be captured and used by someone else in ways which we did not authorize. SSL encryption ensures that your personal information will not be revealed to an outsider, even if they do happen to catch your Internet communications as they fly by on the Net. It protects the information in transit only; how the merchant stores and handles it once it arrives is a separate question.
Our web store uses 128-bit encryption, with automatic "step-up" to 256-bit encryption to protect your personal information. This is the industry standard, and is the same level of security as used by banks for online banking.
When you send personal information over the Internet, you really want to be sure that it gets to the intended recipient without having been modified. For example, an extremely clever miscreant might change the ship-to address on your order from your address to his address, so that your order is correctly billed to your credit card, but shipped to a different address than you intended. The same SSL connection which guarantees that you are communicating with the right server (authentication) also guarantees that the information sent from one end to the other has not been modified in transit. Every record SSL sends carries an integrity check (a message authentication code) computed with a key that only the two ends know; any change made on the way causes that check to fail, the tampered data is discarded and the connection is dropped, rather than the altered order being accepted.
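The ship-to address attack above, and the integrity check that stops it, as an added example that is not code from the original page. The cipher is a deliberately simple stand-in (SHA-256 used as a keystream generator); the keys and the order record are constructed samples, and real SSL uses standard ciphers and message authentication codes. The point it shows is that confidentiality alone is not enough: with a stream cipher and no integrity check, an attacker who knows where the address field sits can rewrite it without ever learning the key, while the encrypt-then-MAC construction rejects the altered message outright instead of delivering it.

```python
"""Confidentiality without integrity versus encrypt-then-MAC.

Added example, not part of the original page. The keystream cipher is a toy
and the order, addresses and keys are constructed samples.
"""
import hashlib
import hmac
import os


def keystream(key, length):
    """Toy keystream: SHA-256(key || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, plaintext):
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt_only = encrypt_only


def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Encrypt, then append an HMAC-SHA256 tag over the ciphertext."""
    ciphertext = encrypt_only(enc_key, plaintext)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(enc_key, mac_key, message):
    """Check the tag first; tampered data is rejected, never decrypted."""
    ciphertext, tag = message[:-32], message[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return decrypt_only(enc_key, ciphertext)


def redirect_shipment(ciphertext, offset, old_value, new_value):
    """The miscreant's move. With a stream cipher, XORing the ciphertext with
    (old XOR new) at the field's offset rewrites the plaintext field without
    knowing the key; it assumes the attacker knows the layout and the old value."""
    assert len(old_value) == len(new_value)
    delta = xor_bytes(old_value, new_value)
    return (ciphertext[:offset]
            + xor_bytes(ciphertext[offset:offset + len(delta)], delta)
            + ciphertext[offset + len(delta):])


ORDER = b"card=4111111111111111&ship_to=12 Elm St"   # constructed sample order
OLD_ADDR, NEW_ADDR = b"12 Elm St", b"99 Oak Rd"          # same length, attacker's choice
OFFSET = ORDER.index(OLD_ADDR)


def demo_unauthenticated(enc_key):
    """What the merchant decrypts after the tamper: the attacker's address."""
    ct = encrypt_only(enc_key, ORDER)
    return decrypt_only(enc_key, redirect_shipment(ct, OFFSET, OLD_ADDR, NEW_ADDR))


def demo_authenticated(enc_key, mac_key):
    """True if the same tamper is detected, so the merchant never sees the order."""
    msg = encrypt_then_mac(enc_key, mac_key, ORDER)
    tampered = redirect_shipment(msg, OFFSET, OLD_ADDR, NEW_ADDR)  # tag no longer matches
    try:
        verify_then_decrypt(enc_key, mac_key, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    print(demo_unauthenticated(enc_key))          # ship_to now reads 99 Oak Rd
    print(demo_authenticated(enc_key, mac_key))   # True: the altered order is rejected
```

The unauthenticated branch is exactly the failure the paragraph describes, and it holds for any cipher that turns plaintext bit flips into predictable ciphertext bit flips; the authenticated branch is why modern SSL/TLS ties a MAC (or an authenticated cipher mode) to every record.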