Secure Socket Layer (SSL) and Transport Layer Security (TLS) are critical to ensuring that systems are secure when communicating information between sources, such as merchant services transactions and online payments. What are SSL and TLS and how do they affect your business?
By Brian Chow, Chief Technology Officer
You’ve probably heard about Secure Socket Layer (SSL) and Transport Layer Security (TLS). You may have even gotten a notice that you are required to upgrade some of your software for your merchant services to TLS 1.2, but what is it? In the most basic terms, TLS and its predecessor SSL are methods for securing the communication online, operating in similar fashion to create a secure and encrypted communication channel between two points. These two points might consist of your customer’s web browser and your online store. They may also be between your Point of Sale system and your Merchant Services Provider.
When a client system connects to a secure server system, the first thing that happens in a negotiation process. This negotiation determines which version of SSL/TLS to use, which encryption (or cyphersuites to be more specific) is used, and which compression methods are desired. Within this process, the client advertises which versions of SSL/TLS and which cyphersuites it supports, and the server then picks the highest version of SSL and the most preferred cyphersuite that both ends support. Optionally, a compression method that is supported by both sides is also selected.
After this negotiation process, the server sends its SSL certificate. This SSL certificate is cryptographically signed, and the signer must be trusted by your browser, merchant services software, or whatever may be initiating the connection to the secure server. There are many trusted 3rd party signature companies, such as Digicert, Comodo, or Geotrust. Sometimes those companies say they implicitly trust another company, such as GoDaddy, who can issue certificates that are signed by them along with another certificate, called an intermediate certificate, that says GoDaddy’s signature is in turn trusted by GeoTrust, which the client’s system already knows and trusts. This is called the trust chain.
This entire process is to ensure that the client is talking to the correct server, and not a rogue server impersonating the true server, or intercepting the communication, also know as a “man-in-the-middle”. Once trust has been established, the encryption keys are exchanged and from that point on, all data communicated between the systems is unreadable to any parties that the traffic passes through between them. Using this system, both the client and server will know if someone attempts to tamper with the data being passed back and forth.
So, now that we know the overview of how SSL/TLS works, why are people getting notifications that they must upgrade? Well, simply put, the SSL/TLS specifications get improved over time, and processors are doing their due diligence to ensure they are using the latest, most secure methods. Older versions may have cryptographic of implementation flaws that allow them to be defeated, and using the latest version ensures everyone is doing all they can to prevent malicious people from intercepting and/or stealing your personal and confidential information. Beyond that, many merchant services companies have upgraded their SSL certificates identifying their servers, and some software packages need to have their trusted certificate storage updated so that they can communicate with the servers.
Just as the merchant services companies are using secure SSL certificates and TLS for their online communications, so should you and your business. If you have an e-commerce site, having a trusted SSL certificate will give your customers some piece of mind knowing that their information won’t be intercepted. At a minimum, it places a little padlock icon in your customer’s browser when they navigate your site, and optionally, with extended business validation, can turn the whole bar green. This tells the customer that you have been verified by a 3rd party and are who you say you are, giving them confidence that they know who they are dealing with, and possibly, giving you an edge over your less secure competitors.
Brian Chow is the Chief Technology Officer for New West Technologies, Inc. and has over 20 years in the tech industry, including time with IBM, Microsoft, and Intel. His passion for technology extends from the workday into his hobby time, building microcontroller and embedded systems based projects, just for fun. When he’s not immersed in his most current tech project, Brian is also an avid Portland Timbers fan.