E-commerce has flourished because of the ability to perform secure transactions online using the proper tools. These tools are public key encryption and digital certificates.
Public key encryption uses SSL (Secure Sockets Layer) to encrypt all data between the customer's computer and the e-commerce website. Information is sent in encrypted form to the site using the site's public key. Upon receiving the information, the site uses its private key to decrypt the information. This is called a key pair. Interlopers that might capture data en route will find it unreadable.
The problem, however, is that anyone can create a website and key pair using a name that doesn't belong to them. This is where digital certificates come in. Digital certificates are trusted ID cards in electronic form that bind a website's public encryption key to their identity for purposes of public trust.
Digital certificates are issued by an independent, recognized and mutually trusted third party that guarantees that the website operating is who it claims to be. This third party is known as a Certification Authority (CA). Without digital certificates, the public has little assurance as to the legitimacy of any particular website.
A digital certificate contains an entity's name, address, serial number, public key, expiration date and digital signature, among other information. When a Web browser like Firefox, Netscape or Internet Explorer makes a secure connection, the digital certificate is automatically turned over for review. The browser checks it for anomalies or problems, and pops up an alert if any are found. When digital certificates are in order, the browser completes secure connections without interruption.
Though rare, there have been cases of phishing scams duplicating a website and 'hijacking' the site's digital certificate to fool customers into giving up personal information. These scams involved redirecting the customer to the real site for authentication, then bringing them back to the duped website. Other phishing scams use self-signed digital certificates to dispose of the trusted third party or Certificate Authority altogether. The issuer of the digital certificate and the signer are one in the same. A browser will alert in this case, but most users click through anyway, not understanding the difference.
Digital certificates play an integral role in keeping online commerce safe. If your browser alerts you to a problem with a digital certificate, you are well-advised not to click through. Instead, call the business using a telephone number from your statements or phone book, and inquire as to the problem.
Not all Certificate Authorities are equal. Some CAs are newer and less well known. Two examples of highly trusted CAs are VeriSign and Thawte. If your browser does not recognize a Certificate Authority, it will alert you.
