SSL
How SSL Encryption Works
Gateway uses the industry-standard security protocol Secure Sockets Layer (SSL) to encode sensitive information, like your credit card number, that passes between you and Gateway. SSL works by creating a temporary, shared "key" (sort of a digital code book) that lets only the computers on either end of a transmission scramble and unscramble information. To anyone between the sender and the receiver, including all the servers that may relay the message, the SSL transmission is indecipherable gibberish.
Gateway feels SSL makes ordering online just as secure as using your credit cards anywhere else. In fact, after thousands of online transactions worth millions of dollars, no Gateway client has ever reported misappropriation of a credit card number protected by SSL technology.
Here's how Secure Sockets Layer works:
Exchanging "Hellos"
When your browser lands on a secure Web page, the server hosting the secure site sends a "hello request" to the browser. The browser replies with a "client hello." In networked environments (and the Web is the granddaddy of all networked environments), individual PCs are often called "clients." The server, ever the polite one, responds with a "server hello."
Exchanging all these "hellos" lets your browser and the Web page determine the encryption and compression standards they both support. They also exchange a "session ID," a unique identifier for that specific interaction. Once they have greeted each other, the browser asks for the server's "digital certificate." It's the online commerce version of saying "Can I see some ID, please?"
A Digital Certificate
Online companies get digital certificates from a Certificate Authority, like RSA Data Security Inc. or VeriSign Inc. A Certificate Authority verifies a company's identification and then issues a unique certificate as proof of identity.
Sharing the Key
After your browser and our server have shaken hands and your browser has checked our digital certificate, your browser uses information in our digital certificate to encrypt a message back to us that only our server can understand. Using that information, the browser and the server create a "master key." This master key is like a codebook that both sides can use to encode and decode transmissions. Only your browser and our server share that master key and it's good only for that session. Using the unique, shared key, your browser and our server can exchange sensitive information, like your credit card number, in a way third parties can't understand.
When you surf off a secure site, the master keys you once held in common become useless, since they are good for one session only. When you go back to the secure site again, your computer and the server will go through the whole process again and create another master key.
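An added illustration of the master-key step described above (not Gateway's code): it uses the key derivation of TLS 1.2, SSL's successor, as defined in RFC 5246, where the master key is computed from a secret the browser sends encrypted to the server plus the random values carried in the two hellos. The function names and sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

MASTER_SECRET_LEN = 48  # bytes; fixed size of a TLS 1.2 master secret


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: stretch `secret` into `length` bytes."""
    out, a = b"", seed                       # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_master_key(pre_master: bytes, client_random: bytes,
                      server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", randoms)[:48]."""
    seed = b"master secret" + client_random + server_random
    return p_sha256(pre_master, seed, MASTER_SECRET_LEN)


def new_session(pre_master: bytes) -> dict:
    """Simulate one session: fresh hello randoms, both ends derive the key.

    In a real handshake the browser encrypts pre_master to the public key
    in the server's certificate; that transport step is not modelled here.
    """
    client_random, server_random = os.urandom(32), os.urandom(32)
    return {
        "browser": derive_master_key(pre_master, client_random, server_random),
        "server": derive_master_key(pre_master, client_random, server_random),
        # An eavesdropper sees both randoms but must guess the pre-master.
        "eavesdropper": derive_master_key(b"\x00" * 48, client_random,
                                          server_random),
    }


if __name__ == "__main__":
    secret = os.urandom(48)                  # constructed sample pre-master
    first, second = new_session(secret), new_session(secret)
    print("both ends agree:     ", first["browser"] == first["server"])
    print("eavesdropper differs:", first["eavesdropper"] != first["browser"])
    print("new session, new key:", first["browser"] != second["browser"])
```

Because the hello random values are freshly generated for every connection, the derived master key changes each session even if every other input stayed the same.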
Knowing when you are on a secure site
You can tell when you're on a secure site by looking at the drawing of a padlock or key somewhere along the bottom of your browser's window. If the key is unbroken or the lock is closed and golden or glowing, that means you're connected under the cloak of SSL security.
Double-clicking on the lock lets you confirm that you're connected to a secure site and view the site's certificate to make sure for yourself that the name on the certificate matches the company you think you're connected to. Most browsers can also be set to alert you when you enter and leave a secure site.
Is it Safe?
The legal department goes crazy when we speak in absolutes, but SSL makes your online purchases extremely safe. The way to break SSL encryption is with brute force: intercepting the encrypted message containing your credit card number, recording it and then using a computer to try every possible combination until the master key is cracked. To combat even that approach, most keys range from 40 to 1,024 digits long (each digit is either a 1 or a 0). As the number of digits in the key gets longer, the number of possible combinations grows into the trillions. Therefore, the longer the key is, the more secure it is.
We believe strongly in the safety of SSL. Encryption technology continues to evolve, however, so Gateway will continuously review ways to improve security, including new, even more bulletproof encryption methods.