Allowing user interaction with your server is great. But it's also a hacker's favorite hunting ground for unsecured data. This lesson will be about how to stop hackers from stealing your data. No code today, it's just going to be a lecture.
What is a man-in-the-middle attack?
It's a peeping tom with binoculars. He lives across from you but watches your every move. With SSL, you wear a disguise so he doesn't recognize you.
A hacker "sniffs" your internet traffic and sees everything that goes on between the user and the server. They watch you sending emails, submitting forms, watching YouTube or downloading porn. When you log in to your favorite website, they snag your password. This usually happens at public, unsecured Wi-Fi spots like internet cafes.
What is SSL?
SSL stands for Secure Sockets Layer. It gives browsers instructions to encrypt the data before sending it to the server. Anybody looking in will see a garbled mess. All modern browsers support SSL, including Firefox, Internet Explorer 5+, Opera, Safari and Chrome. I won't go into the actual details because it's probably way over your head with computer jargon, but the general idea is to ensure that only the website server gets access to the user's data.
Can SSL encryption be hacked?
Possible? Yes. Probable? Depends. Browsers encrypt the data and the server decrypts it. If the server can do it, so can anybody else. Some companies like VeriSign build for security. The ones you build on your own might be a little less secure.
How do I know a website has SSL?
Check the URL. If it says http:// then the website does not have SSL. If it says https:// then the website has SSL.
If the browser detects an error with the certificate, then it should automatically throw up a giant warning message.
What is VeriSign?
VeriSign is a certificate authority that also offers SSL. They are trusted by a lot of websites, even banks.
What is a certificate authority?
Certificate Authorities are companies that provide their own digital certificate. They ensure that the website really belongs to a certain company and is not a phishing or scamming site. With SSL, they also ensure that only the website owner gets the data and nobody else. They must be trusted by both the website owner and user.
What is a digital certificate?
A digital certificate is your ID on your website. When you do something important at the bank, they are going to want to see photo ID before helping you. If someone knocks on your door claiming they're the police, you should check their badges before opening the door. When someone wants to buy something from your website, they're going to want to see some sort of ID before they give you their credit card information.
Can I trust VeriSign?
If big banking websites trust them, then I think you can too. A better question is, can they trust you? Certificate authorities sell their reputation for a living and they don't want anybody to ruin it. They probably need to invoke their right to refuse service often. If they vouch for you and you turn out to be a hacker, the media backlash alone would be enough to drive them out of business, not to mention the lawsuits for vicarious liability.
What if VeriSign goes rogue?
Then the internet will be in very deep shit.
Can't I just steal the VeriSign logo and stick it on my website?
Please contact your local defense lawyer for assistance. You are charged with fraud and copyright infringement. Your court date is next week.
If they're so great, why don't you use them?
Because my site isn't worth the effort to hack. That, and because I'm just some kid living in a basement, so they probably wouldn't sell me one even if I tried to buy a certificate.
I'm too cheap! Can I create my own digital certificate?
Yes. It's called a self-signed certificate or self-signed SSL certificate. Go Google it if you want to make one. Obviously it's better to have a more reputable company behind your website. If you go into a job interview and tell them the president is your reference, it's probably going to hold more weight than if you told them your mom is your reference.
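Here is what the self-signed route looks like on the command line. This is an added example, not part of the original post; it assumes the openssl CLI is installed, and the host name example.test is a made-up placeholder. It also shows why the browser warning appears: nobody but you has vouched for the certificate, so it only verifies once you explicitly trust it.

```shell
#!/bin/sh
# Added example: make a self-signed certificate and check how it verifies.
# Assumes the openssl CLI is installed; example.test is a constructed host name.
set -eu

# Scratch directory so the throwaway private key never lands in your project.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a fresh private key and a certificate signed by that same key.
# That is all "self-signed" means: the certificate vouches for itself.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example.test" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Prints 1 if the certificate's issuer name equals its subject name, else 0.
# For a CA-issued certificate these differ; for a self-signed one they match.
issuer_is_subject() {
    s=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -issuer | sed 's/^issuer=//')
    if [ "$s" = "$i" ]; then echo 1; else echo 0; fi
}

# Verify against the system's default trust store, the way a visitor's browser
# would. Prints 1 if trusted, 0 if not. Self-signed: expect 0 (the warning page).
verify_as_stranger() {
    if openssl verify "$WORKDIR/cert.pem" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Verify again after explicitly trusting our own certificate as a root.
# This is what happens when a user permanently accepts the browser warning.
verify_as_trusting_user() {
    if openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

make_self_signed
echo "issuer equals subject:      $(issuer_is_subject)"
echo "trusted by a stranger:      $(verify_as_stranger)"
echo "trusted once pinned by user: $(verify_as_trusting_user)"
```

Only the last check succeeds, which is exactly the difference between a certificate a stranger's browser will accept and one that only you trust.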
Of all the tricks you can try to stop hackers, SSL is your first and best line of defense. Without SSL encryption, there's only so much you can do against man-in-the-middle attacks.