SSL encryption for your website

Myth 1. SSL certificates provide user security

Wrong. An SSL certificate does not make a website secure. Remember that the whole point of a certificate is to ensure the data travelling between the browser and the server is protected. Once the data has arrived at its destination, there is no knowing what happens to it. Contrary to popular belief, SSL does not safeguard the data when it is at rest.

The secondary role of SSL is to enable a website to prove that it is legitimate. It establishes that the site is who it claims to be, as it has to have been vetted by a Certificate Authority. The truth of the matter is there is very little vetting involved -- more in Myth 3.

Myth 2. SSL certificates are unbreakable

Wrong, SSL is very breakable. My favourite example of this was when a group of hackers broke the 128-bit gold standard by using a bank of 200 PlayStations. These cybercriminals exploited a flaw in the MD5 algorithm used by most certificate authorities. This allowed the hackers to create and issue their own certificates.

There have also been a number of high-profile "man in the middle" attacks, where a hacker sits between the web browser and the server, intercepting the data. Even the new Extended Verification certificates (indicated by the green bar in the browser) are susceptible.

Myth 3. SSL proves a website is authentic

Correct, but do you or your visitors check? Having an SSL certificate means at some point someone has validated who you are. However, there are many different types of SSL certificate, ranging from those costing £20 a year all the way up to hundreds of thousands. Not surprisingly, the amount of validation conducted varies with each certificate type.
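One way to check how much validation sits behind a certificate, as an added example that is not part of the original article: it reads the subject fields in the format Python's `ssl.SSLSocket.getpeercert()` returns. The classification rule is a heuristic assumed here (no organisation name means only domain control was checked; the extra legal-entity fields indicate extended vetting), and the sample certificates are constructed.

```python
import socket
import ssl

# Subject fields that extended-validation certificates carry and that
# domain-validated certificates do not (assumed heuristic for this example).
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten the nested RDN tuples from getpeercert() into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Infer how much identity vetting the subject fields reflect."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "domain-only"      # CA checked control of the domain, nothing else
    if EV_FIELDS <= fields.keys():
        return "extended"         # a registered legal entity was verified
    return "organization"         # the organisation name was verified


def fetch_cert(host, port=443, timeout=5):
    """Retrieve the validated leaf certificate from a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real sites).
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {"subject": ((("countryName", "GB"),),
                         (("organizationName", "Example Retail Ltd"),),
                         (("commonName", "shop.example"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "GB"),),
                         (("serialNumber", "00000000"),),
                         (("countryName", "GB"),),
                         (("organizationName", "Example Bank plc"),),
                         (("commonName", "www.bank.example"),))}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        fields = subject_fields(cert)
        print(fields["commonName"], "->", validation_level(cert),
              "/", fields.get("organizationName", "(no organisation listed)"))
```

To inspect a live site instead of the samples, pass the result of `fetch_cert("your-hostname")` to `validation_level`.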

Myth 4. SSL is all you need to accept credit card data

Wrong. SSL is perfectly acceptable for the encryption of credit card data, but it's what happens next that's important. I have spoken to many merchants who naively believe SSL is enough. Remember, SSL has nothing to do with securing the data once it's on your server.

In fact, if you are storing card data yourself, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Becoming PCI compliant is a huge undertaking, so the simplest approach is to use a PCI-compliant Payment Service Provider (PSP) (like RBS WorldPay or Sellerdeck Payments), and in that case an SSL certificate isn't required.

Summary

SSL certificates have been with us for a long time, and they remain the best and most secure way to prove a site's identity and encrypt data while on the move. However, security is more than these two points and for your customers' sakes it's important that you understand SSL and go beyond this basic start point.

The article was written by Ben Dyer of E-Commerce supplier Sellerdeck. Originally published on The IT Donut.
