E-commerce relies on public key cryptography and digital certificates to ensure secure transactions. Public key encryption uses SSL to encrypt data, while digital certificates bind a website’s public key to its identity for public trust. Certification authorities issue digital certificates, and browsers check them for anomalies. Phishing scams can hijack digital certificates or use self-signed certificates. It’s important to call the company if there’s a problem with a digital certificate. Not all certificate authorities are equal, and some are more trusted than others, such as VeriSign and Thawte.
E-commerce has flourished with the ability to transact securely online using the proper tools. These tools are public key cryptography and digital certificates.
Public key encryption uses Secure Sockets Layer (SSL) to encrypt all data between the customer’s computer and the e-commerce site. The information is sent to the site in encrypted form, using the site’s public key. After receiving the information, the site uses its own private key to decrypt it. The public key and the private key together are called a key pair. Intruders who might acquire data along the way will find it unreadable.
The problem, however, is that anyone can create a website and key pair using a name that doesn’t belong to them. This is where digital certificates come into play. Digital certificates are electronically trusted identification cards that bind a website’s public encryption key to its identity for public trust purposes.
Digital certificates are issued by an independent, recognized and mutually trusted third party that ensures that the website’s operator is who it claims to be. This third party is known as the Certification Authority (CA). Without digital certificates, the public has little assurance that a particular website is legitimate.
A digital certificate contains an entity’s name, address, serial number, public key, expiration date, and digital signature, among other information. When a web browser such as Firefox, Netscape or Internet Explorer makes a secure connection, the digital certificate is automatically handed over for review. The browser checks for anomalies or problems and, if it detects them, displays a warning. When the digital certificates are in order, the browser completes secure connections without interruption.
While rare, there have been cases of phishing scams that duplicate a website and “hijack” the site’s digital certificate to trick customers into providing personal information. These scams involved redirecting the customer to the real site for authentication, then returning them to the deceptive website. Other phishing scams use self-signed digital certificates to eliminate the trusted third party or certificate authority altogether. The digital certificate issuer and the signer are the same. A browser will warn about this, but most users click through anyway, not understanding the difference.
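The kind of review a browser performs on the certificate fields described above can be sketched in a few lines. This is an added example, not code from the original article: it checks the validity dates, whether issuer and subject are the same (the self-signed case), and whether the certificate names the host being visited. It assumes certificates in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed sample data, and does not verify the CA's signature.

```python
import ssl

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns; all names and dates are made up.
GOOD = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
SELF_SIGNED = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "shop.example"),),),
    "notBefore": "Jan 01 00:00:00 2023 GMT",
    "notAfter": "Jan 01 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example"),),
}
NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")  # fixed clock

def host_matches(pattern, host):
    """Compare a certificate name with the host the user asked for."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def certificate_anomalies(cert, hostname, now):
    """Return the anomalies found among the checks implemented here."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert["issuer"] == cert["subject"]:
        # Issuer equals subject: no independent third party vouches for the key.
        problems.append("self-signed")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("self-signed", SELF_SIGNED)):
        print(label, certificate_anomalies(cert, "shop.example", NOW))
```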
Digital certificates play a vital role in ensuring the security of online commerce. If your browser warns you of a problem with a digital certificate, we advise you not to click through. Instead, call the company using a phone number from your bank statement or phone book and ask about the problem.
Not all certificate authorities are created equal. Some CAs are newer and less well known. Two examples of highly trusted CAs are VeriSign and Thawte. If your browser doesn’t recognize a certificate authority, it will warn you.