3

I need to explain why having an SSL certificate is a good investment for an e-commerce site. How do I do this when the other person is an intelligent business owner but not that tech smart?

  • 7
    Tell them if you don't have one nobody will do business with you, that's usually a driver. – GdD Jul 27 '12 at 09:48
  • Just to clarify a detail, is the question about using SSL/TLS or about having a certificate on your SSL/TLS server? – Bruno Jul 27 '12 at 22:39

8 Answers

7

There are a couple of angles:

  • If they have no technical interest at all, the first aspect is that, as far as I know, the credit card industry requires the encryption of the transmission (and various other things). From a regulatory point of view, this should be enough to push to use HTTPS.

  • For those who want to know a bit more, first explain that plain HTTP traffic happens in the clear.

    Then, if you want to run a demo, you can simulate a MITM attack, but you can also demonstrate passive eavesdropping more easily: plug a machine running Wireshark on the same router¹ as their machine and show them what they're browsing. Of course, only do this if you have obtained the permission from whoever is connected to that network; make sure what you do is legal first in your jurisdiction. Then, explain that anyone with access to the network between their machine and the server could do this. To the non-technical user, this demonstrates at least the need for encryption.

    Certificates in SSL/TLS are really used for authentication, which protects against (active) MITM attacks. Depending on how much attention your users are willing to give to this demo, they may or may not need/want to see a MITM attack in the same way (you can try sslstrip or other kits, although it doesn't necessarily demonstrate the same aspect).

If they understand the need for encryption, they'll understand the need for SSL/TLS (HTTPS) on a website. Thankfully, browsers do implement certificate verification anyway when HTTPS is used, thereby protecting you from both passive eavesdropping and active MITM attacks. This makes the usage of a certificate necessary² (I'm not sure whether your question is specifically on the certificate aspect, or more generally about having to use HTTPS).

Users must never be driven to ignore browser warnings. This also means that they'll need a certificate that's recognised by most browsers by default (this is why an e-commerce website shouldn't use a self-signed cert). PKIs and CAs have their flaws, but they're overall a reasonable compromise for most users.

Then, whether you want to go for an EV certificate or not is up to you. CAs certainly have a vested interest in promoting them. I'm not sure whether this is working, but their marketing is certainly well done and should work for someone who uses their brochures as a starting point without wanting to know too much.

In addition to all this, an e-commerce website should be implemented correctly: no mixed content in particular. Secure cookies are good too. Use HTTP Strict Transport Security if you can.

1. I use that term loosely here, assuming a home router that also acts as a hub/switch.

2. I'm not sure any browser supports null ciphers or certificates other than X.509 anyway. They certainly don't with the default settings.

Bruno
  • 10,765
  • 1
  • 39
  • 59
2

Use SET (Social Engineering Toolkit) from BackTrack to clone the front page of the bank the business owner has an account with. Set it up on an Apache server on port 80.

Make a DNS poisoning attack or MITM (ARP) and tell the business owner to log in to his bank account. In the meantime fire up tcpdump -X -s0 and show him his username and password.

Tell him this would be much harder if the connection were encrypted :)

mnmnc
  • 370
  • 2
  • 8
1

Your customers will feel more secure when they are making purchases using a SSL connection. Even if your customers do not understand what SSL is, they can visually see the secure connection. The secure connection may look like a lock or something green. Green is good?

The biggest real advantage is that it's harder to perform MITM because they need to strip the SSL layer off to do so. Public networks will not simply be able to see your clear text data. However, customers probably will not make purchases over a public network.

ponsfonze
  • 1,332
  • 11
  • 13
0

SSL encrypts the traffic between the client and the server. Without it, all the communication is in plain text, including passwords, credit card details, etc. Probably the simplest explanation I could think of :)

Gediminas
  • 101
  • 1
  • 1
    You don't have to buy a certificate in order to use SSL, you can use a self-signed one. I don't think Vlad's asking about explaining SSL, but why they should buy a certificate. – GdD Jul 27 '12 at 10:05
  • 1
    It's a bad idea to use a self signed certificate for an eCommerce website. – ponsfonze Jul 27 '12 at 15:48
  • SSCs have no third-party verification. They're useful when the two computers can be "introduced" in a secure setting and exchange the certificate, which the client can then trust implicitly. But when a user's browsing to your website from home, your S-S certificate is no more trustworthy than the one from the guy in China who's hacked a DNS to redirect requests for your site to his server. – KeithS Jan 15 '13 at 00:52
0

An SSL certificate is a conformance requirement. Not having one is a liability. Furthermore, SSL certificates are free.

If you tell him that and he does not get an SSL certificate right away, then he really should not try to do e-commerce.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 1
    StartSSL doesn't officially provide free certs for eCommerce sites. When I've requested certs from them for domains that contain words like "shop" or "sale" in the name, they get flagged for review and then rejected. From an email I received after inquiring why: "Thank you for requesting a digital certificate with us. However Class 1 certificates are not meant to be used for commercial activities or financial transactions. For this purpose please consider upgrading to Class 2 or higher verification level." Even when not flagged, using their certs this way is probably a violation of their TOS. – Chris Kuehl Jan 16 '13 at 23:45
0

First off, an HTTPS-enabled site, which requires an SSL certificate, is flat required for PCI compliance, which is in turn a requisite enforced by the credit card companies and servicers for accepting credit card payments on the site. So if you want your users to pay you via website using something you control (and not just PayPal integration), you're getting an SSL certificate.

Second, an X.509 certificate signed by a CA, and HTTPS transport for the entire site, not just the payment sections, will reduce bounce rate by telling your users that they're in the right place. Most browsers will add some special touch to the Address bar when a site's SSL certificate checks out; Chrome turns the HTTPS:// text green and gives you a green lock, while IE shows a gold lock in with the other icons.

Third, if you go the extra step and get an EV-SSL certificate (which requires a rigorous proof of identity for not only the server and domain, but the company that is receiving the certificate), then your users' browser bar turns green, identifying your site, and you as a company, as having VeriSign's highest level of proof of identity. That will further reduce bounce rate as your users will be very confident of your site.

Be aware that an SSL certificate is only half the equation; your site must also be providing 100% of the displayed content of every page over that HTTPS channel. That usually means that your site must host or proxy all of the displayed content, including third-party ad banners, social media controls, etc.

KeithS
  • 6,678
  • 1
  • 22
  • 38
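Bruno's closing advice (no mixed content, Secure cookies, HSTS) and KeithS's point that every displayed resource must come over the HTTPS channel can be checked mechanically. The following is an added example, not code from any of the answers: it audits one captured HTTPS response for those three deployment mistakes. The response is constructed for the example; the hostnames in it are placeholders.

```python
"""Audit an HTTPS response for mixed content, non-Secure cookies and missing HSTS.
Added example; SAMPLE_RESPONSE is constructed, not captured from a real site."""
from html.parser import HTMLParser

# Constructed sample response with one of each problem (placeholder hostnames).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"        # no Secure flag
    "Set-Cookie: cart=42; Path=/; Secure; HttpOnly\r\n"        # fine
    "\r\n"
    "<html><body>"
    "<img src='http://ads.example.net/banner.png'>"            # mixed content
    "<script src='https://cdn.example.com/app.js'></script>"   # fine
    "<script src='//widgets.example.org/share.js'></script>"   # scheme-relative: https on an https page
    "<a href='http://example.com/help'>help</a>"               # a link navigates, it is not a sub-resource
    "</body></html>"
)

# (tag, attribute) pairs that load a sub-resource into the page. A plain http://
# URL in one of these is mixed content; plain links (<a href>) are not.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
                  ("audio", "src"), ("video", "src"), ("source", "src")}


class _MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure_urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and value.lower().startswith("http://"):
                self.insecure_urls.append(value)


def split_response(raw):
    """Return ([(lowercased-name, value), ...], body) for a raw HTTP/1.1 response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]                       # drop the status line
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return [(k.strip().lower(), v.strip()) for k, v in pairs], body


def audit(raw):
    headers, body = split_response(raw)
    finder = _MixedContentFinder()
    finder.feed(body)
    insecure_cookies = [v.split(";")[0] for k, v in headers if k == "set-cookie"
                        and "secure" not in [a.strip().lower() for a in v.split(";")[1:]]]
    has_hsts = any(k == "strict-transport-security" for k, _ in headers)
    return {"mixed_content": finder.insecure_urls,
            "insecure_cookies": insecure_cookies, "hsts": has_hsts}
```

Pointing `audit()` at a real response captured from your own site gives the list a browser would complain about; all three findings should be empty or true before the site goes live.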
0

SSL certificates for a website help users know that they are on a trusted and genuine website that will not steal any of their information. SSL is important for an e-commerce website because at the time of payment everyone looks for a secure connection so that private and most important information, like the credit card number or CVV number, is not illegally stolen; so SSL confirms that the website is taking its security measures to keep the private data safe. Moreover, it helps in the encryption of traffic to keep the data transmission safe.

Skynet
  • 598
  • 5
  • 12
-1

SSL Certificates are designed to do two things:

1) Provide verification to the end user that the site that they are visiting is legitimate (and the site is who they claim to be), because of the verification process that is involved in obtaining the certificate.

2) Provide the public key necessary to encrypt traffic between the user's web browser and the server.

Granted, both of those items can be circumvented. But having a certificate installed is much much better than not having one. Especially for an E-commerce site.

EDIT: Clarification to point 2, suggested by Bruno

MCR
  • 101
  • 1
  • 1
    No, certificates have nothing to do with the encryption side of SSL/TLS, that's done by symmetric keys negotiated during the handshake. The point of the certificate is to perform this key exchange with authentication. – Bruno Jul 28 '12 at 12:38
  • You still have point 2 wrong: the certificate's public key is not directly involved in the encryption; the encryption key is randomly generated at the beginning of the session. The certificate's key pair is used to encrypt the session key to send it to the other party in some TLS modes (most modes use Diffie-Hellman instead). And it is important to avoid a man-in-the-middle: without the server authentication (your point 1), the parties would have no way to know whether they had agreed on a secret key between them or whether they'd separately agreed with a MitM. – Gilles 'SO- stop being evil' Jul 31 '12 at 08:48