Hacker Safe		100% Secure Shopping

SSL Defined
Secure Sockets Layer (SSL), originally developed by Netscape Communications, is an information technology for securely transmitting information over the Internet. The SSL protocol has become the universal standard on the Web for authenticating Web sites to Web browser users, and for encrypting communications between browser users and Web servers.

Server certificates are available from Certificate Authorities (CAs) such as (GeoTrust / Equifax Secure Global eBusiness CA-1) - trustworthy, independent third parties that issue certificates to individuals, organizations, and Web sites. CAs use thorough verification methods to ensure that certificate users are who they claim to be before issuing them. CA's own self-signed SSL digital certificates are built into all major browsers and Web servers, including Netscape Communicator and Microsoft Internet Explorer, so that simply installing a digital certificate on a Web server enables SSL capabilities when communicating with Web browsers.

SSL server certificates fulfill two necessary functions to establish e-commerce trust:

• SSL server authentication: Server certificates allows users to confirm a Web server's identity. Web browsers automatically check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) - such as GeoTrust - included in the list of trusted CAs built into browser software. SSL server authentication is vital for secure e-commerce transactions in which users, for example, are sending credit card numbers over the Web and first want to verify the receiving server's identity.
• SSL encryption: SSL server certificates establish a secure channel that enables all information sent between a user's Web browser and a Web server to be encrypted by the sending software and decrypted by the receiving software, protecting private information from interception over the Internet. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering: that is, for automatically determining whether the data has been altered in transit. This means that users can confidently send private data, such as credit card numbers, to a Web site, trusting that SSL keeps it private and confidential.

How SSL Server Certificates Work
SSL Certificates take advantage of SSL to work seamlessly between Web sites and visitors' Web browsers. The SSL protocol uses a combination of asymmetric public key encryption and faster symmetric encryption.

The process begins by establishing an SSL "handshake" - allowing the server to authenticate itself to the browser user, and then permitting the server and browser to cooperate in the creation of the symmetric keys used for encryption, decryption, and tamper detection:

1. A customer contacts a site and accesses a secured URL: a page secured by a SSL Certificate (indicated by a URL that begins with "https:" instead of just "http:" or by a message from the browser). This might typically be an online order form collecting private information from the customer, such as address, phone number, and credit card number or other payment information.
2. The customer's browser automatically sends the server the browser's SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.
3. The server responds, automatically sending the customer's browser the site's digital certificate, along with the server's SSL version number, cipher settings, etc.
4. The customer's browser examines the information contained in the server's certificate, and verifies that:

If the server cannot be authenticated, the user is warned that an encrypted, authenticated connection cannot be established.

5. If the server can be successfully authenticated, the customer's Web browser generates a unique "session key" to encrypt all communications with the site using asymmetric encryption.
6. The user's browser encrypts the session key itself with the site's public key so that only the site can read the session key, and sends it to the server.
7. The server decrypts the session key using its own private key.
8. The browser sends a message to the server informing it that future messages from the client will be encrypted with the session key.
9. The server then sends a message to the client informing it that future messages from the server will be encrypted with the session key.
10. An SSL-secured session is now established. SSL then uses symmetric encryption, (which is much faster than asymmetric PKI encryption) to encrypt and decrypt messages within the SSL-secured "pipeline."
11. Once the session is complete, the session key is eliminated.

It all takes only seconds and requires no action by the user.

The Netscape Navigator and the Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without an SSL server certificate), the browsers will, by default, show a warning.

In contrast, if a user submits credit card or other information to a site with a valid server certificate and an SSL connection, the warning does not appear. The secure connection is seamless, but visitors can be sure that transactions with a site are secured by looking for the following cues:

• The URL in the browser window displays "https" at the beginning, instead of http.
• In Netscape Communicator, the padlock in the lower left corner of the Navigator window will be closed instead of open.
• In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window.