Secure eHost - esolutions for ebusiness

Security


Digital Certificates

Digital Certificates authenticate YOU, the merchant. They enable your cautious online customers to be certain they are dealing with a real organisation that actually exists, i.e. you prove to them that you are who you say you are. Certifying Authorities issue Digital Certificates after you have successfully complied with their stringent verification process. Thawte is a world leader in issuing cost-effective Digital Certificates. Secure eHost is an Authorised Thawte Channel Partner and can assist you to establish your own Digital Certificate.

You will require your own Secure SSL Server set up on our hosting servers when you establish a Digital Certificate.

Our Ecommerce Packages include use of our Secure eHost Digital Certificate and Secure SSL Server for accepting secure credit card transactions. But if you would like us to assist you to establish your own Digital Certificate please contact us for more information.



SSL (Secure Socket Layer)

When shopping on the Internet, website visitors generally have no reliable way of knowing who owns the website (online store). When a customer visits a website with the intent of making an online purchase, they want to know whom they'll be paying. They want proof of the identity of the website owner, and they want to know that the personal information they send to the website cannot be intercepted by other Internet users. This is where SSL digital certificates come to the fore.

SSL (Secure Socket Layer) is a protocol developed by Netscape that enables a web browser and a web server to communicate securely; it allows the web browser to authenticate the web server. The SSL protocol requires the web server to have a digital certificate installed on it in order for an SSL connection to be made.

Thanks to an SSL-enabled web server and a Thawte SSL certificate, a customer connecting to a secure website is assured of three things:

  • Authentication: The website really is owned by the company that installed the certificate.
  • Message privacy: Using a unique session key, SSL encrypts all information exchanged between your web server and your customers, such as credit card numbers and other personal data. This ensures that personal information cannot be viewed if it is intercepted by unauthorized parties.
  • Message integrity: The data cannot be tampered with over the Internet.

By checking the details in an SSL certificate, you can be sure that the website you are dealing with is in fact the website you want to be dealing with. You also know that a third party on the Internet cannot intercept your credit card or personal details.



How to Tell if a Website is Secure

Valid certificate: If a secure SSL connection is established between the web browser and the web server, the "http" in the web address will normally change to "https". For example, http://ssl.secureehost.com.au becomes https://ssl.secureehost.com.au.

The SSL connected browser will also display the "locked" icon. To test whether a site has a valid certificate, try to initiate a secure connection with that website by accessing the URL using the https:// prefix instead of http://. 



Browser Warnings

When you submit information to a website that does not have an SSL certificate, your browser should present you with a warning message.

If, however, a website is using a valid digital certificate, then the web user will be informed that the website they are visiting has a digital certificate issued by a recognized Certifying Authority (such as Thawte), and that any data they submit to that site will be encrypted.

Your browser should also display the following message when connecting to a secure webpage.

SSL Alert

By clicking on the padlock icon located in the browser's bottom scrollbar and checking the certificate, the customer can verify that the website is valid and who it belongs to.



What is an SSL Certificate?

Below is an example of what a digital certificate looks like when viewed by a web user using Microsoft Internet Explorer browser.

SSL Certificate



An SSL certificate contains the following information:

  • The domain for which the certificate was issued.
  • The owner of the certificate (who is also the person/entity who has the right to use the domain).
  • The physical location of the owner.
  • The validity dates of the certificate.

When you connect to a secure web server such as https://ssl.secureehost.com.au, that server authenticates itself to the web browser by presenting a digital certificate.

This authentication is quite a complex process that involves the exchange of a "public key" and the use of a "session key" for encryption. The process is seamless to the user. The certificate serves as proof that an independent trusted third party, such as Thawte, has verified that the server belongs to the company it claims to belong to. A valid certificate gives customers confidence that they are sending personal information securely, and to the right place.
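The checks described above can be run by hand with the OpenSSL command line. The following is an added example, not part of the original page: it builds throwaway self-signed certificates, reads the listed fields, and shows that identical names do not make a certificate trusted unless a known authority's key signed it. The function names, the host name `shop.example.test` and the organisation details are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: builds a throwaway self-signed certificate (constructed
# names, not a real site) and checks the fields listed above.
make_demo_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/C=AU/L=Sydney/O=Example Pty Ltd/CN=shop.example.test" \
        -addext "subjectAltName=DNS:shop.example.test" 2>/dev/null
}

# Domain, owner, location (subject), who vouches (issuer), validity dates.
cert_fields() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# Succeeds only if the certificate was issued for host name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Succeeds only if the certificate has not expired yet.
cert_is_current() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Succeeds only if the certificate chains to a CA in bundle $2.
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

A=$(mktemp -d); B=$(mktemp -d)
make_demo_cert "$A"; make_demo_cert "$B"   # same names, different keys
cert_fields "$A/cert.pem"
cert_matches_host "$A/cert.pem" shop.example.test && echo "host name: ok"
cert_is_current   "$A/cert.pem"                   && echo "validity: ok"
# Identical subject text is not enough: B's key never signed A.
cert_chains_to "$A/cert.pem" "$B/cert.pem" || echo "not vouched for by B"
```

A browser performs the same three checks (host name, validity period, chain to a trusted authority) before it shows the padlock.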



The role of Thawte

Thawte Certification issues server certificates to organizations and individuals worldwide. Thawte verifies that the company requesting the certificate is who it says it is, and that it has authorized the certificate. Thawte also checks that the company in question owns the relevant domain.

Thawte Official ISP Partner



Encryption using WinPT / GnuPG

As an added security measure on top of the SSL Certificate, we also use an encryption/decryption process to ensure that customer credit card details are encrypted when sent from our servers.

Our FlexeGate Online Stores and Secure Forms by default process credit card payments utilising an industry standard encryption method based on GnuPG and WinPT software.

Your customer's credit card details are encrypted before they leave our Secure Servers, which ensures maximum protection as they travel from the secure webserver via email to your office computers.

These details can then only be decrypted by you and no one else.

Encrypted Data Example

For a full explanation of the security used by our manual payment processing option see below.

WinPT (Windows Privacy Tray) is a taskbar utility for performing data encryption or decryption. This program is free software under the terms of the GNU GPL. WinPT uses the GNU Privacy Guard for this, because it is a widely used and free utility for this purpose. WinPT is a so-called "front end" for GnuPG. It supports all common commands for encryption and decryption, key transport via the clipboard and, of course, creating and verifying signatures.

GnuPG (GNU Privacy Guard) is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC 2440 (OpenPGP) compliant application. PGP is a public key cryptosystem. That means that it uses 2 different keys for encrypting and decrypting data. Every user will have their own key pair (2 keys). One is called a "secret key", which is used with a secret password (called a passphrase) to decrypt all of your encrypted order emails from your online FlexeGate Store or Secure Form. The other is your "public key", and this is given to us to integrate into your FlexeGate Store or Secure Form. Our Secure Server uses your public key to ENCRYPT your order emails before sending them to you, and you will then use your secret key to DECRYPT them.

Security is NOT compromised by giving out your public key, and that is the beauty of the whole process. In fact, you must give out your public key to anyone who wants to encrypt a message to you. It does not matter if an adversary gains access to your public key, because all they can do with it is encrypt messages that only you will be able to decrypt. The GnuPG program is designed so that you cannot accidentally give out your secret key. GnuPG automatically brings up your secret key when it needs to, so you will never have to worry about it after it is created; there is no need to select a secret key to use for decryption. All you need to do is generate a key pair and give out a copy of your public key to us.
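The key-pair workflow described above, as an added example using the GnuPG command line (not Secure eHost's own code): two throwaway keyrings stand in for the merchant's computer and the web server, and the server, holding only the public key, can encrypt an order but cannot read it back. The identity, passphrase, order text and function names are constructed, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: two throwaway keyrings stand in for the merchant's PC and
# the web server. Names, passphrase and order text are constructed.
MERCHANT=$(mktemp -d); SERVER=$(mktemp -d)
chmod 700 "$MERCHANT" "$SERVER"
KEY_ID="orders@shop.example.test"
PASS="constructed-demo-passphrase"

g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --yes "$@"; }

# Merchant: create the key pair, then export ONLY the public half.
merchant_setup() {
    g "$MERCHANT" --pinentry-mode loopback --passphrase "$PASS" \
        --quick-generate-key "$KEY_ID" default default never 2>/dev/null
    g "$MERCHANT" --armor --export "$KEY_ID" > "$MERCHANT/public.asc"
}

# Server: import the public key and encrypt stdin to it.
# --trust-model always skips the web of trust; in production, compare the
# key fingerprint with the merchant out of band before importing.
server_import()  { g "$SERVER" --import "$1" 2>/dev/null; }
server_encrypt() {
    g "$SERVER" --trust-model always --armor \
        --recipient "$KEY_ID" --encrypt
}

# The server holds no secret key, so this must fail.
server_decrypt() { g "$SERVER" --decrypt "$1" 2>/dev/null; }

# Merchant: secret key plus passphrase recover the order.
merchant_decrypt() {
    g "$MERCHANT" --pinentry-mode loopback --passphrase "$PASS" \
        --decrypt "$1" 2>/dev/null
}

cleanup() {
    for h in "$MERCHANT" "$SERVER"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null
        rm -rf "$h"
    done
}

ORDER="Order 1001: card 4111 1111 1111 1111 (constructed test number)"
merchant_setup && server_import "$MERCHANT/public.asc"
printf '%s\n' "$ORDER" | server_encrypt > "$SERVER/order.asc"
server_decrypt "$SERVER/order.asc" || echo "server cannot decrypt"
merchant_decrypt "$SERVER/order.asc"
```

Call `cleanup` afterwards to stop the temporary agents and delete both keyrings.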
