What Makes a Site Secure?

By Brian Brolin, Senior Web Developer  •  Edited by Neil Bass

Fact:  Shopping online is no less safe than shopping in a store or by mail. As more companies begin to purchase online, Internet security has become even stronger. Consumers want a guarantee that their information will remain safe and secure while it rides the Information Highway. This guarantee comes in the form of SSL technology.


SSL Technology in Action

SSL (Secure Sockets Layer) is the industry standard for protecting Web communications. SSL technology is easy to detect when you know what to look for. To be sure the information you send is secure, check for the following:

  • The Web address (top of browser) begins with "https:" rather than "http:"

  • A padlock icon appears in the Status Bar (bottom of browser)

As a rule of thumb, perform the above checks whenever you're on a page that prompts you for credit card information or other sensitive data.


NOTE:  SSL is typically used ONLY when sensitive information is being transmitted. Most Web pages avoid data encryption in favor of better download times.



The Basics of SSL

What does SSL technology really do to protect information?

Data Encryption:

SSL protocols encrypt information using a technique called public key encryption. This technique uses a pair of asymmetric "keys" for encryption and decryption. Each pair of keys includes a public key and a private key. Data "locked" with the public key can only be "unlocked" using the private key and vice versa. Generally, the public key is a fixed value assigned to the corporate Web site from which you're purchasing. As its name implies, it is public and can be accessed by anyone. The private key is composed of a string of numbers and letters randomly generated to accompany each piece of secured information you send.

There are two varieties of SSL: 40-bit encryption and 128-bit encryption. This number refers to the length of the private key. The longer the key, the harder it is to crack the encryption code. Because 128-bit encryption is not yet universally supported, most e-commerce sites (including our own) use 40-bit encryption. Although 40-bit encryption is not as strong as its 128-bit cousin, the security it provides is over 99% effective.

Server Authentication:

Authentication is the process of verifying identity so that the consumer can be sure that the selling party is who it claims to be. But if the public key can be accessed by anyone, how can you be certain that the company you're purchasing from isn't just some hacker who's using the public key of a legitimate company?

To solve this problem, the standards community invented what's known as a digital certificate. A digital certificate's primary function is to permanently bind a public key to a name. Any business that applies for a digital certificate is thoroughly inspected to be sure it's a legitimate company. All certificates include the following information:

  • The certificate issuer's name (i.e., a trusted organization, such as Thawte or Verisign)

  • The entity for whom the certificate was issued (i.e., the company)

  • The Web address

  • The public key

  • The dates of validity

Digital certificates must be renewed every year (for a moderate fee). This helps the certifying bodies to keep accurate records and further ensures the validity of a business. You can access a company's digital certificate by double-clicking on the padlock icon in the status bar. Figure 1 shows the general information for our digital certificate.

Fig. 1:  Certificate Information for ivstandards.com (2002-2003)
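The checks a browser applies to the certificate fields listed above, as an added example that is not from the original article. The certificate is a constructed sample in the dict form Python's `ssl.SSLSocket.getpeercert()` returns, and `review_certificate`, `flatten` and all names and dates are hypothetical.

```python
import ssl

# Constructed certificate in the dict form returned by ssl.SSLSocket.getpeercert().
# All names and dates are sample values, not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust Server CA"),)),
    "subject": ((("organizationName", "Example Standards, Inc."),),
                (("commonName", "www.shop.example"),)),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Jan  1 00:00:00 2004 GMT",
}

# Two constructed points in time (seconds since the epoch) for the demonstration.
IN_WINDOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2003 GMT")
EXPIRED = ssl.cert_time_to_seconds("Jun  1 00:00:00 2004 GMT")

def flatten(name):
    """Turn the nested name tuples into a simple {field: value} dict."""
    return {key: value for rdn in name for key, value in rdn}

def review_certificate(cert, visited_host, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    issuer, subject = flatten(cert["issuer"]), flatten(cert["subject"])
    if not issuer.get("organizationName"):
        problems.append("issuer is not named")
    if not subject.get("organizationName"):
        problems.append("no organization named as certificate holder")
    # The Web address in the certificate must be the one actually visited.
    # Exact match only; real clients also handle wildcard names.
    dns_names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if visited_host.lower() not in dns_names:
        problems.append(f"certificate does not cover {visited_host}")
    # Dates of validity: 'now' must fall inside the window.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside the dates of validity")
    return problems
```
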


Message Integrity:

To further ensure the security of electronic transactions, message authentication codes (MACs) are used. A MAC is a piece of data that is computed by using a "secret" sent along with the transmitted data. This secret can only be decoded with the private and public keys.

Remember, the private key is a value that is temporarily generated to be used by the consumer. The public key proves (via a digital certificate) that the selling entity is in fact a legitimate company. Let's say that information transmitted between the two is stamped with 128-bit MAC values. The chances that someone other than the consumer (with the private key) or the company (with the public key) can decipher these MAC values are approximately 1 in 18,446,744,073,709,551,616 -- for all practical purposes, never.
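How a per-record MAC catches tampering and replay, as an added example that is not from the original article. It follows the TLS 1.0 record MAC layout (sequence number, type, version, length, payload); HMAC-SHA256, the constructed shared key, the sample payloads and the `Sender`/`Receiver` classes are assumptions, and encryption is left out.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23          # TLS record content type
VERSION = (3, 1)               # TLS 1.0 as written on the wire
TAG_LEN = 32                   # HMAC-SHA256 output length in bytes

def record_mac(mac_key, seq_num, content_type, fragment):
    """HMAC over the sequence number, record header fields and payload."""
    header = struct.pack("!QBBBH", seq_num, content_type, *VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def protect(self, fragment):
        tag = record_mac(self.mac_key, self.seq, APPLICATION_DATA, fragment)
        self.seq += 1          # each record gets the next sequence number
        return fragment + tag

class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def accept(self, record):
        """Return the payload, or None if the MAC does not verify.
        (A real TLS endpoint would also close the connection.)"""
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.mac_key, self.seq, APPLICATION_DATA, fragment)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        self.seq += 1
        return fragment

def demo():
    key = bytes(range(32))     # constructed key; real keys come from the handshake
    tx, rx = Sender(key), Receiver(key)
    first = tx.protect(b"order=1001;item=sample")
    second = tx.protect(b"order=1001;amount=25.00")
    tampered = second.replace(b"25.00", b"95.00")   # payload changed in transit
    # genuine record, tampered record, replay of the first record, genuine second
    return (rx.accept(first), rx.accept(tampered), rx.accept(first), rx.accept(second))
```
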


Additional Resources

Visit the following sites for more information about safe Internet shopping and securing your online information:


An Inorganic Ventures Publication - January 2003
