First: HTTPS:// HTTP:// . Do you see the difference? Of course, one has an S at the end, the other does not. The S stands for secure. All you have to remember is: it stands for your security.
SSL or Secure Sockets Layer was first established by Netscape and is the web standard for exchanging sensitive information between a server and your computer (the client). SSL is now supported by all leading browsers: Internet Explorer, Mozilla, Firefox, Safari, Opera, Chrome and others.
When you connect to a secure server, your browser asks for the server’s digital Certificate of Authority. This certificate authenticates the server’s identity as a secure server and ensures you that you will safe in transmitting sensitive to that server and receiving sensitive data from that server. It assures you that you are not connecting to an imposter site or communicating with a hacker.
Every time you conduct a session with a secure server, a session key is created. The current web standard is for a 128-bit session key to be issued at the beginning of the session. No one can break into that session without that randomly generated 128-bit session key. The only two computers that know the key for that session is your computer and the secure server. There’s absolutely no way anyone can “hack” into that session, or “spy” on it. The 128-bit session key has 2 to the 128th power or 2 x 2 x 2 (128 twos) characters. No hacker or criminal, even if they were using a bank of super computers, using brute force password crackers, could break the security of your session. When the session is over, the key expires. If you need to go back to that server to make another transaction, you’ll have to go through the authentication process all over again. Fortunately, all this authentication and the issuance of the session key happens so quickly you don’t notice a thing. But behind the scenes, your computer is verifying the secure server’s authenticity, and the server is generating and exchange a unique 128-bit session key known only to your computer and the secure server.
Here’s a really good explanation of 128-bit encryption that should give you some idea how secure your transactions are online. The following appeared in an article was written by the folks at Inet. You can read the rest of the article here.
“…SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that even if someone did manage to decrypt a transaction, that would not mean that they would have found the server’s secret key; if they wanted to decrypt another transaction, they’d need to spend as much time and effort on the second transaction as they did on the first. Of course, they would have first have to have figured out some method of intercepting the transaction data in the first place, which is in itself extremely difficult. It would be significantly easier to tap your phone, or to intercept your mail to acquire your credit card number than to somehow intercept and decode Internet Data.
Servers and browsers do encryption ranging from a 40-bit secret key to a 128-bit secret key, that is to say ‘2 to the 40th power’ or ‘2 to the 128th power’. Many people have heard that 40-bit is insecure and that you need 128-bit to keep your credit card info safe. They feel that using a 40-bit key is insecure because it’s vulnerable to a “brute force” attack (basically trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated when a French researcher used a network of fast workstations to crack a 40-bit encrypted message in a little over a week. Of course, even this ‘vulnerability’ is not really applicable to applications like an online credit card transaction, since the transaction is completed in a few moments. If a network of fast computers takes a week to crack a 40-bit key, you’d be completed your transaction and long gone before the hacker even got started.
Of course, using a 128-bit key eliminates any problem at all because there are 2^128 instead of 2^40 possible keys. Using the same method (a networked of fast workstations) to crack a message encrypted with such a key would take significantly longer than the age of the universe using conventional technology. Remember that 128-bit is not just ‘three times’ as powerful as 40-bit encryption. 2^128 is ‘two times two, times two, times two…’ with 128 two’s. That is two, doubled on itself 128 times. 2^40 is already a HUGE number, about a trillion (that’s a million, million!). Therefore 2^128 is that number (a trillion), doubled over and over on itself another 88 times. Again, it would take significantly longer than the age of the universe to crack a 128-bit key…”
When identity theft occurs, it does not occur during a secure transaction. Buying and banking online is as safe (or safer) than driving to your bank and doing your banking there – or using your credit card while shopping at your local mall or shopping center. If you listen to those selling some security software, like firewalls, or like the “Rapport” service, or anti-phishing programs (remember all current versions of the most popular browsers already have anti-phishing protection), you’d think you were in danger of losing everything every time you made a transaction online. It’s just not true. It’s an example of using scare-tactics and half-truths to create artificial markets. These fear-mongering software developers create fear and then make money from that fear. It’s a shameles and endless game. These software developers are like the charlatan snake oil salesmen of old. But you don’t have to fall pray to their fear tactics. Learn all you can about your computer and the Internet; educating yourself is the best way to ensure that you’ll never fall pray to these shameless snake oil salesmen. Billions of dollars are wasted by fearful Internet users who don’t understand the way the Internet works and who think the answer to their safety online is to load up their computers with useless software proffered by fear mongers whose real motivation isn’t protecting users from harm, but lining their own pockets.
Remember, any time you do online banking, online shopping, or conduct any transaction which requires you to enter your social security number, credit card numbers, or any other kinds of sensitive data, make sure the URL (web address) starts with HTTPS:// and not HTTP://. And don’t click links in email that ask you to click to change your banking or credit card information or password. No bank or credit card company is going to send you an email asking you to click a link in an email and verify your password or information. If a bank or other financial institution requires action from you, they’ll ask you to login to your account – not click a link in email. Never click links in email that appears to come from a bank, payment service, credit card company or other financial institution – no matter how authentic it looks. There’s a 99% chance that that email is a phishing email – do not fall for it.
As in life, on the Internet education is key. The more you know, the safer you’ll be – and without wasting money on useless software.