I don’t want to freak you completely out, but I can most likely read your email. Well, not from here, but if you’re on an unsecured WiFi connection, I can run a little program that can “sniff” the bits of data you’re sending over the network, and reassemble them into whatever it is you just sent. Email is not encrypted usually, so I don’t need to be the NSA to grab it out of thin air. This is why you should never send sensitive data over email, and NEVER send anything sensitive over an unsecured network.
Most of the web, and mobile applications, work exactly the same way as email. Data flying through the air can be plucked out by a savvy 15 year old who wants your credit card number to buy beer and a new MacBook Pro (or whatever it is that 15-year-olds want to buy… I honestly have no idea…) As a result, you want to make sure that if there is anything sensitive about your site or app’s data, it’s encrypted. In fact, it’s not a bad idea to just encrypt everything sometimes, just to be safe.
So what is encryption? And how do you encrypt your data? Well the simplest way is with an SSL certificate. This is a small computer file that contains an association between a company or person and a cryptographic key. This key is basically a part of a really big math problem that has been removed from the rest of the math problem, and stored on your computer or server. So, like a key in a lock (or a little like a decoder ring), when the key is entered into the math problem, it should solve to the correct answer. These pairs of keys and locks are so big that they’re basically impossible to solve. If you can now imagine you’ve opened a door on your side, and another door on the side of the world, you have an encrypted corridor between the two… also called a secure connection.
You’ve all seen evidence of them – that little lock in the corner of your screen when you’re checking out of an online store? Well at least hopefully it’s there. That lock is the symbol your browser (IE, Firefox, Chrome, Safari, etc) uses to tell you that there is a secure connection in place, using a “issuer” that they recognize. An issuer is basically just a company that sells SSL certificates to software developers like us.
SSL certificates are not difficult to make. I can generate one on my Mac in half a second, and it’s impossible to crack. So why do I have to buy one? Well, that is contentious topic, but the answer comes down to trust. I can create my own SSL certificate, install it on a web server, and then process credit cards through it, and it would be as secure as a $100 per year certificate from a top issuer. But the problem is that your web browser is not going to have heard of “The Great Sourcetoad SSL of Tampa Florida” – and so they’re going to take the attitude that we are a crazed bunch of hackers, out to steal your credit card so we can buy beer and MacBook Pros (so maybe we do have something in common with the 15-year-olds).
The issuers (companies like Thawte, VeriSign, GeoTrust, and Comodo) took their certificates to Microsoft, Google, Apple, and Firefox and asked them to “sign” their certificates. Basically giving them the OK so that their browsers didn’t throw up “Untrusted Connection” errors every time they were used. These companies also insure their certificates as well, which is nice. These insurance policies are in the case that your system gets hacked, and the breach was due to the hacker breaking the encryption on the certificate. I’ve personally never heard of this happening, nor could I find any articles about it happening (granted I only spent a few minutes looking, but still.) This is because hackers normally aren’t going to even try to take on a system at the strongest point of security, but will try and find some other way to get in. And considering that SSL certificates cost anywhere from $50 a year to $1,500 per year, it’s a good business to be in.
The three main types of SSL certificates are Standard, EV, and Wildcard certificates. Standard certificates give you that little lock in the corner of your screen and are associate with a single domain name. So https://sourcetoad.com would be $30, and https://clients.sourcetoad.com would be another $30. Sometimes these certificates will throw in the www for free, but for some that’s extra.
Wildcard certificates are the same as standard certificates, but they allow you to use the certificate on any subdomain you like. So $150 would allow you to do https://sourcetoad.com, https://clients.sourcetoad.com, and https://kittens.sourcetoad.com (which would be awesome!)
Finally, EV certificates are like standard certificates, but they make that lock in the top corner go green… and that’s pretty much about it. Here is an example from Thawte:
These certificate look cooler and cost a lot more money. Usually over $150 a year or more. They come with better insurance (which you’ll never need anyway) and they do have some slightly newer technology in them. They are also a bit more difficult to get. You have to send in some forms, and someone from the issuer calls you on the phone and makes you promise you’re a good person, but that’s about it. They do look really cool though.