The Internet Guys logo

By Jim Gerland and Mark Winer

Check out our bi-weekly Net perspective. Our goal is to make these columns useful for our readers whether they be novice or pro, while still offering a fun to read column. Feel free to let us know what Internet resources you find useful in your personal, educational, or business life - it might just end up in one of our columns!


Privacy for Your Internet Electronic Commerce
September 24, 1998

We have always been of the opinion that using your credit card over the Internet to buy stuff was safe. We still have that onion but now we add a few caveats. You should make sure you're dealing with a trusted vendor on the other end of your Internet connection. Buying software from the Micro Warehouse, www.microwarehouse.com , clothing from L.L. Bean, www.llbean.com , or books from Amazon.com, amazon.com, is safe in so far as they all use Secure Sockets Layer (SSL) on their web servers to encrypt your information before it leaves the machine your web browsing is running on to travel over the Internet to their machine where it is then decrypted, stored, and verified. There are many web sites out there, though, they do not use SSL. Those are the vendors you should hesitate to provide your credit card information for over the web. A good place to learn more about SSL is Yahoo! in their Internet Security section. Visit yahoo.com and do a search on SSL. An excellent "white paper" called "Securing Your Web Site for Business" can be found on the Verisign, Inc. site, www.verisign.com/whitepaper_24/ .

Unfortunately, just because a web site uses SSL does not guarantee that your information is secure. You may be getting a false level of comfort. Many vendors on the web who use SSL to encrypt your information don't continue the encryption process through to the end of the transaction. Once they get your encrypted information from your web browser down to their machine and decrypt it they then proceed to email it to some address without encrypting the mail message. This often happens when the vendor your dealing with is not running their own web server but, instead, is renting web space and services from a larger web hosting service provider. So, the actually processing of your order happens at the vendor's office and you information needs to travel from the secure hosting site to the vendors supply site via email.

Not all vendors are this insecure though. More and more businesses who want to participate in electronic commerce are turning towards their web hosting providers and asking that they install software, such as PGP, to encrypt the mail messages between their site and the host where their web store is located. PGP (Pretty Good Privacy), web.mit.edu/network/pgp.html, is a high security software application that allows you to exchange encrypted email messages with a high level of privacy and certainty that the person sending you the message is who they claim to be. This is know as authentication. Free versions of PGP are available at the above site for non-commercial use. If you want to use PGP in your electronic commerce or communications
you should visit www.pgp.com  for information.

There's been a number of articles lately in the newspapers and magazines about encryption and the length of the key used to encrypt the message. Within the United States vendors can use and distribute keys up to 128 bytes long. The longer the key, the more secure the encryption will be. US law limits the keys that vendors can ship outside the US to 32 bytes. Congress is currently considering raising this limit to 50 bytes. Most electronic commerce experts don't believe even 50 bytes is a secure enough key.

PGP works much like a safe deposit box at your bank. There are 2 keys necessary to "open" a PGP-encrypted email message. When you want to send a PGP message to someone you encrypt your message with their "public" key and then send them the message. Since it is encrypted it is secure as it travels over the Internet. Even if someone else intercepts your message (the odds are probably over a million-to-one) they will not be able to decrypt it because it can only be decrypted by the person you're sending that message do with their "private" key. People who want to exchange PGP message register their "public" keys with an Internet site such as BAL's PGP Public Key Server, pgp.ai.mit.edu, and then people who want to email them an encrypted can have their PGP software connect with that server, get their "public" key, encrypt the message, and send it on it's merry, secure, way. A good tutorial on PGP can be found at w3.tyenet.com/pgp/pgp.tutorial.html, the Privacy for the Masses web site.

PGP not only provides a secure way to communicate over the Internet, it also provides a way to authenticate a message. Using a "public" key that has been authenticated allows you to get a copy of their key that has been "signed" so you can have a high level of comfort that the person you are dealing with is indeed the person you think they are (and who they say they are). For more information about "signed" key check out the Thawte Digital Certificate web site, www.thawte.com.

We hope you found this brief introduction to secure Internet communications interesting. Please let us know any comments you might have or and topics you'd like to see us cover in future columns. You can email us, ig@internet-guys.com, or fax us, (716) 853-1350 and let us know what's happening on the Internet in WNY or any computing related activities you're involved with.