How to hide your secrets

Question: I want to register a shareware program online, using a secure website. Is it really secure to send credit card information? How does one know it is secure? –S.H.

Answer: The secret to Internet shopping security lies at the bottom of an Internet browser. There’s a little icon there that indicates the security status of the web page being browsed.

On Netscape Navigator and Internet Explorer, you’ll see a padlock. If it’s in the locked position the page is secure. (On early versions, you might see a full key (secure) or broken key which meant a site was not secure.)

Before you plow ahead, though, it’s important to understand what “secure” means online. That requires a brief visit into the geek zone. So propellers on, please.

When a web browser connects to a web server, where web sites are stored, text is sent back and forth across the public Internet for everyone to see — if anyone happens to be looking. It’s about as secure as sending a postcard to your Aunt Millie. Anyone who sees it as it travels between Jamaica and Hinton, Alberta, knows instantly that you’re having a fabulous time and that you’re sunburned. That’s fine, but it’s not so great if the card includes information about where your house key is hidden so Aunt Millie can water your plants.

One way to keep information secret is to use encryption to hide the message. In the Internet world you’d encrypt (or scramble) the message using a Netscape invention called SSL or Secure Sockets Layer. That’s a protocol which is built into web browsers and is used to get information unmolested across the Internet. Web pages that require an SSL connection start with https:// instead of http:// so there’s another clue that you have a secure connection. SSL protects your personal data by using electronic keys, one used by the sender and the other by the recipient of the data.

Let’s look at it in real-world terms. Bob has a secret he wants to send to Alice. He puts it in a strong box, locks it with a key, and sends it to Alice. When she receives it she uses a copy of the key to unlock it and get the secret out. That’s a simplified example of what’s called “symmetrical encryption”.

In Internet terms, any data can be encrypted by running it through a mathematical process which is controlled by a key which is an electronic number. In symmetrical encryption, the same key number is used to encrypt (or lock) and decrypt (or unlock) the data at either end of the transaction. If the key number is any number from 0 to 9, it takes 10 guesses to figure out which one was used. If it’s any number between 0 and 999,999,999, it takes a little longer. And that’s the essence of encryption.

With a strong key, the only way to decrypt the ciphertext without the key is by trying all possible keys. This can take a long time. And the longer it takes and the more it costs to hack a code, the less likely a bad guy will bother. There’s a problem with symmetrical encryption, though: How does the sender tell the recipient which number to use to unlock it, without exposing the number to being discovered by a third party? One method is by using public key encryption.

In public key encryption, there are two keys that are created using a similar mathematical process. One is a public key, which can freely be given to anyone who asks. The other is a private key kept secret by the recipient. The public key is used to “lock the box”. The private key is used to “unlock the box”.

Conversely, a secret locked with the private key can only be unlocked with the public key. This is useful because if Bob locks with his private key, when Alice opens the secret with the public key she knows it must have been from Bob because only he has the private key. SSL uses both symmetrical and asymmetrical encryption together, as well as a variety of other technologies, to exchange data between two parties securely.
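The combination described above, modelled at toy scale as an added example (not from the original column, and not SSL's actual algorithms): Bob locks a fresh symmetric key with Alice's public key, encrypts the message with that symmetric key, and signs with his own private key so Alice can tell it came from him. The function names, the small fixed primes and the hash-based stream cipher are assumptions chosen for illustration.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Toy RSA pair from two known primes; real keys use 2048-bit moduli."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def keystream_xor(key: int, data: bytes) -> bytes:
    """Symmetric step: the same key number locks and unlocks (toy cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(8, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def digest_int(data: bytes, n: int) -> int:
    """Hash of the data, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def send(message: bytes, sender_private, recipient_public):
    n_r, e_r = recipient_public
    n_s, d_s = sender_private
    session_key = secrets.randbits(64)            # fresh symmetric key
    wrapped_key = pow(session_key, e_r, n_r)      # locked with recipient's public key
    ciphertext = keystream_xor(session_key, message)
    signature = pow(digest_int(ciphertext, n_s), d_s, n_s)  # sender's private key
    return wrapped_key, ciphertext, signature

def receive(packet, recipient_private, sender_public):
    wrapped_key, ciphertext, signature = packet
    n_s, e_s = sender_public
    n_r, d_r = recipient_private
    # Only the sender's private key could have produced a matching signature.
    if pow(signature, e_s, n_s) != digest_int(ciphertext, n_s):
        raise ValueError("signature check failed: not from the expected sender")
    session_key = pow(wrapped_key, d_r, n_r)      # unlocked with recipient's private key
    return keystream_xor(session_key, ciphertext)

# Constructed keys built from Mersenne primes, far too small for real use.
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**19 - 1)

if __name__ == "__main__":
    packet = send(b"the house key is under the flowerpot", BOB_PRIV, ALICE_PUB)
    print(receive(packet, ALICE_PRIV, BOB_PUB))
```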

The latest browsers use either a 40-bit or 128-bit symmetrical key. Banks require the 128-bit version for online transactions. If you use a browser that supports 40-bit technology and the server at the other end isn’t happy with that level of security, it will refuse the transaction. If a 128-bit key is used for symmetrical encryption, it gives approximately 340,282,266,900,000,000,000,000,000,000,000,000,000 possible keys with which to encrypt the data. Now that’s a huge number!

So is it perfectly safe to send your credit card over the Internet? Sorry, but no. Even with numbers like the big one above, there’s always a risk. The data may safely travel to the vendor’s server, which could then get hacked. Netscape’s own 128-bit technology was hacked by researchers in a shorter time than expected. It was a result of human error. The original implementation was only capable of producing a tiny part of the possible key range. It’s since been fixed.
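Why a key that is 128 bits long can still fall quickly when the generator only covers a tiny part of the key range, as an added example (not from the original column, and not Netscape's actual generator): a hypothetical key generator whose only unpredictable input is a 16-bit seed can emit at most 65,536 distinct keys. The seed size and all function names are assumptions.

```python
import hashlib
import os

SEED_BITS = 16  # assumption: the flawed generator's only unpredictable input

def weak_keygen(seed: int) -> bytes:
    """Hypothetical flawed generator: 128-bit output fully determined by the seed."""
    return hashlib.sha256(b"keygen" + seed.to_bytes(4, "big")).digest()[:16]

def strong_keygen() -> bytes:
    """Key drawn from the operating system's CSPRNG: any 128-bit value is possible."""
    return os.urandom(16)

def reachable_keys(seed_bits: int = SEED_BITS) -> set:
    """Every key the weak generator can ever produce."""
    return {weak_keygen(seed) for seed in range(2 ** seed_bits)}

def guesses_needed(key: bytes, seed_bits: int = SEED_BITS):
    """Guesses to hit `key` by trying seeds in order; None if no seed produces it."""
    for guesses, seed in enumerate(range(2 ** seed_bits), start=1):
        if weak_keygen(seed) == key:
            return guesses
    return None

def audit(key: bytes) -> str:
    """Summarise how exposed a key is to a search over the seed space."""
    n = guesses_needed(key)
    if n is None:
        return f"not among the {2 ** SEED_BITS:,} seed-derived keys"
    return f"found after {n:,} guesses, although the key is 128 bits long"

if __name__ == "__main__":
    print("distinct weak keys:", f"{len(reachable_keys()):,}")
    print("weak key:  ", audit(weak_keygen(40321)))   # constructed sample seed
    print("strong key:", audit(strong_keygen()))
```

The key length sets only the upper bound on the number of guesses; the real bound is the amount of randomness that went into choosing the key.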

The interesting angle on all this security business is that we wonder about Internet credit card security, yet we’re quite happy to call up the local pizza joint and give out our credit card number over the phone, or worse, over an unsecure cordless phone.

So the decision is yours to make. I think the Internet is safe enough, so I use my credit cards across the Internet. I even bought a laptop that way recently.

For those who want more information, look at Webopedia’s great definition and links list.