From SSL to PKI: dejargoning digital security

Jun 28, 2021, 08:38 AM by Riaan De Villiers
In today's blog post, we will explain some SSL / TLS and other digital security concepts.

by Katekani Hlabathi

The technology behind digital security has been developing as fast as any tech out there. It's just that most users don't understand how it works.

Technology has been a boon for humankind. The quality of life, business, healthcare and networking has improved, thanks to tech efficiencies. But it has also brought anxieties about security. How do people and industries that rely on the five senses (touch, smell, taste, sight and sound) secure something that is in the ether? Considering that most users are interested in keeping their data private and secure, the article will focus on the terms they may come across.

Encryption takes data and scrambles it into an unreadable format, called ciphertext. It protects confidential data both while it is stored in a system and while it is being transferred. To access the data, a user must decrypt it back into a readable format using the encryption key.

An encryption key is the secret value that an encryption algorithm uses to scramble data and to unscramble it back into a readable format. There are two types of encryption systems: symmetric and asymmetric. Symmetric encryption uses a single key to both scramble and unscramble data. In contrast, asymmetric encryption uses a public key (available to all users) to encrypt the data and a private key (held by only one user) to decrypt it.

Encryption is a tactic that civilisations have used to hide information for millennia. Although the concept is not new, the digital security techniques are very advanced. If you encrypt your data, only users with a key can read it; others will only see scrambled letters and numbers that make no sense.

Encryption is a fundamental practice in digital security. You must encrypt all data to keep it safe. Whether you store it on servers or in the cloud, or it is in transit, regulators around the world insist that data be encrypted.

Digital security is vital for industries that handle personal data, particularly finance and healthcare. Encryption is just the latest effort in keeping sensitive data safe. Although finance and healthcare industry players may face more onerous regulations, new laws such as POPI and GDPR require all businesses that collect data or connect to the internet to keep that data secure.

Secure Sockets Layer (SSL) is a protocol used to establish authenticated and encrypted links between networked computers by encrypting data in transit. It keeps an internet connection between two systems secure, and it protects the sensitive data sent between the two systems. In addition, it prevents bad actors from reading or modifying the data. The two systems can be server and client (like when a shopping website talks to your browser) or server to server.

Transport Layer Security (TLS) is the protocol that succeeds SSL. It performs better and is more secure. Most SSL certificates sold today use the TLS protocol even though they have SSL in the name.

HyperText Transfer Protocol Secure (HTTPS): HTTP (HyperText Transfer Protocol) is the set of rules the internet uses to transfer files such as text, images, sound, video and other multimedia. When those rules are layered on top of the SSL or TLS protocol, the result is HyperText Transfer Protocol Secure (HTTPS). Websites that use HTTPS show a green padlock in the URL bar to indicate that the connection to them is secure.

One of the biggest fears for internet users is exchanging data with an entity that isn't who it says it is. So naturally, most people would rather walk into a bank's physical branch than use its online services. That is because creating an online profile and exchanging transaction information over the internet with an insurance or healthcare provider carries personal risk. Not to mention the liability that any institution will face if its data is compromised.

That's where SSL certificates come in. They assure the user that the website is who it claims to be. They also protect the information exchanged between the user and the website. SSL certificates can also be used within an organisation to secure communication between staff members or with third-party business partners.

SSL certificates were standard for highly data-sensitive industries but are now a requirement for all online businesses because:

  • No consumer wants to interact with an unsafe website
  • Companies that don't take security seriously will be seen as a risk by other companies and
  • Regulators don't accept excuses for lax data security.

Certificate Authority or Certification Authority (CA) is the entity that issues digital certificates; LAWtrust is one such CA.

Root Certificate is a digital certificate that belongs to the issuing Certificate Authority. Most browsers have these pre-installed in a "trust store", and globally there are only a handful of them in the market.

Intermediate Certificates are the link between root certificates and the server certificates issued to the public. There will always be one or more intermediate certificates in a certificate chain.

Server Certificate is issued to the specific domain the user wants to cover. This is the one you would get for your website.

Chain Certificate or Chain of Trust is a string of related certificates starting from a server's certificate and ending with the root certificate. It links the SSL certificate you hold, through the intermediates, to a trusted certificate authority. A certificate gains trust through this traceability.
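As an added illustration of the chain of trust (example code written for this post, not code from LAWtrust or from the original article), the Go program below builds a throwaway root, intermediate and server certificate, then runs the check a browser performs: once with the intermediate supplied and once with it missing. All names are constructed.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "fmt"
import "math/big"
import "time"

// mkCert issues a certificate for cn, signed with the parent's key; a nil parent means self-signed (a root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		DNSNames: []string{cn}, // only meaningful on the server certificate; harmless on the CAs
	}
	if parent == nil { parent, pkey = tmpl, key } // root: issuer and subject are the same certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain is a browser's check in miniature: does leaf chain through inter (nil = not sent) to root, for host?
func verifyChain(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // roots plays the role of the browser's trust store
	roots.AddCert(root)
	if inter != nil { inters.AddCert(inter) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// ChainResults builds root -> intermediate -> server, then verifies the server certificate with the
// full chain and again with the intermediate missing (a common server misconfiguration).
func ChainResults() (full, noInter bool) {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("www.example.com", false, inter, interKey)
	full = verifyChain(leaf, inter, root, "www.example.com")
	noInter = verifyChain(leaf, nil, root, "www.example.com")
	return
}

func main() {
	fmt.Println(ChainResults()) // true false
}
```

The second result is false because the browser cannot trace the server certificate back to the root without the intermediate, which is why the server must send the whole chain.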

Public Key Infrastructure (PKI) is the framework that manages public-key encryption, certification, policies and distribution. With all the encryption and certification going on, computers need a public repository and framework to make sense of it all; that's what the PKI is.

Banks and financial institutions (retail banks, corporate banks, credit unions, credit banks, securities traders, insurance providers, trust companies and asset managers) are obligated to use an Extended Validation (EV) SSL certificate. It is an effective tool to minimise phishing scams and online fraud. Only approved CAs, such as LAWtrust, can issue EV SSL certificates. Verification for an EV SSL certificate is a rigorous and globally standardised process that proves exclusive rights to a domain along with the organisation's legal, physical and operational existence.

Healthcare providers similarly need to use an EV SSL certificate. The doctor-patient relationship is one of trust; patients are at their most vulnerable and share private information. Regulations protect personal health information, and healthcare websites must defend it. For example, a contact form usually has a field listing the reason for an appointment, symptoms and concerns about a potential illness.