
E-Commerce Security

Dr. Ramdas Sonawane


Head,
Department of Statistics & Computer Applications,
Ness Wadia College of Commerce, Pune
Security cautions in E-Commerce
• Enforce strong passwords
• Educate customer service staff
• Use the latest version of the E-Commerce platform
• Use HTTPS hosting
• Keep everything up to date
• Monitor site analytics
Public key

• A public key is created in public-key cryptography, which uses asymmetric-key
encryption algorithms.
• Public keys are used to convert a message into an unreadable format.
• Decryption is carried out using a different, but matching, private key.
• Public and private keys are paired to enable secure communication.
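As an added illustration (not from the original slides) of the pairing described above: anyone holding the public key can encrypt, but only the matching private key decrypts, and an unrelated private key fails. It uses Go's standard library; the key pairs and the sample message are constructed here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates a 2048-bit RSA key pair; the public half can be handed
// to anyone, the private half stays with its owner.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt needs only the recipient's PUBLIC key (RSA-OAEP with SHA-256).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt needs the matching PRIVATE key; any other key fails the OAEP check.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	shop, _ := NewKeyPair()            // the shopping site's key pair (constructed)
	other, _ := NewKeyPair()           // an unrelated key pair, for contrast (constructed)
	msg := []byte("card ending 4242") // constructed sample message
	ct, _ := Encrypt(&shop.PublicKey, msg)
	fmt.Printf("ciphertext is %d unreadable bytes\n", len(ct))
	pt, _ := Decrypt(shop, ct)
	fmt.Printf("matching private key recovers: %q\n", pt)
	if _, err := Decrypt(other, ct); err != nil {
		fmt.Println("non-matching private key:", err)
	}
}
```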
Public key infrastructure

• A public key infrastructure (PKI) is a set of roles, policies, hardware, software
and procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public-key encryption.
• The purpose of a PKI is to facilitate the secure electronic transfer of information for
a range of network activities such as e-commerce, internet banking and confidential
email. It is required for activities where simple passwords are an inadequate
authentication method and more rigorous proof is required to confirm the identity
of the parties involved in the communication and to validate the information being
transferred.
• In cryptography, a PKI is an arrangement that binds public keys with the respective
identities of entities (such as people and organizations). The binding is established
through a process of registration and issuance of certificates at and by a
certificate authority (CA). Depending on the assurance level of the binding,
this may be carried out by an automated process or under human supervision.
When done over a network, this requires using a secure certificate enrolment or
certificate management protocol such as CMP.
• The PKI role that may be delegated by a CA to assure valid and correct registration
is called a registration authority (RA). Basically, an RA is responsible for
accepting requests for digital certificates and authenticating the entity making the
request.
• An entity must be uniquely identifiable within each CA domain on the basis of
information about that entity. A third-party validation authority (VA) can provide
this entity information on behalf of the CA.
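An added example, not part of the original slides, of the binding a CA performs: a self-signed root issues a certificate for a site's public key, and Verify applies the checks a browser makes (chain to a trusted root, expected name, validity period at a given time). NewKey, Issue and Verify are hypothetical helper names built on Go's standard crypto/x509 package; the names and validity periods used are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey creates the key pair an entity (the CA or a web site) owns.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue is the issuance step: the signer's key binds `name` to the public key
// pub in a certificate valid until notAfter. With parent == nil the result is
// self-signed, which is how a root CA certificate is made.
func Issue(parent *x509.Certificate, signer *ecdsa.PrivateKey, name string,
	pub *ecdsa.PublicKey, isCA bool, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign // only a CA may sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // the host name browsers match against
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the browser-side check: cert must chain to the trusted root, carry
// the expected DNS name and be inside its validity period at time `at`.
func Verify(cert, root *x509.Certificate, dnsName string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: at})
	return err
}
```

Passing a later `at` to Verify reproduces what a visitor sees once a certificate has expired: the same certificate that verified before now fails.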
Firewall
• Firewalls are systems that are put in place to provide network security. They filter
all network traffic, both in and out, based on rules defined by the user. They
reduce and, in some cases, eliminate unwanted communications in the network,
while at the same time allowing genuine communication and information to flow
in and out freely.
• Firewalls are essential for any business. They work to prevent attackers from
gaining malicious access to your servers and data.
Types of firewalls
Packet-Filtering Firewalls
This is the oldest firewall type. Packet-filtering firewalls create checkpoints at
individual routers or switches. They check the headers of the data packets that try to
come through, without inspecting the contents. If a packet looks suspicious, it is not
allowed into the network. This is a simple firewall that does not impact network
performance much.
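An added example (not from the slides) of header-only packet filtering in Go: each rule looks at direction, protocol, source network and destination port, never at the payload; the first matching rule decides, and anything no rule matches falls to a default-deny. Packet, Rule, Filter and the addresses in ShopPolicy are constructed for this example.

```go
package main

import "net/netip"

// Packet holds the header fields a packet filter inspects; the payload is never read.
type Packet struct {
	Inbound bool   // true for traffic arriving from the internet
	Proto   string // "tcp" or "udp"
	Src     string // source IP address in text form
	DstPort uint16
}
// Rule is one line of the administrator's policy; an empty Proto or a zero DstPort matches anything.
type Rule struct {
	Inbound bool
	Proto   string
	Src     netip.Prefix
	DstPort uint16
	Allow   bool
}

func (r Rule) matches(p Packet) bool {
	src, err := netip.ParseAddr(p.Src)
	return err == nil && r.Inbound == p.Inbound && (r.Proto == "" || r.Proto == p.Proto) &&
		r.Src.Contains(src) && (r.DstPort == 0 || r.DstPort == p.DstPort)
}
// Filter evaluates rules top to bottom: the first match decides; DefaultAllow
// covers packets no rule matches, so it should normally be false (default deny).
type Filter struct {
	Rules        []Rule
	DefaultAllow bool
}
// Decide reports whether the packet may pass the checkpoint.
func (f Filter) Decide(p Packet) bool {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return f.DefaultAllow
}
// ShopPolicy is a constructed policy for an e-commerce web server: HTTPS from
// anywhere, SSH only from the office network, all outbound allowed; everything
// else (including any IPv6 traffic, which 0.0.0.0/0 does not cover) is denied.
func ShopPolicy() Filter {
	anywhere := netip.MustParsePrefix("0.0.0.0/0")
	office := netip.MustParsePrefix("203.0.113.0/24") // constructed office range
	return Filter{DefaultAllow: false, Rules: []Rule{
		{Inbound: true, Proto: "tcp", Src: anywhere, DstPort: 443, Allow: true},
		{Inbound: true, Proto: "tcp", Src: office, DstPort: 22, Allow: true},
		{Inbound: false, Src: anywhere, Allow: true},
	}}
}
```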
Circuit-Level Gateways
Circuit-level gateways are much like packet-filtering firewalls in that they quickly and
easily check and approve or deny traffic, and they do it without being heavy on resources.
Circuit-level gateways work by verifying the Transmission Control Protocol (TCP)
handshake. They do not inspect the packet itself, so there is a risk of malware getting
through. These are not the best option for protecting your business.
Application-Level Gateways
If you want firewalls that operate at the application layer to filter traffic, proxy
firewalls do the job. These are cloud-based most of the time; they establish the traffic
connection themselves and examine the data packets coming through. The drawback is that
they can slow the network down because of all the extra steps, but that is the price of
security for your business.
SSL
• SSL stands for Secure Sockets Layer and, in short, it is the standard technology for
keeping an internet connection secure and safeguarding any sensitive data that is
being sent between two systems, preventing criminals from reading or modifying
any information transferred, including potential personal details. The two systems
can be a server and a client (for example, a shopping website and a browser) or server
to server (for example, an application with personally identifiable information or with
payroll information).
• It does this by making sure that any data transferred between users and sites, or
between two systems, remains unreadable to anyone else. It uses encryption algorithms to
scramble data in transit, preventing hackers from reading it as it is sent over the
connection. This information could be anything sensitive or personal, including
credit card numbers and other financial information, names and addresses.
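An added Go example, not from the slides, of the two sides of what SSL (today its successor, TLS) gives a shop: an HTTPS server with a self-signed test certificate, and a browser-like client that only exchanges data once the server's certificate chains to a root it trusts. NewShop, TrustStoreFor and Fetch are hypothetical names built on Go's net/http/httptest and crypto/tls; the checkout handler is constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewShop starts an HTTPS server with a self-signed test certificate and a
// constructed checkout handler; it stands in for the shopping web site.
func NewShop() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "order accepted")
	}))
}

// TrustStoreFor returns a trust store holding only the shop's certificate, the
// role a CA's root certificate plays in a real browser.
func TrustStoreFor(shop *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(shop.Certificate())
	return pool
}

// Fetch is the browser side: it connects over TLS, verifies the server's
// certificate against roots (nil means the system roots) and returns the body
// together with the negotiated TLS version.
func Fetch(url string, roots *x509.CertPool) (string, uint16, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", 0, err // e.g. "certificate signed by unknown authority"
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), resp.TLS.Version, err
}

func main() {
	shop := NewShop()
	defer shop.Close()
	body, ver, err := Fetch(shop.URL, TrustStoreFor(shop))
	fmt.Printf("trusted root:   body=%q tls=0x%04x err=%v\n", body, ver, err)
	_, _, err = Fetch(shop.URL, nil)
	fmt.Println("system roots:  ", err) // the self-signed test certificate is not trusted
}
```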
Advantages of SSL
• Security
The major goal of an SSL certificate is to encrypt information so that it can only be read by
the intended recipients. Information that passes through the internet has a high chance
of falling into the hands of third parties. Because SSL encrypts the data, it appears as
random characters: even if intruders manage to acquire this information, they
will not be able to understand it. This makes SSL ideal for protecting sensitive
information such as user IDs, passwords and credit card numbers.
• Authentication
As mentioned earlier, data travels through multiple parties on the internet and therefore has
a greater tendency to be accessed by unintended third parties. SSL ensures that whatever
information is present on your site reaches the correct server. To achieve this, SSL
uses a protection known as the server certificate. The server certificate shows that the
SSL certificate provider is trusted, acting as an intermediary between browsers and
SSL servers.
• Reliability
Whenever an SSL certificate is used on a site, it provides verification. Hence, when visitors
come to the site, they get a sense of trust that the site is legitimate and not fake. Generally an
SSL-authenticated site will show a green lock in the address bar. This lock indicates that the
site has taken security measures and is reliable enough to make transactions on.
• Prevent Phishing
Occasionally users might receive phishing emails (often in the form of advertisements or
shipping confirmations) that link to another site. The sole purpose of these sites is to
gather sensitive information such as credit card details. However, it is nearly impossible
for these sites to obtain an authentic SSL certificate. When visitors don't notice an SSL
certificate, they will probably not enter any confidential information.
• Online Payments
The payment card industry requires sites to have an SSL certificate with at least 128-bit
encryption to accept payments. Without a proper SSL certificate, sites will not be able to
accept credit card payments.
• Software Requirements
SSL does not require the installation of client software. The only thing required is a
connection to the internet through a standard web browser. Thus, the cost of software
purchase, maintenance and management can be saved significantly. This benefits
both small and large organizations.
• SEO
Recently Google announced that having an SSL certificate is one of the factors that
boost search engine rankings. The algorithm is made in such a way that sites with an SSL
certificate rank higher in Search Engine Result Pages (SERPs). Almost all the sites that
rank high in Google possess an SSL certificate.
• Data Integrity
Without an SSL certificate, a website is more vulnerable to man-in-the-middle attacks.
Using an SSL certificate means that the site benefits from data integrity. All the data
stored on the online servers is well protected from external threats.
Disadvantages of SSL
• Performance
When an SSL certificate is used on a site, the speed of transactions is drastically
reduced. This happens because data must be encrypted and decrypted before it can be
used. However, this slowdown will only be noticeable on websites that have a
large number of visitors.
• Cost
Purchasing and setting up an SSL certificate can be quite expensive. This is mainly due to
the maintenance involved and the verification process. Some hosting
companies offer free SSL certificates, but these are not normally recommended for various
reasons. The cost varies with the type of certificate (the level of identity
verification and how many domains and subdomains the certificate is going to cover).
• Expiry
SSL certificates need to be renewed periodically. If a certificate is not renewed in time,
a warning message appears stating that the SSL certificate has expired, which means
that the site is no longer considered secure. Hence, customers can lose trust in conducting
transactions.
• Caching
Encrypted content can cause caching problems if the proxy caching system that is set
up on the web browser is complex. To handle the encryption, a server has to be
added that takes care of the encryption before traffic reaches the caching server. Hence, all
visitor data remains encrypted while visitors are on the site.
• Protocol Complications
If the SSL certificate is not implemented properly, files that should be served over
HTTPS may be served over HTTP. The visitors then see a warning message
stating that their data is not protected.
• Application Support
In its initial stages, SSL was only meant to support web-based applications. Anything other
than that requires purchasing modules from application vendors. Additionally, the setup
process is not easy, and it also requires changes to in-house software.
