 |
Security Policy
Our web site is protected using a Server ID or "digital
certificate". The electronic equivalent of a business license, they are
issued by a Certification Authority (CA) - in our case: Thawte.
This trusted third party is set up to (in effect) vouch for our identity.
Before issuing our certificate, Thawte reviewed our credentials
to ensure the organisation is who we claim to be. Thawte then issued our organisation
with a Server ID or digital certificate, which is an electronic credential that
we can then present to our web site visitors to prove our identity or right
to access information.
How Digital Certificates Work
In physical transactions, identification, authenticity and privacy are ensured with physical marks, such as seals or signatures. In electronic transactions, the "seal" must be coded into the information, itself. If the "seal" is present and has not been broken, the recipient knows who sent the message and that it was not altered in transit. To create this "seal", Thawte uses advanced cryptography.
Single key cryptography is the way that most secret messages have been sent over the centuries. A unique code (or key) is used for both encrypting and decrypting messages.
It works something like this. Suppose Bob has one secret key. If Alice wants to send Bob a secret message:
Bob sends Alice a copy of his secret key
Alice encrypts a message with Bob's secret key
Bob decrypts the message with his secret key.
This method has several problems:
-
Bob must find a secure method of getting his secret key to Alice. If the key is intercepted, all of Bob's communications are compromised.
Bob needs to trust Alice. If Alice is a double agent, she
may give Bob's secret key to his enemies. Or, she may read Bob's other private messages or even imitate Bob.
If you have an organisation with people who need to exchange secret messages, you will either need to have thousands (if not millions) of secret keys, or you will need to rely on a smaller number of keys, which opens the door to compromise.
Thawte Secure Server ID technology uses the more advanced public-key cryptography - a matched pair of keys that uniquely complement each another. When a message is encrypted by one key, only the other key can decrypt it.
Of this key pair, we store the "private key" on our server - nobody else has access to it.
You will receive a matching "public key". When you want to communicate with us privately, encrypt it first. Only we can decrypt the information with our private key, and vice versa.
The Thawte Secure Server ID technology establishes a secure channel between our server and your browser. You can communicate securely using Netscape Navigator, Microsoft Internet Explorer, or most popular e-mail programs.
This ensures:
- Authentication- You can check our Thawte Secure Server ID, to verify
that the web site belongs to us, and not an impostor.
- Message privacy - Each time you enter secure information, our server
will provide you with a session key. You can decode this with your
public key. Each session key is used only once, during a single session
with a single customer. These layers of protection make sure that information
cannot be viewed if it is intercepted by unauthorised parties.
- Message integrity- When a message is sent, the sending and receiving
computers each generate a code based on the message content. If even a single
character in the message content is altered, the receiving computer will generate
a different code, and then alert the recipient that the message is not legitimate.
With message integrity, both parties involved in the transaction know that
what they're seeing is exactly what the other party sent.
All information courtesy of Verisign
|
