How do we protect your information?
At Better Home Security.com, the security of your personal information is paramount. All transactions are completed using a 128 bit SSL encryption to protect your information from your browser to our server. This is the industry standard used by merchants worldwide. After your SSL encrypted information reaches our secure server, it is immediately re-encrypted using a 1024 bit GPG(GnuPG) key. Your credit card information is never stored on our server, and can only be decrypted by us, with our private key. If you would like more detailed information about SSL and GPG encryption, please read on.
What is SSL?
Short for Secure Sockets Layer, SSL, is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. In order to establish an SSL connection, the SSL protocol requires that a server have a digital certificate installed. A digital certificate is an electronic file that uniquely identifies individuals and servers. Digital certificates allow the client (Web browser) to authenticate the server prior to establishing the SSL session. Typically, digital certificates are signed by an independent and trusted third party to ensure their validity. Our certificate is provided by our host, iPowerWeb, and is issued by Equifax.
Which pages are protected, and how can I tell?
All of our checkout pages and any page on our site that asks for personal information from our customers is protected by SSL encryption. You can verify this by going to our checkout page and looking for the following traits that characterize all pages secured with an SSL certificate:
- The URL of the secure web-pages change from http://... to https://
- A lock symbol appears in the lower left-hand (right hand) status bar in Netscape Navigator (Internet Explorer).
If you would like to view and verify the encryption information of the secure pages...
- In Netscape - click on the lock symbol above and select "View Certificate" button
- In Internet Explorer - double-click on the lock in the lower right-hand status bar.
How safe is the encrypted information?
In theory, one can break any encryption algorithm by exhausting every possible key in a sequence. This brute force method requires vast amounts of computing power as the length of the key increases. For example a 32-bit key takes 2^32 (4294967296) steps. A system with 40 bit keys (e.g. US-exportable version of RC4) takes 2^40 steps - this kind of computing power is available in most universities and even small companies.
As key lengths increase, the number of combinations that must be tried for a brute force attack increase exponentially. For example our 128-bit key would have 2^128 (340,282,366,920,938,368,736,424,720,624,720,032,456) total possible combinations. To theoretically crack the 128-bit IDEA key using brute force one would have to:
- develop a CPU that can test 1 billion IDEA keys per second
- build a parallel machine that consists of one million of these processors
- mass produce them to an extent that everyone can own one hundred of these machines
- network them all together and start working through the 128 bit key space
Assuming ideal performance and no downtime, one should be able to exhaustively search the key-space in over 20,000 years. A common concern amongst many is deciding what key length is secure. There is a metronome for technological progress called Moore's Law which states that; "the number of components that can be packed on a computer chip doubles every 18 months while the price stays the same" . Essentially, this means that computing power per dollar doubles every eighteen months. Using a derivative of this above law one can also say that, if a key length of x is considered safe today, in 18 months the key length would have to be x+1 to keep up to par with the computing power. Recent studies performed by independent scientists have shown that key lengths should be no less than 90-bits long to ensure complete security for the next 20 years.
What is GPG?
GPG or GnuPG is a RFC2440 (OpenPGP) compliant application that uses public and private keys to encrypt/decrypt sensitive information. We use 1024 bit keys. Here is an example of what credit card information looks like when we receive it:
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.7 (GNU/Linux) hQEOA8jNmzDOB50bEAQAkNU/FA4S6K9dmB4p/RHqDEfI3fehzn+KTTkFVxV2YPUt M1XPYroSVCmv6C21Lx6cA8WHb//UuSLQJKaAc+mKdKnsR7XUOHuWkiN50cPSjR6b TFStb3ILeY6NaMgp6KBI538NEDDb1gsyxn0ciQa5/7MONooDbKdX+Xd16LYBdyAi /RSTOMUcnlXVz3mw88TuArh10fhNJUhsTDopj2sdjyjaPe3tqKUU6BII91YPTTBS RanwFXTtlK/pu8+zWxUuytLi0mBqkg16OzGd38bSK9jXwLQWekTlUhGqiK0GuUwV XNjevJCnYK8zrgY+bQJTstGDu6yQ+t3OTyurzqpwmTCPT0n4BN0n2rKuL/mSN2u0 mx4Z1gLUMdgE6Nahe4dG5nXOGZ8WPigvsX8LdmAq+mE//InWcYvFfm6jeyVTYlS6 5UIv+p83V7OThQKNsaxV+Z7RRwohyK2pSttJ3eziHvzlwI5De6acQBJpfohUxDJA KuA2foLZb0E9FHvj4kg4ZSc= =yYIn -----END PGP MESSAGE-----
This encrypted information can only be decrypted with our private key. The private key is kept offline, and is password protected. There is only one person at our company that uses the key to process our orders, and that individual does not have access to the key itself, so security is not compromised. We periodically change our keys as an added precaution.