Encryption is the process of performing a computational transformation on data so that only privileged people may access it. Encryption is vital to safely transfer privileged information like credit card numbers across the Internet.
Public Key Encryption can be likened to a padlock. Alice provides Bob with a padlock to which only Alice has the key. When Bob wants to send data to Alice, he puts data into a sealed box and clicks the padlock shut. Nobody can unlock the box except Alice, not even Bob! When Alice wants to send data back to Bob, she must use the padlock which Bob has provided.
In fact the key and the padlock in our analogy are equivalent and are both called keys. The padlock is the public key and the key corresponds to a private key.
In fact, a side effect of the encryption scheme is that if Alice encrypts something with her private key, anybody can decrypt it with the public key and this proves that Alice wrote it. This is called signing and is also useful.
An equally important part of the encryption puzzle is authentication. Authentication is necessary to guarantee that the public key belongs to Alice. If authentication were not taken seriously, Mallory could pretend to be Alice and the encryption would be worthless as Bob might unknowingly send him the data anyway.
SSL is an encryption protocol which provides an encrypted link between two computers. HTTPS (HTTP over SSL) is a way of securing a web browsing session so that information passed between the server and the person viewing the page is kept private. This is important for passing order information like credit card numbers to e-commerce sites. Note that this does not make any guarantees about what happens to this data when it is received by the other party. Authentication for SSL is provided by server certificates. A Certification Authority must certify that the server is who it says it is. We will obtain a certificate for you as part of our development service, but additional charges will apply.
Email can also be encrypted, although the software to do so is not ubiquitous. To decrypt email on your PC, you can purchase and download a copy of PGP Desktop. The cost is around £35. Some free options are available - notably you can use the Enigmail plugin for the Mozilla Thunderbird email client. Note that if you fail to keep a copy of your private key and the original is lost, any email encrypted to that key will be totally inaccessible and there is nothing that can be done to retrieve it.
In certain situations, our software must be signed. This is so that users know who wrote it. Code signing is required when we wish to provide code which will run on visitors' computers. This reduces the incidence of malicious software being run on visitors' computers, because if someone were to write malicious code, people would know who wrote it and would be able to take legal action, etc.
Code signing requires a code-signing certificate from a Certification Authority. We can use our own certificate for this purpose, but a few cautious visitors may opt not to accept code signed by us, as it is not our site they are visiting! It is at your discretion whether we will obtain a certificate for you should this situation arise.
Our software encrypts the credit card information with public key encryption if it is stored on our server. You decrypt it whenever you access it by providing your passphrase. This is to protect the information should hackers breach the security of our server. The same caveats apply as with email encryption: should you lose the passphrase, the credit card information will be rendered inaccessible. However we keep certain contact details of those placing orders unencrypted, so it will be possible for you to reconstruct the data.
