Gerald R. Clough
Comparing and Contrasting SSL and SET
Since a discussion of these two Internet-based e-commerce security features is somewhat technical in nature, I found that presenting expert views on each technology's strong points would be preferable to an exercise in rearranging their words in order to “write” a paper. It is my hope that I can analyze some issues and lead the reader through a brief but informative comparison between two of the major electronic payment alternatives used in e-commerce today. Another part of the discussion is which of the two systems has the most potential to be the system of “tomorrow.”
Definition: SSL (Secure Sockets Layer) is a security technology that improves the safety of Internet communications. SSL is a standard for encrypted client/server communication between network devices: it gives the two ends confidentiality and integrity for data in transit and, through the server's certificate, lets the client verify whom it is talking to. A network protocol, SSL runs on top of TCP/IP (Transmission Control Protocol/Internet Protocol, which provides connectivity across diverse environments; see Bidgoli, p. 292). Web sites commonly use SSL to guard private information such as credit card numbers. (SSL has since been superseded by TLS, which keeps the same basic design; the original SSL protocol versions are now deprecated.) See: http://compnetworking.about.com/library/glossary/bldef-ssl.htm
According to Bidgoli: “All the major web server vendors, including Microsoft and Netscape support SSL.” (At page 208.)
Secure Sockets Layer (SSL), developed by Netscape Communications Corporation, is a standard that encrypts data between a Web browser and a Web server. See: http://www.setco.org/glossary.htm
Bidgoli writes that the SSL protocol provides us with a “relatively secure method to encrypt data.” (Page 208.) How secure is SSL? An About.com page makes the following points about the strength of SSL encryption:
“… SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the ‘session key.’ Netscape Communicator 4.0 enables users to encrypt transactions in 128-bit sessions, trillions of times stronger than 40-bit sessions. Global companies that require international transactions over the web can use the global server certificates program to offer strong encryption to their customers.” See: http://compnetworking.about.com/gi/dynamic/offsite.htm?site=http%3A%2F%2Fhome.netscape.com%2Fsecurity%2Ftechbriefs%2Fssl.html
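As an added illustration of the point in the quotation (my own example, not part of the paper or of the cited page): RC4 was the stream cipher behind the SSL “export” cipher suites, and the only difference between a 40-bit and a 128-bit session is the length of the secret key, so the work an attacker needs to recover a session key doubles with every added bit. The script below recovers a short (12-bit) RC4 key by brute force against a known plaintext, using the fact that the first bytes of an HTTP request are predictable, and extrapolates the measured time to 40 and 128 bits. The HTTP request, the key size and the function names are constructed for the demonstration. Note that RC4 itself is considered broken today regardless of key length (RFC 7465 prohibits it in TLS); the point here is only the key-length scaling.

```python
import time
from typing import Optional

# Added example: brute force of a short RC4 session key against a known
# plaintext, to show why the "40-bit" export strength mattered.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling algorithm followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(secret: int, key_bytes: int = 5) -> bytes:
    """Encode an integer secret as a 40-bit (5-byte) RC4 key, high bits zero."""
    return secret.to_bytes(key_bytes, "big")


def brute_force(ciphertext: bytes, known_prefix: bytes, secret_bits: int) -> Optional[bytes]:
    """Try every secret_bits-bit key until decrypting the first bytes of the
    ciphertext yields the known plaintext prefix (e.g. the HTTP request line)."""
    head = ciphertext[: len(known_prefix)]
    for candidate in range(1 << secret_bits):
        key = session_key(candidate)
        if rc4(key, head) == known_prefix:
            return key
    return None


def extrapolate_seconds(measured: float, measured_bits: int, target_bits: int) -> float:
    """Brute-force cost doubles per key bit: scale measured time by 2**delta."""
    return measured * 2.0 ** (target_bits - measured_bits)


def demo(secret: int = 0xABC, secret_bits: int = 12) -> dict:
    """Encrypt a constructed checkout request under a short key, recover the
    key by brute force, and report the measured and extrapolated effort."""
    assert secret < (1 << secret_bits)
    key = session_key(secret)
    # Constructed sample traffic: an HTTP POST carrying a card number.
    request = (b"POST /checkout HTTP/1.0\r\nHost: shop.example\r\n\r\n"
               b"card=4111111111111111&amount=19.99")
    ciphertext = rc4(key, request)
    t0 = time.perf_counter()
    found = brute_force(ciphertext, request[:8], secret_bits)
    elapsed = time.perf_counter() - t0
    return {
        "recovered": found == key,
        "plaintext": rc4(found, ciphertext) if found else None,
        "seconds_measured": elapsed,
        "est_seconds_40_bit": extrapolate_seconds(elapsed, secret_bits, 40),
        "est_seconds_128_bit": extrapolate_seconds(elapsed, secret_bits, 128),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 12-bit search finishes in well under a second on any machine; multiplying that by 2^28 gives the 40-bit figure (days on a 1990s desktop, seconds on a modern GPU cluster), while the 128-bit estimate is astronomically beyond any brute force, which is the "trillions of times stronger" claim in numbers.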
SSL is built into all major browsers and web servers, so a merchant enables it simply by installing a digital certificate (with its matching private key) on the server; the browser then checks that the certificate chains to a certificate authority it already trusts and that the certificate's name matches the site. This makes SSL easy for a business to adopt at the outset. One caveat a practitioner should keep in mind: SSL protects the card number only while it is in transit. Once the connection is decrypted at the server, the merchant holds the card number in the clear, which is precisely the gap SET was designed to close. These are the sorts of market advantages that develop when a protocol like SSL is invented by, and has the support of, major software vendors like Microsoft and Netscape rather than “conventional” credit-extending companies such as Visa and MasterCard.
The SET (Secure Electronic Transaction) protocol is an open industry standard developed for the secure transmission of payment information over the Internet and other electronic networks. SET has the strong support of two major-league credit card companies, Visa and MasterCard (see Bidgoli at 212). SET is the more secure protocol by design: it authenticates cardholder, merchant and payment gateway to one another with certificates, and it is built so that the merchant never sees the card number. With this added security, however, come added complexity and cost, since every participant, not just the server, needs a certificate and SET-capable software. Examining diagrams that illustrate the nature of the transactions, one can see that SET is rather intricate, with the transaction verified at several points (at least three) rather than once. This is in addition to the initial safeguard: the issuance of a “certificate” that enables a party to place orders in a highly secure and, if needed, anonymous environment. This business-enabling certificate has been described by one website as:
A special kind of digitally signed data structure that contains information about a public key and the owner of the public key. In SET, a certificate is a public key that has been digitally signed by a trusted authority (usually the cardholder's financial institution) to identify the user of the public key. SET defines the following certificate types: signature, key encipherment, certificate signature, and CRL signature. See: http://www.setco.org/glossary.html
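To make concrete how SET lets a cardholder place an order while keeping the card details away from the merchant (the “anonymous environment” mentioned above), here is an added example of SET's dual-signature construction. It is my own illustration, not code from the paper or from the SET specification: the cardholder hashes the order information (OI) and the payment instructions (PI), signs the hash of the two hashes, and each party receives only its own half in the clear plus the other half's hash, yet both can verify that the two halves belong to the same purchase. The textbook (unpadded) RSA key generated inline, the OI and PI strings, and the function names are assumptions for the demonstration; in SET the signing key is the one bound by the cardholder certificate described in the glossary entry, and the PI is additionally encrypted to the payment gateway so the merchant cannot read it.

```python
import hashlib
import random

# Added example: SET-style dual signature with textbook RSA (no padding),
# keys generated inline so the script runs offline. Demonstration only.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). A 512-bit modulus is for speed, not security."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rsa_sign(priv, digest: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(pub, digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def dual_sign(priv, oi: bytes, pi: bytes):
    """Cardholder: DS = Sign(H(H(OI) || H(PI))). Returns (H(OI), H(PI), DS)."""
    h_oi, h_pi = sha256(oi), sha256(pi)
    return h_oi, h_pi, rsa_sign(priv, sha256(h_oi + h_pi))


def merchant_verify(pub, oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant receives OI in the clear and only the hash of the PI."""
    return rsa_verify(pub, sha256(sha256(oi) + h_pi), ds)


def bank_verify(pub, pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway receives PI in the clear and only the hash of the OI."""
    return rsa_verify(pub, sha256(h_oi + sha256(pi)), ds)


def demo() -> dict:
    """Sign a constructed order, then show that each side verifies its own
    half and that tampering with either half is detected."""
    pub, priv = rsa_keygen()
    oi = b"order=42;item=widget;amount=19.99;merchant=shop.example"  # constructed
    pi = b"pan=4111111111111111;exp=12/03;amount=19.99"              # constructed
    h_oi, h_pi, ds = dual_sign(priv, oi, pi)
    return {
        "merchant_ok": merchant_verify(pub, oi, h_pi, ds),
        "bank_ok": bank_verify(pub, pi, h_oi, ds),
        "tampered_order_rejected": not merchant_verify(pub, oi.replace(b"19.99", b"1.99"), h_pi, ds),
        "swapped_payment_rejected": not bank_verify(pub, pi.replace(b"19.99", b"199.99"), h_oi, ds),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant never handles the card number (it gets only H(PI)) and the bank never sees what was bought (it gets only H(OI)), yet a merchant who altered the price, or a bank presented with a substituted payment instruction, would find the dual signature no longer verifies. This is the "double check" at the heart of SET that an SSL session alone does not give.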
The process of certification has been described by the same website as:
The process of ascertaining that a set of requirements or criteria has been fulfilled and attesting to that fact to others, usually with some written instrument. A system that has been inspected and evaluated as fully compliant with the SET protocol by duly authorized parties and process would be said to have been certified compliant. See: http://www.setco.org/glossary.html
In the end, what we have is a comparison between an old standby that performs adequately, is relatively easy to use and is widely accepted (SSL) and a possibly up-and-coming protocol that certainly offers more protections, but at a cost (SET). I have no personal knowledge of either system, but my hunch is that the system of the future is probably the SET protocol. I believe the major reasons for the marketplace's eventual decision to go with SET will be the faster settlement times (see the early money transfer in Bidgoli's diagram on page 211) and the earlier, stronger assurances regarding order integrity. SET will become the industry standard because of its back-and-forth, double-check security measures and the fact that it transfers money early in the transaction process.