

About 4QD's secure shopping facilities

If you are using Firefox (Netscape), Internet Explorer, or any other browser that knows about certificates, it will complain when you attempt to enter your card details on our secure Web site. You'll see something like this:

Internet Explorer requesting confirmation of trust

This is because certificate-aware browsers require that secure sites be trusted before opening a secure connection. This verification of trust before encrypting data is performed because of a limitation of public-key cryptography. An explanation of public-key encryption is important because it is the fundamental technique from which SSL derives its security.

If you just want to get started, all you need to do is tell your web browser to accept the certificate that is presented. In Internet Explorer, press 'Yes' when asked whether you want to continue; it asks because you haven't yet told your web browser whether to trust 4QD. For Mozilla, the process is very similar; users of Netscape will need to press a few more buttons, but the procedure is in the 'wizard' style and is quite easy to follow.

However, if you're concerned about security, or you place a lot of orders with us online, then you might want to install our root certificate in your web browser, which is the best way of indicating that you trust 4QD. Remember, your web browser is only asking you because you have not yet chosen to trust 4QD, not because you have chosen not to trust us!


Public Key Cryptography

Consider a word-processor that password-protects documents; you use the same password to save (encrypt) the document as you do to open it. This is conventional cryptography. Its weakness is that a person who is encrypting the data must know the password and is therefore able to decrypt it too.

That's a pretty severe weakness -- if you want another person to be able to open that document, you've got to give them the password securely, and if you can do that, why are you wasting your time with the encryption anyway?

Public-key cryptography solves this problem. There are two keys, one public, used for encrypting data, and one secret, used for decrypting data.

It is not feasible (almost to the point of being impossible) to derive one key from the other, and so we could spread our public key far and wide to allow people to encrypt things that we were to receive, while secure in the knowledge that only we held the secret key and therefore only we could decrypt anything someone encrypted using our public key.

That's better, but it also has a weakness that isn't immediately obvious -- key substitution. If you get our public key from someone else (for instance, our www site), you cannot be absolutely certain that it is really ours. Just possibly, someone else could have substituted our key with one of their own. So although you might accept the key as ours, you have no proof of this and the communications would not be 100% secure.

Third-party 'trust'

The solution to this problem is to make sure that the public key you are using to encrypt your data is truly ours; in other words you must trust it. You can either make that decision to trust, or you can have a third party make the decision for you.

We think you'd prefer the former option.

So, before you shop here, you need to trust our public key which we'll send to your browser as soon as you enter secure mode at the checkout. The question you must ask yourself, and tell your browser the answer to, is:

Do I trust that www.4qd.co.uk / zope.4qd.co.uk are Web sites of 4QD, Burwell, Cambridgeshire, and that the public key of zope.4qd.co.uk is genuinely 4QD's?

If you don't - then surely you won't trust our products either!


Trust Providers

There are certain companies and organisations that act as 'trust providers'; examples include VeriSign and Thawte. Your browser already knows about these organisations and automatically 'trusts' any sites that have purchased certificates issued by them.

The purpose of certification of a secure Web site is to positively verify certain key details - e.g. the name of the company you're about to give your credit card details to, their location, and suchlike.

However, VeriSign and Thawte appear to be slightly less than scrupulous about verification of identity. For around $150 or UKP 100, anyone can be in possession of a certificate for a 'secure' Web site, and all of the certificate-aware browsers will automatically 'trust' that web site as a result. However, these 'authorities' appear to do no more than collect money: they give neither you nor us any guarantees about the transaction! They certainly give you no guarantees about the trustworthiness of the company taking your money!

We would prefer for you to make the decision as to whether you trust us with your details yourself. This is why we have signed our own certificates; the certificate for the Web site is signed with our root certificate.

If you import our root certificate into your browser after examining it, you are indicating your trust and this will enable your browser to use our secure shopping cart.

If you want to go ahead and import the certificate, you will find some instructions on how to do this if you are using Internet Explorer; we have no particular love of Microsoft, but in view of the fact that at least 80% of people browsing our Web site are likely to be using IE it seemed that the tutorial should cover that particular browser. The steps for Netscape and Opera are in fact very similar, but if you have difficulty, please contact us and we will do our best to assist you.

Similarly, if you feel uncomfortable about importing the certificate because you do not feel that you can trust its authenticity, we will continue to accept orders by e-mail for the foreseeable future.


Secure Browsers

Before you start, please note that:

Users of Internet Explorer 3 must upgrade their browsers; this may also apply to Netscape 2. The reason for this is that IE v3 will not allow you to import our root certificate: all the certificates IE is aware of were supplied with it and it is not possible to import any more! This also means that many VeriSign/Thawte sites are now no longer accessible, since root certificates tend to be re-issued every two years or so, and those present in IE v3 have now expired.

Users of 'export' browsers: you will be restricted to 40-bit SSL, which offers very poor security. At present you will be able to use our Web site if you import our root certificate, but it is likely that we will deny access to all users using 'export' browsers shortly.

These restrictions arose as a result of munitions controls; until fairly recently strong cryptography could not be exported from the US except to Canada; US-originated strong cryptographic products imported into Canada could not then be re-exported.

These export restrictions were recently relaxed; users of MSIE v5 and many versions of Netscape (v3 and above) may upgrade their browsers easily.

Users of Netscape should visit http://www.fortify.net/ to upgrade to 'domestic' (128-bit) cryptography.

Users of IE: http://www.microsoft.com/windows/ie/default.htm.


Importing the root certificate

First download the root certificate. If prompted, you want to open it, not save it.

A window will appear showing the certificate. It will look exactly like the image below.

Root certificate

You can click the 'Details' tab to further inspect it.

When you want to import it, click 'Install Certificate'. You'll then be presented with the 'import wizard', which looks like this:

Certificate import wizard

Click 'Next', and you'll be asked to select a place to store the imported certificate.

Selecting the certificate store

You should use the store that Windows suggests; make sure that the 'Automatically select' option is chosen, and press Next. You'll then be asked to confirm your choice of certificate store:

Completion of import process

Press 'Finish' to finalise the import of the certificate. You'll be asked to confirm that you want to trust the certificate:

Confirmation of trust

You should press 'Yes', and you will then see a message box indicating that the root certificate was successfully imported:

Successful importation of root certificate

When using the Web site, you won't actually establish an SSL-secured session until you come to check out and to enter your credit card details: this is because SSL is computationally intensive, and there is no real need to protect your order contents, only the actual payment details.

When you click OK on the first checkout page shown below, you will switch to SSL mode.

You will notice that the 'http' in the current address bar has changed to 'https', and, more importantly, there is a padlock or some other symbol of security.

A secure session (128-bit key size)

Hovering your mouse pointer over this icon/symbol may indicate the key size that your browser is using as a tool-tip.

As explained above, 40-bit keys do not offer an appropriate degree of security. You should upgrade your browser and check after the upgrade that your key size is 128 bits; if you continue to only negotiate 40-bit SSL secured connections you should contact us for help. Netscape will display the key size in use if you click on the padlock and then choose 'View page information'.

When you check out using 128-bit cryptography your card details are highly secure; however, we must see them at some point to process your order, and so they are then e-mailed to us in encrypted form.

We use GnuPG to encrypt the payment details just before sending the e-mail: GnuPG provides highly-secure e-mail using techniques very similar to SSL; we are happy to provide full details on request, but you may find some answers to any questions you might have on http://www.gnupg.org/.

Once you've installed the root certificate, the site's certificate will automatically be trusted, because it's signed by the root certificate (which you now trust). So if you were to inspect the site's certificate, by double-clicking the padlock icon, you would see this:

SSL site certificate

As you can see, it's trusted because the root certificate is trusted:

Automatic trust (when the root is trusted)
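
The chain of trust described above, and the key-substitution risk it rests on, can be reproduced with the openssl command-line tool. This is an added example, not 4QD's own procedure or certificates: the 'Example Shop' names, the shop.example host and every key are generated locally for the demonstration, and a plain file stands in for the browser's certificate store.

```shell
# Added example: every key, certificate and name below is generated locally
# (hypothetical "Example Shop"); none of it is 4QD's.
set -eu
d=$(mktemp -d)

# Minimal config so that a generated root is marked as a CA.
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# gen_root PREFIX COMMON_NAME: self-signed root (secret key + certificate).
gen_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$d/ca.cnf" -subj "/O=Example Shop/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# issue_site PREFIX: site certificate signed with that root's secret key.
issue_site() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=shop.example" -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
    -set_serial 2 -days 30 -sha256 -out "$d/site.pem" 2>/dev/null
}

# trusted STORE: exit 0 only if site.pem chains to a root held in STORE.
trusted() { openssl verify -CAfile "$1" "$d/site.pem" >/dev/null 2>&1; }

# fingerprint PREFIX: the value to compare with one obtained out of band.
fingerprint() { openssl x509 -in "$d/$1.pem" -noout -fingerprint -sha256; }
subject() { openssl x509 -in "$d/$1.pem" -noout -subject; }

gen_root builtin "Builtin Trust Provider"  # stands in for roots shipped with a browser
gen_root shop    "Example Shop Root CA"    # the shop's own root
gen_root swapped "Example Shop Root CA"    # same name, different key pair
issue_site shop

cp "$d/builtin.pem" "$d/store.pem"         # store before the import
trusted "$d/store.pem" && echo "before import: trusted" || echo "before import: warning"
cat "$d/shop.pem" >> "$d/store.pem"        # import the shop's root
trusted "$d/store.pem" && echo "after import: trusted" || echo "after import: warning"
subject shop; fingerprint shop; subject swapped; fingerprint swapped
```

The two roots print the same subject but different fingerprints, so the name shown in a certificate window is not evidence of whose key it holds; the fingerprint compared against one received by a separate channel is.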

We're also happy to accept PGP- and GnuPG-encrypted orders directly by e-mail, and if you contact us we will supply the appropriate public key.




Page Information


Document URI: www.4qd.co.uk/ssl/index.html
Last modified: Friday, 06-Jul-2007 07:49:52 BST
First published 2nd August, 2001.
Page design by Richard Torrens.
©4QD 2001-2002 4QD