FAQ: Security

Please select from one of the following:

1. What are secure pages?
2. What is HTTPS and SSL?
3. What do the different bits mean?
4. How to activate secure pages?
5. How can I tell that secure pages are being used?
6. Why not force secure connections?
7. I get a "Certificate has expired" message. What do I do?
8. Who provides ECSI's certificate?
9. Can I independently verify ECSI's certificate?
10. How safe is the information on ECSI's site?
11. How safe is sending electronic mail?
12. Is all this security necessary?
13. Additional Information

1. What are secure pages?

   Secure pages provide a mechanism to encrypt the communications between your browser and our web server. This makes it very difficult for someone to intercept and read your communications.

2. What is HTTPS and SSL?

   HTTP is the communications protocol that a browser and a web server use to exchange information. HTTPS is the secure version of that protocol using Secure Sockets Layer (SSL). The details are less important than knowing that if you see HTTPS in the web address, you are requesting a secure connection. Just because you request a secure connection, one does not have to be provided by the web server. You should read How can I tell that secure pages are being used? to ensure that the connection is secure.

3. What do the different bits mean?

   In brief, the higher the number of bits the more secure the connection. Each additional bit makes it exponentially harder to decipher your communications. 40-bits is generally the lowest level of encryption supported by modern browsers. 40-bits has been proven to be too insecure for financial transaction as it can be quickly decoded. 128-bits is the highest level of encryption supported by modern browsers. 128-bits is so time consuming to break that it is considered safe for financial transaction. Recently, U.S. Export Laws have changed and there is a new 56-bit encryption available to some users. While substantially safer than 40-bits, it is by no means as secure as 128-bits. We encourage you, if at all possible, to upgrade your browser to support 128-bit encryption.

4. How to activate secure pages?

   The site's Table of Contents (the frame on the left) offers the borrower two choices for entering the borrower section of our web site. Selecting Secure will active secure access to all pages in the borrower site. Everything, including documents, will be encrypted for transmission. A second method is available at the bottom of the Table of Contents. There are two lock symbols, one open and one closed. The open one implies an unsecured connection. The closed one will activate security for the entire site -- all frames and all documents. None of this discussion applies to pages outside the ECSI site (e.g., Department of Education or other external links).

5. How can I tell that secure pages are being used?

   Most browsers display a symbol to denote pages are viewed over a secure connection. Internet Explorer and Netscape display a lock in the bottom of the browser window (frame). You can verify that a page is secure by double-clicking on the lock icon. It will display the certificate information for the page you are viewing. You can also verify that a page is secure by right-clicking on the page and selecting Properties which will show the strength of the connection (40-bits, 56-bits or 128-bits). Finally, you can verify your browser's security level independently at the Fortify Project Website

6. Why not force secure connections?

   Many people do not have the latest browser or equipment. To download a new browser may require several hours connected to the Internet and a lot of disk space which they may not have available. If at all possible, we encourage all users to access our borrower section using a high-security (128-bit) version of their browser. For those who cannot, we offer the unsecured version of the borrower section.

7. I get a "Certificate has expired" message. What do I do?

   ECSI's certificate is renewed every February. There is a known issue with older browsers.

8. Who provides ECSI's certificate?

   ECSI has an Equifax Secure Global eBusiness CA-1 security certificate from Equifax Secure Inc.

9. Can I independently verify ECSI's certificate?

   Almost all modern browsers have the ability to display the details of a web site's security certificate without going to the certificate issuer's website. For example, in Microsoft Internet Explorer 6, the browser displays an icon of a padlock in the status bar of the browser window when you visit a secure web site. By double-clicking on the padlock icon, IE6 will display the details of the web site's security certificate. In Firefox 1.5, the same information is accessible by double-clicking on the padlock icon in the status bar of the browser window (the icon is also displayed at the end of the address bar), then clicking on the the "View" button in the window that appears.

10. How safe is the information on ECSI's site?

    Our technical staff has taken every possible precaution to ensure the data that ECSI retains is as secure as possible. Our production systems and data are stored on equipment completely isolated from the Internet. No banking or payment information is ever stored in a human-readable form on our web servers to minimize our exposure to "hacker attacks" Using every facility of our web server's software and operating system, we attempt to use every means available to prevent the unauthorized access to information. Should our security measures be breached, the data that is contained on our web servers is encrypted with military-grade encryption (448-bits) making it nearly impossible to decipher. ECSI routinely performs internal security audits and periodically invites an outside vendor to audit our data processing facilitates.

11. How safe is electronic mail?

    Electronic mail (Email) is generally not a secure technology. Because of the design of the Internet, Email messages may travel on several different paths to get to its destination. While that makes it a challenge to intercept a particular communication, it also leaves several points where someone could read a message. ECSI has taken every precaution to prevent unauthorized access to our electronic mail server but cannot ensure the privacy of communications outside our facilities. We recommend that you use one of the web facilities that we provide to ensure the highest level of security.

12. Is all this security necessary?

    ECSI is wants to provide our clients and their borrowers an environment in which they feel safe and comfortable when interacting with us electronically. We are strongly committed to maintaining the privacy of our visitors, as demonstrated in our Borrower Privacy Statement. Finally, part of our mission statement is "...to responsibly provide the finest service with the best technology possible." This goal obligates us to take every precaution possible to safeguard your data.

13. Additional Resources
    • Netscape has published a very good explanation of SSL at https://home.netscape.com/security/techbriefs/ssl.html.
    • Microsoft offers their own security site at https://www.microsoft.com/security/new.asp
    • Most browser vendors publish a list of security problems and fixes which enable you to prevent security leaks before you get caught. See: Netscape, Microsoft. If your vendor is not listed, please consult their site.