SSL Quick Help Guide:

What is SSL?

SSL is an extension for Internet protocols that allows a secure channel to be opened between two computers. Most often you will hear about HTTPS, the Web extension based on SSL. When a web site uses SSL extensions to secure transactions between your web browser and a web server, information passed to and from the server is encrypted. This prevents criminals from snooping on your web session, making sure important information (like credit card numbers) does not get into the wrong hands. This is, of course, very important for online sales and bank transactions, and even though the referring site may also offer the choice of using non-SSL, unsecured forms, you should upgrade your web browser (AOL users - download Netscape!) or download the latest version of Microsoft Explorer or Netscape Navigator.
What is the difference between 40bit and 128bit browsers?

In short, the 128bit version is more secure; in fact, it is unbreakable by current computers (it would take thousands of years to break a 128bit encrypted message even if all the computers in the world worked together). However, since SSL technology in general and both Microsoft Explorer and Netscape Navigator were developed in the USA, under current U.S. law products using advanced encryption technology (higher than a 40bit encryption key) cannot be exported outside the United States (except to Canada). Browsers with 40bit SSL support, while a little faster at encryption and decryption, have a problem: 40bit encrypted messages can be broken. Thus, if you are a citizen or permanent resident of the United States or a citizen of Canada, you should obtain the more secure 128bit version of your browser.
Note: If you are using Windows NT Workstation or Server 4.0, you should contact Microsoft to obtain the 128bit version of ServicePack3, because Windows NT has a built-in security subsystem, which browsers use instead of their built-in functions.
How to set up SSL for your Web Site?

If you own or administer a web server, SSL setup will depend on what web server software and operating system you are using. Most major web servers, such as Apache, Netscape FastTrack Server or Microsoft Information Server, either already come SSL ready or have SSL extensions. Enabling SSL is different for each server, so we will only cover the major topics here:
- The SSL Web Protocol (HTTPS), like most other public encryption algorithms, uses a two-part key: one part is private, which you keep hidden on the server; the other part is used to create a request for an SSL certificate. This request is then sent to a Certification Authority, which can then issue you a permanent (for one year) certificate. How to create this key depends on your server software, but it will usually be an operation like "Create New Certificate Request".
- After the Certificate Authority company receives and processes your request, it creates an SSL certificate for your server. This certificate also incorporates their special key, usually called the CA signature. A browser will then check this signature against a special root CA certificate for that Certificate Authority, which the browser has in its database; thus it is necessary for a web user to first download the server's certificate to his or her browser's database before it is possible to view this site. Some browsers, like Netscape, will allow you to proceed without downloading a server's root CA certificate but will give you a warning each time you access that site.
- Browsers usually come with a number of root CA certificates for several certificate authorities, but so far the only Certificate Authority common to both Netscape Navigator and Microsoft Explorer is the SSLCA.
- Many SSL web servers also come with, or can be extended with, the ability to run your own certificate services. If you are a large corporation that plans to use SSL for an Intranet, you should consider this solution and designate one server as the CA server for your entire company. The other alternative is so-called self-signed SSL certificates, but they are very limited; for example, Microsoft Explorer cannot use them.
- After you have received a signed SSL certificate from your Certificate Authority (or created a self-signed certificate), you can use it in combination with your private key to provide SSL security for your web site. The particular setup depends on your server, but it is usually very similar to creating a virtual domain or a separate web server on a different port (in fact, your SSL server, https, will use port 443). Most web servers allow you to run both http and https servers as the same service (task, process). This is OK if only a small portion of the web site uses SSL security; however, if most of your site is accessed using SSL, you should configure two separate server processes for http and https.
- When you have finished configuring the SSL server and have verified that SSL is indeed working, you will need to change all references to the portion of the site you wish to have protected by SSL, so that http reference URLs become https. Also make sure that all browsers in your organization are upgraded to a version that supports SSL and https URLs.
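
The steps above, carried through with the openssl command-line tool as an added example (not part of the original guide): a company CA server issues a certificate for an intranet web server, and the result is checked the way a browser holding the root CA certificate would check it. The organization and host names, the file names and the 2048-bit RSA key size are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. All names (Example Corp, www.intranet.example) are constructed.

# issue_and_verify DIR: run the whole request/sign/verify flow inside DIR.
# Prints "verified" when the server certificate chains to the root CA.
issue_and_verify() {
    (
        cd "$1" || exit 1

        # Company CA server: root key plus self-signed root CA certificate.
        # ca.crt is what gets loaded into every browser's database.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/O=Example Corp/CN=Example Intranet CA" \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 1

        # Web server: private key (never leaves the server) and the
        # certificate request that is sent to the CA.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=Example Corp/CN=www.intranet.example" \
            -keyout server.key -out server.csr 2>/dev/null || exit 1
        chmod 600 ca.key server.key

        # CA: sign the request, producing a certificate valid for one year.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -out server.crt 2>/dev/null || exit 1

        # Client-side check: is the CA signature on server.crt valid
        # under the root CA certificate?
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
        echo verified
    )
}

# key_matches_cert DIR: prints "match" when server.key is the private half
# of the public key in server.crt; check this before installing the pair.
key_matches_cert() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ] && echo match || echo mismatch
}
```

Current browsers additionally require a subjectAltName entry in the server certificate, which this minimal flow omits.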