Today, online shopping is about as popular as driving to the mall was a few years ago, and registering for a class or seminar is much easier to do online than by telephone. But honestly, don't you always hesitate for a second before you enter your credit card number and personal information? So what's behind that HTTP Secure (HTTPS) connection between your browser and the online site's server? Most likely, the site is using either the Secure Sockets Layer (SSL) protocol or its successor, the Transport Layer Security (TLS) protocol.
SSL was originally developed by Netscape; in 1999 the Internet Engineering Task Force (IETF) standardized its successor as TLS 1.0 in Request for Comments (RFC) 2246. Today, SSL/TLS support comes bundled with many Web servers, such as Microsoft Internet Information Services (IIS). Let's look at some of the hidden traps you might encounter when you configure SSL/TLS for secure Web communications.
How It Works
SSL sits between the application and transport layers of the TCP/IP networking stack and provides security services to a wide range of application-level protocols, such as HTTP for secure Web communications, SMTP for secure mail transfer operations, and Network News Transfer Protocol (NNTP) for secure news operations.
SSL/TLS can provide the following security services:
- Data confidentiality and integrity services—SSL encrypts the traffic exchanged between an SSL-enabled client and server and protects it against tampering with a message authentication code (MAC). Together these are known as channel encryption or secure channel services.
- Server authentication—SSL-enabled applications use an X.509 server certificate to authenticate a server.
- Client authentication—SSL uses an X.509 client certificate to authenticate a client. Client authentication is an optional SSL service and isn't used often because it requires a user to obtain a client certificate.
SSL and TLS combine symmetric cryptography (used for bulk encryption and integrity protection of the session) with asymmetric cryptography (also known as public key cryptography) and X.509 certificates (used for authentication and key establishment). From an operations viewpoint, SSL/TLS is a client-server handshake protocol. An SSL/TLS connection between a browser and a Web server is set up in the following steps:
- A client browser connects to a Web server by using a secure URL (i.e., one that begins with https://).
- The browser and Web server negotiate the cipher suite—the key exchange, authentication, encryption, and integrity algorithms—that will protect the session. The browser offers the suites it supports, and the server selects one of them.
- The Web server sends its server certificate (containing the Web server's public key) to the browser for server authentication. The browser checks that the certificate chains to a certification authority (CA) it trusts, that the current date falls within the certificate's validity period, and that the server name in the certificate matches the host name that was provided in the URL.
- Optionally, if the server requests it, the browser sends the Web server the client certificate (containing the client's public key) for client authentication and proves that it holds the matching private key.
- The browser and Web server establish the symmetric session keys that will be used for SSL channel encryption and integrity protection. Depending on the negotiated cipher suite, the key material is either encrypted with the server's RSA public key or derived with the Diffie-Hellman key agreement protocol.
- The browser and Web server exchange HTTPS data protected by those symmetric session keys. The public keys in the certificates are used only during the handshake, never to encrypt the application data itself.
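The checks the browser performs on the server certificate in the handshake above are the part of the exchange that most often goes wrong in practice, so here is an added example (not code from the original article, and not how IIS or any particular browser implements it) that performs them in Python. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be run against a live server; the certificates below are constructed inline with placeholder names so that everything runs offline. The wildcard rule it applies (a wildcard only as the entire leftmost label) is the common browser behaviour, not something the article states.

```python
"""Checks a TLS client makes on the server certificate before it trusts an
https:// connection.

Added example, not code from the original article. The certificate
dictionaries mirror the shape returned by ssl.SSLSocket.getpeercert() and
are constructed sample data, not real certificates.
"""
import ssl
from datetime import datetime, timezone


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the URL host.

    A wildcard is honoured only as the entire leftmost label and only when at
    least two labels follow it, so "*.example.com" matches "www.example.com"
    but not "a.b.example.com", and "*.com" matches nothing at all.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if the host from the URL appears in the certificate.

    subjectAltName DNS entries are authoritative; the subject commonName is
    consulted only for legacy certificates that carry no DNS SAN at all.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def verify_server_cert(cert: dict, hostname: str, now: datetime) -> list:
    """Return the reasons to reject the certificate (an empty list = accept).

    getpeercert() returns an empty dict when the certificate was never
    validated (verify_mode CERT_NONE), so an empty dict is itself a failure:
    a name check on an unvalidated certificate proves nothing.
    """
    if not cert:
        return ["certificate not validated"]
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now.timestamp() < not_before:
        problems.append("certificate not yet valid")
    if now.timestamp() > not_after:
        problems.append("certificate expired")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


def make_client_context() -> ssl.SSLContext:
    """Client context that makes the TLS stack itself enforce the same
    checks: chain verification to a trusted CA, host name matching, and no
    protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample data in getpeercert() shape; placeholder names only.
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
CN_ONLY_CERT = {  # older certificate with no subjectAltName extension
    "subject": ((("commonName", "legacy.example.com"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2026, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ("www.example.com", "a.shop.example.com", "evil.example.com"):
        print(host, verify_server_cert(SAN_CERT, host, NOW) or "OK")
```

To run the same checks against a real server, wrap a socket with `make_client_context().wrap_socket(sock, server_hostname=host)`; the context then rejects an untrusted chain or a mismatched name during the handshake, and `getpeercert()` on the resulting socket yields a dictionary you can pass to `verify_server_cert` for the validity-period check.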
Setting up SSL/TLS on an IIS 6.0 Web server typically includes the following steps:
- Generating a server certificate request file.
- Generating a server certificate.
- Installing a server certificate on the Web server.
- Configuring SSL on a Web server.
- Optionally, generating, acquiring, and installing client certificates.
- Ensuring that SSL clients trust the CA certificate.
Before you begin setting up SSL/TLS, you might want to familiarize yourself with the process of requesting and generating an SSL/TLS server certificate for your IIS Web server. You can issue a test certificate from your internal Windows Public Key Infrastructure (PKI), that is, a Windows Certificate Services CA, or request a test certificate from a commercial certificate provider such as VeriSign. (To request a test certificate from VeriSign, go to https://www.verisign.com/cgibin/clearsales_cgi/leadgen.htm?form_id=5191&toc=w44740044735191002&ra=156.153.255.126&email=.) Keep in mind that a test certificate from a commercial provider is usually signed by a test CA that browsers don't trust by default, so clients will see a warning unless you also install that CA certificate.