Secure Sockets Layer

Secure Sockets Layer allows secure browsing across an unsecured network by encrypting all information sent in both directions. To implement SSL, you must obtain a certificate from a certification authority such as VeriSign because SSL is built on a public-key cryptosystem. You then apply that certificate to the Web server. Once the certificate is applied, you can mark any virtual directory on that Web server as requiring SSL for access.

Figure 22-7 shows the Secure Communications dialog box within the Microsoft Management Console (Internet Information Server), where you can select the Require Secure Channel When Accessing This Resource check box. This check box is grayed out until you install a certificate on your Web server. In fact, if you have not yet installed a certificate and you try to access this dialog box (via the Secure Communications group box on the Directory Security tab of the Default Web Site Properties dialog box), you'll be presented with the Key Manager application. After installing your certificate on IIS, you'll also need to stop and restart the WWW service to have the check box enabled.


Figure 22-7. The Secure Communications dialog box within the Microsoft Management Console (Internet Information Server) showing the Require Secure Channel check box.

If you want to try out Secure Sockets Layer, VeriSign offers a two-week trial certificate that you can obtain from its Web site (at http://www.verisign.com). After you complete a form on that site, VeriSign will send you the free certificate via e-mail. This certificate will allow you to experiment with applying SSL to selected virtual directories on your Web server. Of course, it is intended for trial purposes only and is not for production use. Installing a server-side digital certificate on your Web server is a straightforward process and takes only a couple of minutes.

When you enter a secure area within your site, the padlock icon in the lower right corner of Microsoft Internet Explorer will appear locked. You'll also get a message from the browser that you are entering a secure area. The protocol shown in the URL will also switch from http: to https:, which is known as Secure HTTP, the secure form of the HTTP protocol. The switch to HTTPS is not automatic: you have to change http: to https: in the URLs of the hyperlinks within your Web pages.
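The following is an added example, not code from the book: a small Python audit that finds hyperlinks and form actions which point into SSL-required virtual directories but would still be requested over http:, and proposes the https: form. The directory names, the host www.example.com and the sample page are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed for illustration: virtual directories marked as requiring SSL.
SECURE_DIRS = ("/checkout/", "/account/")
# Attributes that carry a URL the browser will request or post to.
URL_ATTRS = {"a": "href", "form": "action", "frame": "src", "iframe": "src"}


class LinkCollector(HTMLParser):
    """Collect (tag, raw_url) pairs from the URL-bearing attributes above."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def insecure_links(page_url, html, secure_dirs=SECURE_DIRS):
    """Return [(tag, raw_url, fixed_url)] for same-site links into an
    SSL-required directory that would be requested over http:."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.links:
        # Relative links inherit the scheme of the page they appear on.
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme != "http":
            continue  # already https:, or mailto:, javascript:, etc.
        same_site = target.netloc == urlsplit(page_url).netloc
        # Lowercase the path because IIS treats paths case-insensitively.
        if same_site and target.path.lower().startswith(secure_dirs):
            findings.append((tag, raw, target._replace(scheme="https").geturl()))
    return findings


# Constructed sample page, assumed to be served over plain http:.
SAMPLE = """
<a href="/catalog/list.asp">Catalog</a>
<a href="/checkout/cart.asp">Cart</a>
<form action="http://www.example.com/Account/login.asp" method="post"></form>
<a href="https://www.example.com/account/profile.asp">Profile</a>
"""

if __name__ == "__main__":
    for tag, raw, fixed in insecure_links("http://www.example.com/default.htm", SAMPLE):
        print(f"<{tag}> {raw} -> {fixed}")
```

The form action is the finding to fix first: a login form that posts to an http: URL sends its fields unencrypted even though the target directory is meant to be protected.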

For SSL to work, the user's browser must contain the requisite encryption software. Most popular browsers support SSL, including Netscape Navigator and Internet Explorer. Browsers that don't support SSL cannot access an SSL-secured site.

To better understand how the server and a browser engage in an SSL-secured session, imagine the following conversation:

Browser: I'd like to see your default.htm page, please.

Server: I am a secure Web server and will let you look at that page only if you are an SSL-enabled browser—which I see you are. Here is a copy of my certificate issued by a certification authority, so you know that I am the server you are trying to reach. Do you accept it?

Browser: Thank you. I have confirmed that your certificate is valid and was issued by a certification authority that I recognize. I also notice that it has not yet expired. I will encrypt all communications with you and show a special icon to my users so that they know that we'll keep their secrets. I will use the https:// prefix on my requests for pages.

Server: I will also encrypt communications. Anyone who tries to figure out what we're saying to one another will be wasting time.

NOTE
Encryption is a processor-intensive activity. Thus, greater demands are placed on the CPU of both the client and the server when communicating via SSL. Furthermore, by definition the encrypted data appears to be completely random. Data compression works by exploiting discernible patterns in the data. Because encrypted data has no discernible patterns, any communications devices (modems) that rely on data compression to speed throughput will not offer the same high performance that they would with unencrypted data. In other words, SSL can significantly reduce throughput.

Cryptanalysis of the SSL protocol is beyond the scope of this book, but many security experts believe that SSL provides adequate protection for transactions by individuals.

NOTE
Publishing to an SSL-secured Web site via HTTP can be done only using SSL. Visual InterDev 6.0 and FrontPage 98 both support HTTP publishing through a secure SSL channel.



Programming Microsoft Visual InterDev 6.0
ISBN: 1572318147
EAN: 2147483647
Year: 2005
Pages: 143
