Web Connectivity

The Internet allows users to connect to millions of sources of information, services, products, and other functionality through what has come to be known as the World Wide Web (or simply, the Web). Business transactions, membership information, vendor/client communications, and even distributed business logic transactions can all occur using the basic connectivity of the Web, which uses the Hypertext Transport Protocol (HTTP) on TCP port 80.

Chapter 5 deals with the vulnerabilities of many Web-based technologies. In this chapter, we focus only on the protocols SSL, TLS, and HTTPS, which are used to secure basic communications with a Web server.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) protocol communications occur between the HTTP (Application) and TCP (Transport) layers of Internet communications. SSL establishes a stateful connection negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session. SSL communicates using an asymmetric key with a cipher strength of 40 or 128 bits.

Transport Layer Security (TLS)

Another asymmetric key encapsulation, currently considered the successor to SSL transport, is the Transport Layer Security (TLS) protocol, which is based on Netscape's Secure Sockets Layer 3.0 (SSL3) transport protocol. TLS provides encryption using stronger methods, such as the Data Encryption Standard (DES), or it may be used without encryption altogether, if desired, for authentication only.

TLS has two layers of operation:

  • TLS Record Protocol: This protocol allows the client and server to communicate using some form of encryption algorithm or without encryption if desired.

  • TLS Handshake Protocol: This protocol allows the client and server to authenticate one another and exchange encryption keys to be used during the session.

Note: SSL transport and TLS transport are similar but not entirely interoperable.
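
The two layers described above, seen on the wire, as an added example that is not from the book: a Python parser that separates the Record Protocol header from the Handshake Protocol ClientHello it carries and lists the cipher suites the client offers, flagging those with keys shorter than 128 bits. The sample bytes are constructed, the function names are this example's own, and the suite table is a small subset of the registered values.

```python
import struct

# Values from the TLS specifications / IANA registry; the 128-bit threshold follows the text.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {  # suite id -> (name, symmetric key bits)
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
}

def parse_client_hello(data: bytes) -> dict:
    """Split one record into its Record Protocol header and the ClientHello inside."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record body")
    if ctype != 22 or len(body) < 4 or body[0] != 1:  # handshake record, ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]              # skip version(2), random(32), session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len == 0 or cs_len % 2:
        raise ValueError("bad cipher_suites field")
    ids = struct.unpack("!%dH" % (cs_len // 2), raw)
    offered = [SUITES.get(i, ("unknown_0x%04X" % i, None)) for i in ids]
    return {
        "content_type": CONTENT_TYPES[ctype],
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": VERSIONS.get(int.from_bytes(hello[:2], "big"), "unknown"),
        "offered": [name for name, _ in offered],
        "weak": [name for name, bits in offered if bits is not None and bits < 128],
    }

def build_sample() -> bytes:
    """Constructed ClientHello (not captured traffic): TLS 1.0, empty session id."""
    suites = struct.pack("!4H", 0x002F, 0x0005, 0x0009, 0x0003)
    hello = struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
    hello += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```

Key length is the only criterion this example applies; suites not in the table are reported as unknown and are not classified.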


Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)

Basic Web connectivity using HTTP occurs over TCP port 80. An alternative to this involves the use of SSL transport protocols operating on port 443. To differentiate it from a call to port 80 (http://servername/, where servername is the name of your server), HTTP over SSL makes calls on port 443 and uses HTTPS as the URL port designator (https://servername/).

HTTPS was created by the Netscape Corporation and originally used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and Web server, although it can also support the use of X.509 digital certificates to allow the user to authenticate the sender. Now, 128-bit encryption keys are available, which have become the accepted level of secure connectivity for online banking and electronic commerce transactions.



Security+ Exam Cram 2 (Exam SYO-101)
Security+ Certification Exam Cram 2 (Exam Cram SYO-101)
ISBN: 0789729105
EAN: 2147483647
Year: 2005
Pages: 162
