The Secure Sockets Layer (SSL) is a protocol, originally developed by Netscape, for transmitting information securely across an unsecure network. SSL is the only existing method for sending private information across the Internet that works with the majority of current browsers. SSL provides a technical solution to three distinct security problems: encryption, authentication, and data integrity.
When you enter information into an HTML form and submit it at a Web site, the information is transmitted from your browser to the Web site's server. As the information travels across the Internet, it typically passes through several intermediate connections. In theory, the data entered into the form can be intercepted and read.
The problem of interception is analogous to the situation a general faces when he must send a message containing secret plans across enemy territory. As the messenger travels across the unknown territory, he could be captured, and the enemy could steal and read the secret plans.
The proper solution, for both the general and for the person entering information into the HTML form, is to encrypt the message before it is sent across hostile territory. Even if the message is captured, the privacy of the information is protected, unless, of course, the secret code is cracked.
SSL encrypts information as it passes back and forth between a Web server and Web browser. The information is encoded using a publicly known encryption algorithm and a secret session encryption key. The number of bits in the session key determines the strength of the encryption.
When you installed Internet Information Server, by default, you installed a version of IIS that supports a 40-bit session encryption key. However, you have the option of upgrading IIS to use a stronger 128-bit session encryption key. Although messages encrypted with the 40-bit key have been cracked, messages encrypted with the 128-bit key are considered unbreakable with current technology.
Why not always use the 128-bit key? There are two reasons. First, communicating using a 128-bit key can be significantly slower than using the 40-bit key. The longer the key, the more work the server and browser must perform to encrypt and decrypt the messages passed back and forth.
Furthermore, until recently, legal restrictions were placed on using the longer 128-bit key. In the past, the United States government classified 128-bit SSL as munitions. It therefore was illegal, with certain exceptions, to export any program that supports this stronger encryption outside the United States or Canada. This restriction applied to both Web servers and Web browsers.
Recently, the government has relaxed its position. However, many users still have browsers that do not support 128-bit SSL, especially outside the United States.
Normally, if you install a 128-bit session key on your Web server, the Web server automatically negotiates the highest level of encryption to use for securing communication. If someone opens a connection using a browser with a 40-bit key, your server automatically uses this level of encryption. However, you also can configure IIS to reject browsers that do not support the stronger 128-bit key.
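The negotiation described above can be modeled as follows. This is an added example, not code from the original text or from IIS: the cipher suite names are real SSL 3.0 suites, but the function `negotiate`, the exception `HandshakeRejected`, and the `require_128_bit` parameter are hypothetical names chosen for illustration.

```python
# Constructed subset of SSL 3.0 cipher suites: name -> session key length in bits.
SUITE_KEY_BITS = {
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 40,
    "SSL_RSA_WITH_RC4_128_MD5": 128,
    "SSL_RSA_WITH_RC4_128_SHA": 128,
}

# Constructed sample offers: a server with every suite enabled, a browser
# limited to 40-bit export suites, and a browser that supports all of them.
SERVER_SUITES = list(SUITE_KEY_BITS)
EXPORT_BROWSER = [s for s, bits in SUITE_KEY_BITS.items() if bits == 40]
STRONG_BROWSER = list(SUITE_KEY_BITS)


class HandshakeRejected(Exception):
    """Raised when no cipher suite satisfies both sides and the server policy."""


def negotiate(client_offer, server_suites, require_128_bit=False):
    """Return (suite, key_bits) for the strongest suite both sides support.

    require_128_bit is a hypothetical stand-in for the server setting that
    rejects browsers without 128-bit support.
    """
    shared = [s for s in server_suites
              if s in client_offer and s in SUITE_KEY_BITS]
    if require_128_bit:
        shared = [s for s in shared if SUITE_KEY_BITS[s] >= 128]
    if not shared:
        raise HandshakeRejected("no acceptable cipher suite in common")
    # max() returns the first of equally strong suites, so the server's
    # own ordering breaks ties.
    best = max(shared, key=SUITE_KEY_BITS.get)
    return best, SUITE_KEY_BITS[best]


if __name__ == "__main__":
    print(negotiate(STRONG_BROWSER, SERVER_SUITES))
    print(negotiate(EXPORT_BROWSER, SERVER_SUITES))  # falls back to 40-bit
    try:
        negotiate(EXPORT_BROWSER, SERVER_SUITES, require_128_bit=True)
    except HandshakeRejected as exc:
        print("rejected:", exc)
```

Without the 128-bit requirement, the connection is only as strong as the weakest browser the server is willing to serve.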
If you visit a Web site that appears to be Amazon.com in every way, you might feel safe providing your credit card information to buy a book. However, a clever thief could create a Web site that is indistinguishable from Amazon.com and steal your credit card information.
To return to the example of the general sending a message across enemy territory, imagine that the enemy decides to impersonate the intended recipient of the secret plans. The general and imposter decide on a secret code, and the messenger delivers the message encoded with the secret code. However, the messenger has delivered the secret plans to the imposter.
To prevent one Web site from pretending to be another, you can use SSL to authenticate a Web site. When you install SSL on your Web server, you must install a server certificate. This certificate is used to verify your Web site's identity in much the same way as your driver's license or passport is used to verify your personal identity. A server certificate contains information about your organization, your Web site, and the issuer of the certificate.
To work as a digital ID, a server certificate must be signed by a certificate authority. A certificate authority acts as a trusted third party that verifies the identity of a Web site for its users. Whenever you open a page using SSL, the information from the server certificate is included. For example, using Internet Explorer, you can view the certificate information for the home page of the Microsoft site. Enter http://www.microsoft.com into the address bar of your browser and choose File, then Properties, then click the Certificates button (see Figure 21.1).
Figure 21.1. Viewing certificate information.
Instead of using a third-party certificate authority, you also can issue and sign your own certificates using Microsoft Certificate Services (included with Windows 2000). In other words, you can be your own certificate authority. Being your own certificate authority is valuable when you need to authenticate multiple computers in your organization to members of your organization. However, if your Web site is public, you should use a third-party certificate authority such as Verisign because a server certificate is only as trustworthy as its issuer.
SSL version 3.0 also supports client certificates. Client certificates work in exactly the same way as server certificates except that they are used to authenticate Web browsers rather than Web servers. Both Microsoft Internet Explorer (version 3.0 and higher) and Netscape Navigator (version 3.0 and higher) support client certificates. You can get a client certificate from a certificate authority, or you can use Microsoft Certificate Services to issue your own.
Imagine that a malicious individual decides to alter a message as it is transmitted across the Internet. This individual does not read the message or prevent the message from being transmitted. The message is simply vandalized.
To return to the example of the general, suppose that the messenger successfully delivers the general's secret plans to the intended recipient. Without the messenger's knowledge, however, the secret plans were switched while the messenger was crossing the enemy terrain. The wrong plans have been delivered.
SSL protects the integrity of data as it crosses the Internet. When messages are transmitted with SSL, they include a message authentication code (MAC). This code detects whether a message has been altered. In other words, when you use SSL, you know that the message received is the same as the message sent.
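The following added example, which is not part of the original text, shows how a MAC lets the receiver detect an altered message. It uses HMAC-SHA-256 as a stand-in rather than SSL's own MAC construction, and it includes a record sequence number in the MAC input, as SSL does, so that a reordered or replayed record is also rejected. The key, payload, and the function names `protect`, `verify`, and `accepts` are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes appended to every record


def _tag(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    # The sequence number is packed as a 64-bit big-endian integer and
    # authenticated together with the payload.
    return hmac.new(mac_key, struct.pack(">Q", seq) + payload,
                    hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the MAC to the payload."""
    return payload + _tag(mac_key, seq, payload)


def verify(mac_key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver side: recompute the MAC; return the payload or raise."""
    if len(record) < MAC_LEN:
        raise ValueError("record too short to carry a MAC")
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    # compare_digest runs in constant time, so the comparison does not
    # leak how many leading bytes of the tag were correct.
    if not hmac.compare_digest(tag, _tag(mac_key, seq, payload)):
        raise ValueError("MAC mismatch: record altered or out of sequence")
    return payload


def accepts(mac_key: bytes, seq: int, record: bytes) -> bool:
    """True if the record passes verification for the expected sequence."""
    try:
        verify(mac_key, seq, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-mac-key-32bytes"   # constructed sample key
    record = protect(key, 0, b"amount=25.00&to=bookstore")
    altered = bytearray(record)
    altered[7] ^= 0x01                          # 25.00 becomes 35.00 in transit
    print("original accepted:  ", accepts(key, 0, record))
    print("altered accepted:   ", accepts(key, 0, bytes(altered)))
    print("wrong seq accepted: ", accepts(key, 1, record))
```

The MAC key is a secret shared only by the browser and the server, which is why someone altering the message in transit cannot produce a matching code for the modified payload.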
How Secure Is SSL?
How safe is SSL? Can you use SSL to safely transmit credit card information or private business documents across the Internet? All the major commercial Web sites on the Internet that accept credit card information currently use SSL. For example, Amazon.com has accepted credit card information from more than 4.5 million customers using SSL.
The real answer is that you do not have much choice. If you want to convey private information across the Internet without forcing your Web site's users to download special programs such as Wallets, ActiveX components, or Java applets, you must use SSL. SSL is the only method of sending private information that is supported by the majority of browsers.