Lesson 5: Providing Secure Communication

Up to now, we've discussed security as a matter of identifying users and preventing unauthorized users from accessing your Web applications, but it's just as important to ensure that sensitive data sent across the Internet can't be read by others.

To provide secure communication across the Internet, IIS supports a standardized means of encrypting and decrypting Web requests and responses. This cryptography requires that you request an encryption key called a server certificate from an independent third party called a certificate authority.

After this lesson, you will be able to

  • Understand the process of using the Secure Sockets Layer (SSL) in IIS

  • Get a server certificate to enable secure, encrypted communication between your Web application and users

  • Begin secure communication between a user and your Web application

  • End secure communication

  • Require secure communication before users can access a Web form

Estimated lesson time: 20 minutes

Enabling Secure Communication

The Secure Sockets Layer (SSL) is the standard means of ensuring that data sent over the Internet can't be read by others. When a user requests a secure Web page, the server generates an encryption key for the user's session and then encrypts the page's data before sending a response. On the client side, the browser uses that same encryption key to decrypt the requested Web page and to encrypt new requests sent from that page. Figure 8-16 illustrates the process.

Figure 8-16. Secure communication using SSL

Using SSL in your application requires special authorization from a recognized certificate authority. This authorization comes in the form of a server certificate, which you install in IIS to identify your server. The certificate authority licenses server certificates (for a fee) and acts as a clearinghouse to verify your server's identity over the Internet.

When a user's browser begins secure communications, it requests the server certificate and checks it against a list of trusted sites provided by the certificate authority. If the server certificate does not match one of the sites already authorized by the user, or if the server certificate does not match the Web address for which it was registered, or if there are any other problems with the server certificate, the browser displays a warning, as shown in Figure 8-17.

Figure 8-17. Problems with the server certificate

In this way, the certificate authority not only provides encryption for secure data transmission, but it also provides assurance to users that your Web site is authentic. The largest certificate authority is VeriSign. At the time of this writing, in addition to their fee-based services, they also offer free trial certificates for testing and evaluation at http://www.verisign.com.

To use SSL in your Web application, follow these steps:

  1. Generate a certificate request from IIS.

  2. Request a certificate from a certificate authority.

  3. Install the certificate on the server using IIS.

  4. Install the certificate on browsers if you are using a test certificate.

  5. Use the Secure Hypertext Transfer Protocol (HTTPS) when accessing secure pages in your application.

The following sections describe these steps in greater detail.

Generating a Certificate Request

Before you can request a server certificate from a certificate authority, you must generate a certificate request from IIS. The certificate request contains encrypted information about your server that the certificate authority uses to identify your server over the Internet.

To generate a certificate request from the IIS snap-in:

  1. Select Default Web Site in the console tree of the IIS snap-in, and then choose Properties from the Action menu. IIS displays the Default Web Site Properties dialog box.

  2. Click the Directory Security tab in the Properties dialog box, and then click Server Certificate. IIS starts the Web Server Certificate Wizard, as shown in Figure 8-18.

    Figure 8-18. The Web Server Certificate Wizard

  3. Step through the wizard by reading each screen and clicking Next. The wizard instructions are straightforward.

  4. When you click Finish at the end, the wizard creates an encrypted text file with the .cer file extension. That file is the certificate request that you send to the certificate authority.

IIS requires that a certificate be created at the server root before secure communications can be created or configured for subordinate sites on the server. That's why you have to select Default Web Site (or the root Web site if you have renamed it) in step 1. After you have installed a server certificate at the root, you can repeat the process for subordinate sites if you want separate certificates for those sites.

Requesting a Certificate

The process of requesting a server certificate from a certificate authority varies depending on the certificate authority you select. As mentioned earlier, VeriSign provides test certificates at no cost, which suits the purposes of this book very well!

To request a server certificate, follow these steps:

  1. Visit the certificate authority's Web site, and request a server certificate for SSL. The various levels of security and support are typically based on an annual fee.

  2. Select the type of server certificate you want to request, and complete the registration information for the request.

  3. Copy or e-mail the certificate request you created in the preceding section to the certificate authority.

Once approved, the certificate authority will send you the server certificate, usually as part of an e-mail message. Save the certificate as a text file with the .cer file extension by cutting and pasting it into Notepad or some other editor, as shown in Figure 8-19.

Figure 8-19. Saving the server certificate

Installing the Certificate

After you have saved your server certificate, you can install it in IIS to enable SSL for your Web applications.

To install a server certificate in IIS:

  1. Select Default Web Site in the console tree of the IIS snap-in, and then choose Properties from the Action menu. IIS displays the Default Web Site Properties dialog box.

  2. Click the Directory Security tab in the Properties dialog box, and then click Server Certificate. IIS starts the Web Server Certificate Wizard.

  3. Click Next, and select Process The Pending Request And Install The Certificate, as shown in Figure 8-20.

    Figure 8-20. Installing the certificate with the IIS Web Server Certificate Wizard

  4. Click Next, and enter the name of the certificate file, as shown in Figure 8-21. The certificate file is the file you created in the preceding section.

    Figure 8-21. Entering the name of the server certificate file

  5. Click Next, and then click Finish to complete the installation.

Using Secure Communications

After you have installed the server certificate, secure communication is enabled for any Web pages requested through HTTPS. For example, the following hyperlink displays a secure Web page, as shown in Figure 8-22.

<a href="https://www.contoso.com/mscdkit/Secure.aspx">Go to secure page.</a>

Figure 8-22. Secure Web page

The protocol HTTPS is what initializes the secure communication. When you've begun secure communication, it continues until you specify a nonsecure site. For example, clicking the Go Back link on the page shown in Figure 8-22 continues the secure communication because the link uses a relative address, as shown here:

<a href="Default.aspx">Go Back (still secure).</a>

To end secure communication, you need to include http in the URL, as in the following link:

<a href="http://www.contoso.com/mscdkit/Default.aspx"> Go Back (not secure).</a>

IIS lets you require secure communication for specific folders or files in your Web application. This prevents users from accidentally (or intentionally) viewing a secure page using nonsecure HTTP.

To require secure communication for a Web page using IIS, follow these steps:

  1. Select the folder or file that requires secure communication, and then choose Properties from the Action menu. IIS displays the Properties dialog box.

  2. Click the Directory Security tab, and then click Edit in the Secure Communications group. IIS displays the Secure Communications dialog box, as shown in Figure 8-23.

    Figure 8-23. The Secure Communications dialog box

  3. Select the Require Secure Channel (SSL) check box, and click OK.

When you require secure communication for a Web page, that page can't be viewed using HTTP. The user must type in or click a link using https; otherwise, access is denied, as shown in Figure 8-24.

Figure 8-24. Access denied

Because the difference between using http and https is a somewhat obscure distinction for most users to remember, it's important to provide an http entry point for your application that links to the secure (HTTPS) pages. The http entry point can be simply a default page within the Web site that immediately redirects the user to the secure site. Requiring secure communication for an entire Web site is a sure way to cut traffic down to zero!
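
The http entry point described above can be written as a code-behind class like the following. This is an added example, not code from the book: the class name EntryPoint, the helper ToSecureUrl, and the SecureHost constant are hypothetical, and the page is assumed to use AutoEventWireup="true".

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: code-behind for a hypothetical Default.aspx that acts as the
// plain-HTTP entry point and sends visitors on to the HTTPS site.
public class EntryPoint : Page
{
    // Assumption: the host name the server certificate was issued for.
    // A fixed value is used instead of the request's Host header so that a
    // forged header cannot steer the redirect to a different site.
    private const string SecureHost = "www.contoso.com";

    // Builds the HTTPS equivalent of the requested URL, keeping path and query.
    public static string ToSecureUrl(Uri requested)
    {
        UriBuilder secure = new UriBuilder(requested);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Host = SecureHost;
        secure.Port = -1;   // -1 selects the scheme's default port (443)
        return secure.Uri.AbsoluteUri;
    }

    // Assumes AutoEventWireup="true" in the @ Page directive.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
        {
            return;   // already on HTTPS, nothing to do
        }

        // Form data that arrived unencrypted has already crossed the network
        // in the clear, so refuse it instead of forwarding the request.
        if (Request.HttpMethod != "GET" && Request.HttpMethod != "HEAD")
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        Response.Redirect(ToSecureUrl(Request.Url), true);
    }
}
```

The redirect only helps users who arrive over HTTP; the secure pages themselves should still have Require Secure Channel (SSL) selected in IIS so that they are never served unencrypted.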



MCAD(s)MCSD Self-Paced Training Kit(c) Developing Web Applications With Microsoft Visual Basic. Net and Microsoft V[.  .. ]0-315
Year: 2003
Pages: 118