Secure Sockets Layer


As explained earlier, it’s not difficult for malicious people to intercept and read the packets that make up the requests and responses between a browser and your Web server. A fundamental security measure, therefore, is to secure the data transmission for your application. The most common way to protect a data transmission is to use SSL (secure sockets layer). When SSL is used, all communication between browser and Web site is encrypted; if hackers intercept a packet on the way, they won’t be able to understand its contents. There are a number of advantages to using SSL:

  • Very easy to implement: You can enable SSL by installing a certificate and configuring the Web site’s virtual directory.

  • Supported by all major browsers: SSL is a common standard; it’s supported by Netscape Navigator, Microsoft Internet Explorer, and other browsers on all platforms including Windows, Macintosh, and GNU/Linux.

  • Visible: It’s easy for the user to know when SSL is being used. Just as http:// is the protocol for unsecured Internet traffic, https:// is the protocol for SSL Internet traffic. Any URL that starts with https:// is using SSL.

  • Bidirectional: Both the information sent from the client to the Web server and the information sent from the Web server to the client are encrypted.

With these advantages, you might think it makes sense to use SSL everywhere. While this is possible, there are two main disadvantages to using SSL:

  • Speed: SSL adds encryption/decryption overhead to all communication, making the Web surfing experience a little slower. How much slower? It depends on the server load and how many people are concurrently requesting information that needs to be encrypted or decrypted.

  • Resources: Not only does SSL encryption require extra CPU cycles on the server for encryption and decryption, it also requires the server to maintain each user’s private key in the server-session state.

  • Cost: Each site that uses SSL requires a unique certificate to be installed on the server. These certificates have to be purchased from a certificate authority.

How SSL Works

Chapter 1 introduced the concepts of hashes, public key encryption, and private key encryption. SSL uses all three of these technologies to ensure secure communication. SSL is a technology that spans both ASP.NET and Internet Information Server, so to implement SSL, you’ll need to configure both applications. SSL is based on certificates, and the first thing you’ll do to enable SSL is obtain a certificate. A certificate is a file, approximately 1 KB in size, containing a public key for your Web site, some information about your company, and a signed verification hash (for authentication of the certificate). When a user browses to an SSL-secured page, her browser will download your site’s certificate and verify the certificate is both authentic and valid. The browser then generates a unique private key, encrypts the private key using the public key found in the certificate, and sends the encrypted private key to the server. The server decrypts the private key, and the client and server then use this private key for subsequent communications. Every client uses a different private key. A key is valid for an entire session.
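To make the exchange described above concrete, here is a toy model of it in Python, added for this edition and not code from the book: a certificate authority signs the site’s certificate, the browser verifies that signature, generates a session key, wraps it with the site’s public key from the certificate, and both sides then encrypt with that key. The RSA primes, the "Example Corp" certificate and the request line are constructed values, and the SHA-256 XOR keystream stands in for the real session cipher.

```python
import hashlib
import secrets

def make_keypair(p, q, e=17):
    """Textbook RSA key pair from two tiny primes (toy size, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def digest(subject, n, e, signer_n):
    """Hash the certificate body and reduce it into the signer's RSA range."""
    body = f"{subject}|{n}|{e}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % signer_n

def issue_certificate(ca, subject, site_pub):
    """The CA signs a hash of the site's identity and public key."""
    h = digest(subject, site_pub["n"], site_pub["e"], ca["n"])
    return {"subject": subject, "n": site_pub["n"], "e": site_pub["e"],
            "sig": pow(h, ca["d"], ca["n"])}

def verify_certificate(cert, ca_pub):
    """Browser check: recover the hash with the CA public key and compare it."""
    h = digest(cert["subject"], cert["n"], cert["e"], ca_pub["n"])
    return pow(cert["sig"], ca_pub["e"], ca_pub["n"]) == h

def handshake(cert, ca_pub, server_priv):
    """Browser wraps a fresh session key with the site's public key;
    the server unwraps it with its private key. Returns both copies."""
    if not verify_certificate(cert, ca_pub):
        raise ValueError("certificate is not signed by a trusted authority")
    session_key = secrets.randbelow(cert["n"] - 2) + 2
    wrapped = pow(session_key, cert["e"], cert["n"])   # this is what crosses the wire
    server_key = pow(wrapped, server_priv["d"], server_priv["n"])
    return session_key, server_key

def session_xor(key, direction, data):
    """Toy symmetric cipher for the session: XOR with a SHA-256 keystream.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(f"{key}:{direction}:{block}".encode()).digest()
        out += bytes(b ^ pad[i] for i, b in enumerate(data[start:start + 32]))
    return bytes(out)

def demo(request=b"GET /Secure/default.aspx HTTP/1.1"):
    """Whole flow with constructed toy keys: (keys agree?, decrypted request)."""
    ca, site = make_keypair(61, 53), make_keypair(89, 97)
    cert = issue_certificate(ca, "Example Corp", site)
    browser_key, server_key = handshake(cert, {"n": ca["n"], "e": ca["e"]}, site)
    ciphertext = session_xor(browser_key, "client->server", request)
    return browser_key == server_key, session_xor(server_key, "client->server", ciphertext)
```

A certificate whose subject or public key has been altered after signing fails the browser’s check, which is the property the signed verification hash exists to provide.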

For a certificate to be considered valid, it must be signed by an online certificate authority. Internet Explorer recognizes a number of certificate authorities. To see the list of certificate authorities, in Internet Explorer, choose the menu item Tools|Internet Options, click the Content tab on the Internet Options dialog box, and click the Certificates button. Figure 5-3 shows the trusted certificate authorities.

Figure 5-3: Trusted certificate authorities in Internet Explorer

Obtain a test certificate

Certificate authorities charge for certificates; however, most certificate authorities will allow you to download a free trial certificate for testing purposes. In the following exercise, you will install a test certificate from VeriSign:

  1. In Internet Explorer, navigate to the Web site http://www.verisign.com.

  2. Click the link Free SSL Trial ID. The resulting page will ask for some basic contact information. Fill in the requested information, and click Submit.

  3. You will be prompted to create a CSR (certificate signing request) and submit it to VeriSign. VeriSign includes instructions for creating a CSR at http://www.verisign.com/support/csr.

  4. VeriSign will e-mail you the test certificate, with instructions for how to install it. Included in the instructions are directions for installing the VeriSign test root certificate, which contains the certificate used to verify the authenticity of your test certificate.

    Note

    For more information on setting up SSL, see the following articles: “Setting up SSL on Your Server” at http://www.microsoft.com/windows2000/en/server/iis/htm/core/iisslsc.htm and “HOW TO: Enable SSL for All Customers Who Interact with Your Web Site” at http://support.microsoft.com/default.aspx?scid=KB;en-us;q298805.

Add SSL to the EmployeeManagementWeb application

Now that the certificate is installed on the computer, you will configure the EmployeeManagementWeb application so that the secure section is accessed via SSL. Using the Internet Information Services (IIS) manager, you can specify that all or only part of a Web site requires SSL for access, and in this exercise, you will configure just the Secure folder for SSL.

  1. Start Internet Information Services manager by choosing Run on the Start menu, typing inetmgr.exe, and pressing Enter.

  2. Expand the nodes in the TreeView until you locate the Local Computer|Web Sites|Default Web Site|EmployeeManagementWeb|Secure folder.

  3. Right-click the Secure folder, and click Properties on the shortcut menu to open the Secure Properties dialog box.

  4. In the Directory Security tab, there is a section named Secure Communications. Click the Edit button to open the Secure Communications dialog box.

  5. Check the Require Secure Channel (SSL) check box, as shown in the following illustration, and click the OK button to turn on SSL security for this directory.


    Now that SSL security is turned on, the URLs for all pages in this directory have to be accessed using https instead of http. Because of this, you’ll need to change the URL of the hyperlink to use https.

  6. In Microsoft Visual Basic .NET, open the project EmployeeManagementWeb.sln.

  7. Open the default.aspx page, and double-click the background of the page to open the Page_Load event. Enter the following code in the event:

    Private Sub Page_Load(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strURL, strBase As String
        ' Derive the address of the secure page from the hyperlink's
        ' relative URL and the absolute URL of the current request.
        strURL = Me.HyperLink1.NavigateUrl
        strBase = Me.Request.Url.AbsoluteUri
        ' Keep everything after "http" up to and including the last "/",
        ' then prefix it with "https" and append the relative page URL.
        strURL = "https" & strBase.Substring(4, _
            strBase.LastIndexOfAny("/\".ToCharArray()) - 3) & strURL
        ' Change the hyperlink's URL to point to the secured page.
        Me.HyperLink1.NavigateUrl = strURL
    End Sub

  8. Press F5 to run the application. When you navigate to any page in the secure section, the client and server will use SSL to communicate, encrypting all information sent over the network.


Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168