200 likes | 387 Views
SSL (Secure Socket Layer) and Secure Web Pages. Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004 rsodders@cise.ufl.edu. What is SSL?. SSL = Secure Socket Layer
E N D
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004 rsodders@cise.ufl.edu
What is SSL? • SSL = Secure Socket Layer • SSL transmits information over the internet in encrypted form. The SSL protocol ensures that a transmission is sent only from client to server. • SSL was originally developed by Netscape to provide secure transmission between a web browser and web server.
What is SSL? • The SSL protocol provides 40-bit1 and 128-bit encryption. • The usage of the SSL protocol is commonly denoted by a URL beginning with ‘https’ (though this is not always the case and likewise ‘https’ does not always imply the use of SSL). (1) – 40 bit encryption = 1,099,511,627,776 possible key combinations
Why use SSL? • Data is usually sent across the internet in plain text. • Unscrupulous individuals often use applications, commonly called “Sniffers” that search for patterns that represent potentially valuable information, including but not limited to Credit Card Numbers, Social Security Numbers, User Names/Passwords, etc.
How does SSL Work? • Three parts to the SSL protocol: • SSL Server authenticationand/or • SSL Client authentication, • as well as an encrypted SSL connection.
Client-Side Authentication Allows user to check that server’s certificate and public ID are valid. The user’s identity with this information can be verified with this information Checks that certificate is issued by a trusted certificate authority (i.e. VeriSign). These can be expensive. Commonly used in online sales. Server-Side Authentication Allows user to check that server’s certificate and public ID are valid. The user’s identity with this information can be verified with this information Checks that a certificate is issued by trusted certificate authority (in this case it is often the provided to the client by “the Server” (not in a physical sense) Not as frequently used. Useful when a server needs to validate the identity of the user (i.e. a bank sending confidential information to a customer). How does SSL Work?
How Does SSL Work? • An encrypted SSL connection - ensures all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. All data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering--that is, for automatically determining whether the data has been altered in transit.
Implementing SSL on your site. • First some limitations: • You’re unlikely to have purchased a certificate from a trusted provide (the cost of a VeriSign certificate begins at $350 year!!). • SSL toolkit/protocol must be installed on your server. Most servers will have this installed. If not you may wish to point your System Administrator to OpenSSL (www.openssl.org). • Open SSL is installed on most “LAMP” setups.
Implementing SSL on your site. • This example is not on my CIS4930 page, but on my CISE homepage. We don’t have a certificate so in actuality this will “basic authentication”. • Hopefully this will make the demo a bit more useful for everyone (it may be particulary useful for anyone taking CEN3031 or CIS4301 in the future when attempting the project(s).)
Implementing SSL on your site • In the various directories of your web page you need to have a htaccess file (on most servers though it is .htaccess file). • We’ll do an example using basic authentication first and the go about how you would implement SSL. • SIDENOTE: You can do many things with your htaccess including setting a different default homepage (other than index.html), blocking and/or allowing only certain IP addresses and domains, allowing only certain browsers and OS.
Your htaccess file • If you don’t have a htaccess file visit CISE Web Help to help in creating one for your CISE account. • Your htaccess file should have something like this: AuthUserFile /cise/homes/rsodders/public_html/cis4930/private/htpasswd AuthName Test AuthType Basic require user test
Creating user file on CISE • To create password for the user test at the command prompt: htpasswd -c /cise/homes/rsodders/public_html/cis4930/private/htpasswd test
Creating user file on CISE • You’ll be prompted to enter the password for the user (I’ve used ‘cis4930’). Ex. New password: Re-type new password: Adding password for user test
Creating user file on CISE • http://www.cise.ufl.edu/~rsodders/cis4930/private/ is now using basic encryption.
If we had a SSL certificate.. • In the “htaccess” fille: • Replace AuthUserFile with the address of your installed/purchased certificate. • Replace AuthType with ‘SSL’. • Replace/add require with the certificate that the client must have.
Sources • Netscape SSL Info: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm • CISE SSL Certificate: http://www.cise.ufl.edu/help/access/cert.shtml • CISE htaccess: http://www.cise.ufl.edu/help/web/htpasswd.shtml
Download these Slides… • http://rob.donotforgetme.com/cis4930.html