
Using HTTPS: How to encrypt and secure a website

You might know that it's possible to secure a website with encryption technology, but do you know what that "S" at the end of HTTPS really signifies, or how to implement HTTPS on your organization's website?

In this tip, we take a look at the use of the Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), to secure website communications with encryption.

First, it's important to set your expectations appropriately. A security certificate on a website, together with the encrypted connection it enables, has three purposes and no more. It will:

  1. Protect communications between the client and the server from eavesdropping.
  2. Detect tampering with data in transit, so that an attacker on the network path cannot silently alter requests or responses.
  3. Provide the client with assurances about the server's identity, protecting against phishing and other impersonation attacks.

That's it. Using HTTPS communications will not protect you against improperly coded Web applications, SQL injection, cross-site scripting, denial-of-service (DoS) attacks or any other Web threats; an attack carried inside a legitimate request is simply delivered over an encrypted channel. If you understand which risks encryption does and does not address, it can be a valuable tool in your Web security arsenal.

What is HTTPS?
You're likely already familiar with the HyperText Transfer Protocol (HTTP): the protocol behind the Web. In its basic form, HTTP uses unencrypted communications to transfer data between the client and server. Therefore, anyone who has access to any network segment between you and the server (on your network, on the server's network or any place in between) is able to view the contents of your Web surfing.

If you wish to avoid this eavesdropping, which is critical for financial transactions, sensitive personal information exchange or many other private applications, you can use the HyperText Transfer Protocol Secure (HTTPS). This protocol carries the ordinary HTTP exchange over an encrypted channel provided by the Secure Sockets Layer (SSL) or, in current browsers and servers, its successor Transport Layer Security (TLS); the term "SSL certificate" has stuck even though the connection itself is almost always TLS. If you're having a difficult time following the details of the encryption that takes place in this process, you may wish to read How symmetric and asymmetric encryption work. Here's a simplified view of how it works:

  1. You start your Web browser and request a secure page by using the https:// prefix on the URL.
  2. Your Web browser contacts the Web server on the HTTPS port (TCP port 443) and requests a secure connection.
  3. The server responds with a copy of its SSL certificate.
  4. Your Web browser checks that the certificate was issued by a certificate authority it trusts, that the name in the certificate matches the site you asked for and that it has not expired, then extracts the server's public key from it.
  5. Your Web browser creates a random session key, encrypts it with the server's public key and sends the encrypted key to the server.
  6. The server uses its private key to decrypt the session key.
  7. The client and server use the session key to encrypt, and check the integrity of, all further communications.

Steps 5 and 6 describe RSA key transport, the classic arrangement. Cipher suites based on ephemeral Diffie-Hellman instead have both sides derive the session key from a fresh exchange that the certificate's key only signs, so a later compromise of the server's private key does not expose previously recorded sessions. Either way, the application sees the same result: step 7.
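The following is an added example, not code from the article, that models steps 3 through 7 as a message exchange between a client function and a server object. It uses textbook RSA over public Mersenne primes and an HMAC-SHA256 keystream purely so the flow is visible in a few dozen lines; the host name, CA names and keys are all constructed for the example, and the toy omits the record-level integrity check real TLS performs. The second half shows the failure mode that matters most in practice: an impostor who presents a certificate for the right name but from a CA the client does not trust.

```python
"""Toy model of the handshake steps above: certificate check, RSA key transport,
then symmetric encryption under the session key. Added example; not from the
article. Textbook RSA over Mersenne primes and an HMAC-based stream cipher are
used only so the message flow is visible; none of it is safe for real use."""
import hashlib
import hmac
import os

# Mersenne primes, chosen only so the toy moduli are large enough to hold a
# 128-bit session key and a SHA-256 digest. Real keys use random primes.
M89, M107, M127, M521, M607, M1279 = (2 ** k - 1 for k in (89, 107, 127, 521, 607, 1279))

def rsa_keygen(p, q, e=65537):
    """Textbook RSA. Returns (public, private), each an (n, exponent) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse: Python 3.8+

def rsa_apply(key, m):
    """Encrypt, decrypt, sign and verify are all m^exp mod n in textbook RSA."""
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)

def cert_digest(subject, pub):
    """Hash of what the CA vouches for: the subject name and its public key."""
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue_certificate(subject, subject_pub, ca_name, ca_priv):
    """A 'certificate': subject name + public key, signed by the issuing CA."""
    return {"subject": subject, "pub": subject_pub, "issuer": ca_name,
            "sig": rsa_apply(ca_priv, cert_digest(subject, subject_pub))}

def verify_certificate(cert, expected_host, trust_store):
    """Step 4: issuer must be in the trust store, its signature must verify,
    and the name in the certificate must be the host we asked for."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        raise ValueError(f"issuer {cert['issuer']!r} not in trust store")
    if rsa_apply(ca_pub, cert["sig"]) != cert_digest(cert["subject"], cert["pub"]):
        raise ValueError("certificate signature does not verify")
    if cert["subject"] != expected_host:
        raise ValueError(f"certificate names {cert['subject']!r}, not {expected_host!r}")
    return cert["pub"]

def stream_crypt(session_key, nonce, data):
    """Step 7 stand-in for AES: XOR with an HMAC-SHA256 keystream. Same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(session_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Server:
    def __init__(self, cert, priv):
        self.cert, self.priv, self.session_key = cert, priv, None

    def hello(self):  # step 3: hand over the certificate
        return self.cert

    def receive_session_key(self, encrypted):  # step 6: only the private key can open it
        self.session_key = rsa_apply(self.priv, encrypted).to_bytes(16, "big")

    def handle(self, nonce, ciphertext):  # step 7: a distinct keystream per direction
        request = stream_crypt(self.session_key, nonce + b"c2s", ciphertext)
        path = request.split()[1].decode()
        reply = f"HTTP/1.1 200 OK\r\n\r\nhello {path}".encode()
        return stream_crypt(self.session_key, nonce + b"s2c", reply)

def https_get(server, host, path, trust_store):
    """Client side of steps 3 to 7. Raises ValueError if the certificate is rejected."""
    server_pub = verify_certificate(server.hello(), host, trust_store)  # steps 3-4
    session_key = os.urandom(16)                                        # step 5
    server.receive_session_key(rsa_apply(server_pub, int.from_bytes(session_key, "big")))
    nonce = os.urandom(8)
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    reply_ct = server.handle(nonce, stream_crypt(session_key, nonce + b"c2s", request))
    return stream_crypt(session_key, nonce + b"s2c", reply_ct).decode()

# Constructed PKI for the example: one root the 'browser' trusts, one it does not.
HOST = "www.example.com"  # hypothetical site name
ROOT_PUB, ROOT_PRIV = rsa_keygen(M107, M607)
SERVER_PUB, SERVER_PRIV = rsa_keygen(M127, M521)
ROGUE_PUB, ROGUE_PRIV = rsa_keygen(M89, M1279)
TRUST_STORE = {"Example Root CA": ROOT_PUB}
GENUINE = Server(issue_certificate(HOST, SERVER_PUB, "Example Root CA", ROOT_PRIV), SERVER_PRIV)
# An impostor presents a self-signed certificate carrying the genuine site's name.
IMPOSTOR = Server(issue_certificate(HOST, ROGUE_PUB, "Rogue CA", ROGUE_PRIV), ROGUE_PRIV)

def run_demo():
    """Returns (reply from the genuine server, error message for the impostor)."""
    reply = https_get(GENUINE, HOST, "/account", TRUST_STORE)
    try:
        https_get(IMPOSTOR, HOST, "/account", TRUST_STORE)
        error = None
    except ValueError as exc:
        error = str(exc)
    return reply, error

if __name__ == "__main__":
    reply, error = run_demo()
    print(reply)
    print("impostor rejected:", error)
```

Two details carry over to real deployments. The client never sends the session key in the clear, so an eavesdropper who records the whole exchange holds only RSA ciphertext and symmetric ciphertext; and the impostor is rejected at step 4, before any key is sent, because trust is decided by the client's root list rather than by anything the server claims about itself.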

How to implement HTTPS on a website
It's fairly easy to secure your website with an SSL certificate, enabling users to connect via an HTTPS encrypted connection. Before you can do so, you must obtain an SSL certificate from a certificate authority (CA). These vary widely in cost; at the time of writing, the three major vendors (Verisign Inc., Thawte Consulting Ltd. and GeoTrust) charge between $150 and $400 per year for a basic certificate.

Choosing a reputable certificate authority is extremely important. During the certificate purchase process, the CA will verify that you control the domain name (and, for higher-assurance certificates, your organization's identity) before issuing the certificate. Users must trust that the CA is performing appropriate due diligence before issuing certificates, because a CA that issues carelessly lets an attacker obtain a certificate in your name. More importantly, you almost always want to choose a CA whose root certificate is included in the trust stores your visitors actually use: the Windows Trusted Root Certification Authorities list, but also the separate stores shipped with Mozilla Firefox, Apple's operating systems and other platforms. If a visitor's browser cannot chain your certificate to a root it trusts, it will display a warning that your certificate may not be valid, which is the same warning a phishing site triggers and which trains users to click through.

Once you obtain your certificate, you must install it on your Web server. Step-by-step instructions are available for installing digital certificates in Microsoft Internet Information Server (IIS) or the Apache Web server. After installation, connect to the site from outside your own network and confirm that the browser shows no warnings; a common mistake is to install the server certificate without the CA's intermediate certificate, leaving some browsers unable to build the chain to a trusted root. Make sure the private key file is readable only by the account the Web server runs as, since anyone who can read it can impersonate your site.

Conclusion
Installing a digital certificate and providing users with the ability to make HTTPS connections to your Web server is one of the simplest ways you can add security to your website and build user confidence in conducting transactions with you over the Web. It provides the all-important "lock" icon in their Web browsers and ensures their communications are not subject to eavesdropping on the Internet.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Send comments on this technical tip to editor@searchmidmarketsecurity.com.

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was first published in March 2010
