You might know that it's possible to secure a website with encryption technology, but do you know what that "S" at the end of HTTPS really signifies or how to implement HTTPS on your organization's website?
In this tip, we take a look at the use of the Secure Sockets Layer (SSL) to secure website communications with encryption.
First, it's important to set your expectations appropriately. The use of a security certificate on a website has two (and only two!) purposes. It will:
- Protect communications between the client and the server from eavesdropping.
- Provide the client with assurances about the server's identity, protecting against phishing and other impersonation attacks.
That's it. Using HTTPS communications will not protect you against improperly coded Web applications, SQL injection, cross-site scripting, denial-of-service (DoS) attacks or any other Web threats. If you understand the risks that encryption protects you against, it can be a valuable tool in your Web security arsenal.
What is HTTPS?
You're likely already familiar with the HyperText Transfer Protocol (HTTP): the protocol behind the Web. In its basic form, HTTP uses unencrypted communications to transfer data between the client and server. Therefore, anyone who has access to any network segment between you and the server (on your network, on the server's network or any place in between) is able to view the contents of your Web surfing.
If you wish to avoid this eavesdropping, which is critical for financial transactions, sensitive personal information exchange or many other private applications, you can use the HyperText Transfer Protocol Secure (HTTPS). This protocol adds encryption using the Secure Sockets Layer (SSL) to the basic HTTP specification. Here's a simplified view of how it works:
- You start your Web browser and request a secure page by using the https:// prefix on the URL.
- Your Web browser contacts the Web server on the HTTPS port (TCP port 443) and requests a secure connection.
- The server responds with a copy of its SSL certificate.
- Your Web browser uses the certificate to verify the identity of the remote server and extract the remote server's public key.
- Your Web browser creates a session key, encrypts it with the server's public key and sends the encrypted key to the server.
- The server uses its private key to decrypt the session key.
- The client and server use the session key to encrypt all further communications.
How to implement HTTPS on a website
It's fairly easy to secure your website with an SSL certificate, enabling users to connect via an HTTPS encrypted connection. Before you can do so, you must obtain an SSL certificate from a certificate authority (CA). These vary widely in cost, with the three major vendors (Verisign Inc., Thawte Consulting Ltd. and GeoTrust) charging between $150 and $400 per year for a basic certificate.
Choosing a reputable certificate authority is extremely important. During the certificate purchase process, the CA will verify your identity before issuing the certificate. Users must trust that the CA is performing appropriate due diligence before issuing the certificate. More importantly, you almost always want to choose one of the CAs included on the Windows Trusted Root CA list. If you use a CA not included on this list, visitors to your website using Windows systems will see a warning message that your certificate may not be valid.
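The simplified handshake listed above and the trusted-root check just described, as an added Go example that is not part of the original tip: it starts a TLS server on the loopback interface with a constructed self-signed certificate for "localhost", then connects once as a client whose root list contains that certificate and once as a client whose root list does not, which is the situation that produces the browser warning. The function name, the greeting text and the certificate contents are my own choices.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Handshake runs one HTTPS-style exchange over loopback TCP with a throwaway self-signed
// certificate for "localhost" (constructed test material standing in for a CA-issued one).
// trusted=false leaves the client's root pool empty, modelling a CA the browser does not know.
func Handshake(trusted bool) (string, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool() // the client's equivalent of the browser's trusted-root list
	if leaf, _ := x509.ParseCertificate(der); trusted {
		roots.AddCert(leaf)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server: accept one client; Write runs the handshake, then sends a greeting
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("hello over TLS"))
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "localhost"})
	if err != nil { // Dial already ran the handshake, including certificate and hostname checks
		return "", err // wraps x509.UnknownAuthorityError when the issuer is not in roots
	}
	defer cli.Close()
	buf := make([]byte, 64)
	n, err := cli.Read(buf) // application data now flows under the negotiated session keys
	return string(buf[:n]), err
}
func main() {
	fmt.Println(Handshake(true))  // "hello over TLS" and a nil error
	fmt.Println(Handshake(false)) // empty string and an unknown-authority error
}
```

Current Go negotiates TLS 1.3 here, where the session keys come from an ephemeral key exchange rather than a session key encrypted with the server's RSA public key as in the simplified view above; the certificate and root-list checks are the same.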
Once you obtain your certificate, you must install it on your Web server. Step-by-step instructions are available for installing digital certificates in Microsoft Internet Information Server (IIS) or Apache Web server.
Installing a digital certificate and providing users with the ability to make HTTPS connections to your Web server is one of the simplest ways you can add security to your website and build user confidence in conducting transactions with you over the Web. It provides the all-important "lock" icon in their Web browsers and ensures their communications are not subject to eavesdropping on the Internet.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.