SSL (Secure Socket Layer) and Secure Web Pages - PowerPoint PPT Presentation

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 Advanced Web Design Spring 2004 rsodders_at_cise.ufl.edu – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
SSL (Secure Socket Layer) and Secure Web Pages
  • Rob Sodders, University of Florida
  • CIS4930 Advanced Web Design
  • Spring 2004
  • rsodders_at_cise.ufl.edu

2
What is SSL?
  • SSL: Secure Socket Layer
  • SSL transmits information over the internet in
    encrypted form. The SSL protocol ensures that a
    transmission is sent only from client to server.
  • SSL was originally developed by Netscape to
    provide secure transmission between a web browser
    and web server.

3
What is SSL?
  • The SSL protocol provides 40-bit (1) and 128-bit
    encryption.
  • The usage of the SSL protocol is commonly
    denoted by a URL beginning with https (though
    this is not always the case, and likewise https
    does not always imply the use of SSL).
  • (1) 40-bit encryption: 1,099,511,627,776
    possible key combinations

4
Why use SSL?
  • Data is usually sent across the internet in plain
    text.
  • Unscrupulous individuals often use applications,
    commonly called "sniffers", that search for
    patterns that represent potentially valuable
    information, including but not limited to credit
    card numbers, Social Security numbers, user
    names/passwords, etc.

5
How does SSL Work?
6
How does SSL Work?
  • Three parts to the SSL protocol:
  • SSL server authentication and/or
  • SSL client authentication,
  • as well as an encrypted SSL connection.

7
How does SSL Work?
  • Client-Side Authentication
  • Allows the user to check that the server's
    certificate and public ID are valid. The user's
    identity can be verified with this information.
  • Checks that the certificate is issued by a trusted
    certificate authority (e.g. VeriSign). These can
    be expensive.
  • Commonly used in online sales.
  • Server-Side Authentication
  • Allows the user to check that the server's
    certificate and public ID are valid. The user's
    identity can be verified with this information.
  • Checks that a certificate is issued by a trusted
    certificate authority (in this case it is often
    provided to the client by the server, not
    in a physical sense).
  • Not as frequently used. Useful when a server
    needs to validate the identity of the user (e.g.
    a bank sending confidential information to a
    customer).

8
How Does SSL Work?
  • An encrypted SSL connection ensures that all
    information sent between a client and a server is
    encrypted by the sending software and
    decrypted by the receiving software, thus
    providing a high degree of confidentiality. All
    data sent over an encrypted SSL connection is
    protected with a mechanism for detecting
    tampering, that is, for automatically determining
    whether the data has been altered in transit.

9
Implementing SSL on your site.
  • First, some limitations:
  • You're unlikely to have purchased a certificate
    from a trusted provider (the cost of a VeriSign
    certificate begins at $350/year!!).
  • An SSL toolkit/protocol must be installed on your
    server. Most servers will have this installed. If
    not, you may wish to point your System
    Administrator to OpenSSL (www.openssl.org).
  • OpenSSL is installed on most LAMP setups.

10
Implementing SSL on your site.
  • This example is not on my CIS4930 page, but on my
    CISE homepage. We don't have a certificate, so in
    actuality this will be basic authentication.
  • Hopefully this will make the demo a bit more
    useful for everyone (it may be particularly
    useful for anyone taking CEN3031 or CIS4301 in
    the future when attempting the project(s)).

11
Implementing SSL on your site
  • In the various directories of your web page you
    need to have an htaccess file (on most servers,
    though, it is a .htaccess file).
  • We'll do an example using basic authentication
    first and then go over how you would implement
    SSL.
  • SIDENOTE: You can do many things with your
    htaccess, including setting a different default
    homepage (other than index.html), blocking and/or
    allowing only certain IP addresses and domains,
    and allowing only certain browsers and OSes.

12
Your htaccess file
  • If you don't have an htaccess file, visit CISE Web
    Help for help in creating one for your CISE
    account.
  • Your htaccess file should have something like
    this:
  • AuthUserFile /cise/homes/rsodders/public_html/cis4930/private/htpasswd
  • AuthName Test
  • AuthType Basic
  • require user test

13
Creating user file on CISE
  • To create a password for the user test, at the
    command prompt:
  • htpasswd -c /cise/homes/rsodders/public_html/cis4930/private/htpasswd test

14
Creating user file on CISE
  • You'll be prompted to enter the password for the
    user (I've used cis4930).
  • Ex.
  • New password:
  • Re-type new password:
  • Adding password for user test

15
Creating user file on CISE
  • http://www.cise.ufl.edu/rsodders/cis4930/private/
    is now using basic authentication.
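
Added example (not part of the original slides): a Python check showing why the basic-authentication setup from slides 12-15 still needs an encrypted connection. The Authorization header a browser sends is only Base64-encoded and decodes without any key, and the audit flags the sample directives for that reason and for keeping the password file under public_html. The function names and finding labels are hypothetical; `SSLRequireSSL` is the mod_ssl directive that refuses non-SSL requests.

```python
import base64
import shlex

# Constructed sample: the directives shown on slide 12.
SAMPLE_HTACCESS = """\
AuthUserFile /cise/homes/rsodders/public_html/cis4930/private/htpasswd
AuthName Test
AuthType Basic
require user test
"""

def parse_htaccess(text):
    """Return {directive_lowercase: [args]} for simple one-line directives."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)
        directives[name.lower()] = args
    return directives

def basic_auth_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic_auth(header):
    """Recover (user, password) from the header value; no key is involved."""
    scheme, token = header.split(None, 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def audit(text, web_root_marker="public_html"):
    """Flag settings that expose Basic credentials or the password file.
    web_root_marker is an assumption about where served files live."""
    d = parse_htaccess(text)
    findings = []
    auth_type = (d.get("authtype") or [""])[0].lower()
    if auth_type == "basic" and "sslrequiressl" not in d:
        findings.append("basic-auth-without-ssl")
    path = (d.get("authuserfile") or [""])[0]
    if web_root_marker in path.split("/"):
        findings.append("password-file-under-web-root")
    return findings

if __name__ == "__main__":
    print(decode_basic_auth(basic_auth_header("test", "cis4930")), audit(SAMPLE_HTACCESS))
```

Adding `SSLRequireSSL` and moving the password file outside public_html clears both findings.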

16
If we had an SSL certificate...
  • In the htaccess file:
  • Replace AuthUserFile with the address of your
    installed/purchased certificate.
  • Replace AuthType with SSL.
  • Replace/add require with the certificate that the
    client must have.

17
Sources
  • Netscape SSL Info: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
  • CISE SSL Certificate: http://www.cise.ufl.edu/help/access/cert.shtml
  • CISE htaccess: http://www.cise.ufl.edu/help/web/htpasswd.shtml

18
Download these Slides
  • http://rob.donotforgetme.com/cis4930.html