So, You Want Your Pages to be Encrypted, Huh?

By Curtis Dicken


 

As a webmaster, security can be a very real and common concern. As a rule, the average website visitor knows only the basics of what web security is all about. Most everyone knows to look for the little padlock icon in the bottom of their browser to know when they are dealing with a secured page. The slightly more advanced user will know how to tweak their security settings in their browser. Only the advanced users truly understand how the whole process works. Hopefully, after reading this tutorial you will at least consider yourself among the more advanced.

 

Why Use Encryption?

 

We pass a tremendous amount of sensitive information back and forth via the internet, VPNs (Virtual Private Networks), LANs (Local Area Networks), etc. every day. What is to stop hackers and thieves from tapping into that sensitive information and using it for their own gain? That would be SSL (Secure Sockets Layer), for one.

 

In these days of information there are a great number of reasons web designers and developers use secured pages. Here are some of the most common reasons web developers use secured pages:

  • Protect user identities and passwords

  • Protect credit card transactions and other sensitive information during online consumer purchases

  • Allow users to safely view personal and business financial information

  • Secure the transmissions of other sensitive personal information like your social security number

  • Keep secret sensitive corporate information being passed between branches, divisions, etc.

Granted, there are many more reasons you may come across a need for security, but the short list above gives you some of the highlights. Hopefully, you see that without encryption many of the online resources we take for granted today would not be possible.

 


 

How Does it Work?

 

You're going to love this. Alright, well, maybe not.

 

If I went into the complete explanation of the process I would have you bored to tears in less than 5 minutes. So, in order to keep you from slamming your head on your keyboard I'm going to give you the abbreviated version. Here it goes.

 

First: A client (that's the browser) requests an SSL connection with the server
Second: The server sends a Certificate (I'll explain the Certificate in a second)
Third: The client validates the Certificate, creates a session key and encrypts the Certificate with the key
Fourth: The server decrypts the session key and establishes the encrypted connection

That's not so bad; however, you have yet to send any real information. All you have right now is an established connection. Now it gets interesting. The Certificate that the server sent out is what makes this whole process work. A Certificate is obtained from a Certificate Authority, which is sort of like a notary public that verifies the Certificate's authenticity, hence the name. The Certificate contains the common name of the server, making it impossible to use on other servers. It also uses keys, a public and private key, to create and verify a secured connection.
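The four steps above, as an added Python example that is not part of the original tutorial. It uses textbook RSA on small constructed primes purely for illustration (real SSL/TLS uses padded, full-size keys), and it makes explicit that in this RSA-style exchange the session key is what travels encrypted, under the public key carried in the Certificate. All names and sample values are assumptions.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private). Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def cert_digest(common_name, server_pub, modulus):
    data = f"{common_name}|{server_pub[0]}|{server_pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(common_name, server_pub, ca_priv):
    """The CA binds the server's common name to its public key by signing both."""
    n, d = ca_priv
    sig = pow(cert_digest(common_name, server_pub, n), d, n)
    return {"cn": common_name, "pub": server_pub, "sig": sig}

def client_validate(cert, requested_host, ca_pub):
    """Step 3a: check the CA signature, then that the name matches the host."""
    n, e = ca_pub
    signed_ok = pow(cert["sig"], e, n) == cert_digest(cert["cn"], cert["pub"], n)
    return signed_ok and cert["cn"] == requested_host

def handshake(requested_host, cert, ca_pub, server_priv):
    """Returns (client_key, server_key), or None if the client rejects the cert."""
    if not client_validate(cert, requested_host, ca_pub):
        return None
    n, e = cert["pub"]
    client_key = secrets.randbelow(n - 2) + 2        # step 3b: new session key
    on_the_wire = pow(client_key, e, n)              # encrypted to the server
    n, d = server_priv
    server_key = pow(on_the_wire, d, n)              # step 4: server decrypts
    return client_key, server_key

# Constructed sample values: Mersenne primes, far too small for real use.
CA_PUB, CA_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
CERT = issue_certificate("www.example.com", SERVER_PUB, CA_PRIV)

if __name__ == "__main__":
    print(handshake("www.example.com", CERT, CA_PUB, SERVER_PRIV))
    print(handshake("www.other.example", CERT, CA_PUB, SERVER_PRIV))  # None
```

A Certificate presented for a different host name, or one whose public key was swapped after signing, fails validation and no session key is ever sent.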

I hope this satisfies your general curiosities.

 


 

How Do I Set it Up?

 

Sound kind of handy and cool so far? Wondering how unbelievably difficult this will be?

 

Well, amazingly enough it really isn't all that tough to do. For the most part there are only two ways to set up SSL.

 

The first is to set up SSL on your own server. Now, I realize that most of you are not running your own web server so I will cover just the highlights. In order to set it up you would need a server running IIS (Internet Information Services) like Microsoft's Windows 2000 Server and be familiar enough with servers and network configurations to set it up. Next you would need a Certificate, like the one I mentioned above, which you can get from a certificate authority like VeriSign or you can even create a Certificate yourself. Once you have the pieces put together it's really as simple as creating a folder in your web where all of your secured pages are stored and routing all references to your secured pages through your secured server.

 

Or you could use the secured server that your web host has already set up. Wow, doesn't that sound a whole lot easier?

 

Most web hosts have a secured server already set up and ready to use. These are referred to as Shared Secure Servers or Shared SSL since the server takes care of security for several different webs. If your site is hosted by a provider, odds are you have this service available to you at no additional charge. If your site is being hosted for free (like on a personal web server with your ISP) you will probably not have a secured server available to you, and if you do you can probably expect to pay for it. As a general rule, the free hosting services don't come with the bells and whistles like Shared SSL.

 

Simply contact your provider and see if you have the service available to you. If you do, you or they will create a special folder within your web for your secured pages. They should also provide you with a URL reference that routes through their secured server to your secured folder. The URL should look something like this: https://www.WebHostSecure.com/YourWeb/YourFolder/YourPage.html

 

Be sure that the URL reads https. That "s" on the end is what designates the link as secured. Believe it or not, that's all there is to it. Most of the work is already done for you. Now you have the ability to keep your pages, forms and whatever else safe from spying eyes. Ahhhh, do you feel the power?
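One way to check that every reference really does read https, as an added Python example that is not part of the original tutorial. It scans a page for links into the secured folder and for password forms that would be sent without SSL; the sample HTML, the page URL and the login.asp file name are constructed, and the host and folder come from the sample URL above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class InsecureReferenceFinder(HTMLParser):
    """Collects secured-folder links and password forms not sent over https."""
    def __init__(self, page_url, secure_folder):
        super().__init__()
        self.page_url, self.secure_folder = page_url, secure_folder
        self.findings = []
        self._form = None            # resolved action of the form being parsed

    def _resolve(self, ref):
        # Relative references inherit the scheme of the page they appear on.
        return urljoin(self.page_url, ref or "")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlparse(self._resolve(a["href"]))
            if url.path.startswith(self.secure_folder) and url.scheme != "https":
                self.findings.append(("link", url.geturl()))
        elif tag == "form":
            self._form = self._resolve(a.get("action"))
        elif tag == "input" and self._form:
            is_password = (a.get("type") or "").lower() == "password"
            if is_password and urlparse(self._form).scheme != "https":
                self.findings.append(("form", self._form))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def find_insecure_references(html, page_url, secure_folder):
    finder = InsecureReferenceFinder(page_url, secure_folder)
    finder.feed(html)
    return finder.findings

# Constructed sample page, served from a constructed plain-http address.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """
<a href="https://www.WebHostSecure.com/YourWeb/YourFolder/YourPage.html">ok</a>
<a href="http://www.WebHostSecure.com/YourWeb/YourFolder/YourPage.html">no s</a>
<form action="login.asp"><input type="password" name="pw"></form>
<form action="https://www.WebHostSecure.com/YourWeb/YourFolder/login.asp">
  <input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    for kind, url in find_insecure_references(
            SAMPLE_HTML, SAMPLE_PAGE_URL, "/YourWeb/YourFolder/"):
        print(kind, url)
```

The relative form action is flagged because it resolves against the plain http page it sits on, which is the easy case to miss when only absolute links are checked by eye.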

 


 

So, What's the Downside?

 

Why wouldn't you just want to secure every page that you create as a matter of practice? Well, there's one simple and very good reason. Speed.

 

When you use the encryption capabilities every bit of information sent back and forth is encrypted and decrypted. That includes graphics, photographs, text, data, etc. and it can create quite a drag on both upload and download time. If you encrypted everything, your visitors would probably become very impatient with your site and surf off somewhere else. A good rule of thumb is to only use encryption when absolutely necessary and consolidate your encryption needs into as few pages as possible.

 

Well, I hope this gives you some good working knowledge of SSL and encryption. For most of you it will be as simple as emailing your host and having SSL set up for your web. Good luck and happy coding!

 
