As a webmaster, security can be a very real and common concern. As a rule,
the average website visitor knows only the basics of what web security is all
about. Most everyone knows to look for the little padlock icon in the bottom of
their browser to know when they are dealing with a secured page. The slightly
more advanced user will know how to tweak their security settings in their
browser. Only the advanced users truly understand how the whole process works.
Hopefully, after reading this tutorial you will at least consider yourself among
the more advanced.
Why Use Encryption?
We pass a tremendous amount of sensitive information back and forth via the
internet, VPNs (Virtual Private Networks), LANs (Local Area Networks), etc.
every day. What is to stop hackers and thieves from tapping into that sensitive
information and using it for their own gain? That would be SSL (Secure
Sockets Layer), for one.
In these days of information there are a great number of reasons web
designers and developers use secured pages. Here are some of the most common
reasons web developers use secured pages:
- Protect user identities and passwords
- Protect credit card transactions and other sensitive information during
  online consumer purchases
- Allows users to safely view personal and business financial information
- Secure the transmissions of other sensitive personal information like your
  social security number
- Keep secret sensitive corporate information being passed between branches,
  divisions, etc.
Granted, there are many more reasons you may come across a need for security
but the short list above gives you some of the highlights. Hopefully, you see
that without the ability for encryption many of the online resources we take for
granted today would not be possible.
How Does it Work?
You’re going to love this. Alright, well, maybe not.
If I went into the complete explanation of the process I would have you bored
to tears in less than 5 minutes. So, in order to keep you from slamming your
head on your keyboard I’m going to give you the abbreviated version. Here it
goes.
First: A client (that’s the browser) requests an SSL connection with the server
Second: The server sends a Certificate (I’ll explain the certificate in a
second)
Third: The client validates the Certificate, creates a session key and encrypts
the Certificate with the key
Fourth: The server decrypts the session key and establishes the encrypted
connection
That’s not so bad; however, you have yet to send any real information. All you
have right now is an established connection. Now it gets interesting. The
Certificate that the server sent out is what makes this whole process work. A
Certificate is obtained from a Certificate Authority, which is sort of like a
notary public that verifies the Certificate’s authenticity, hence the name. The
Certificate contains the common name of the server, making it impossible to use
on other servers. It also uses keys, a public and private key, to create and
verify a secured connection.
I hope this satisfies your general curiosities.
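The four steps above, as an added Python sketch that is not part of the original tutorial: the client checks the certificate's common name and wraps a fresh session key with the public key carried in the certificate, which is what lets the server decrypt the session key in the fourth step. The toy RSA numbers, the SHA-256 keystream and the certificate dictionary are assumptions for illustration, and the Certificate Authority's signature check is left out.

```python
import hashlib
import secrets

# Toy RSA key pair (primes 61 and 53): far too small for real use.
N, E, D = 3233, 17, 2753

# Constructed certificate: common name plus public key (CA signature omitted).
CERTIFICATE = {"common_name": "www.webhostsecure.com", "public_key": (N, E)}


def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Symmetric step: XOR data with a SHA-256 keystream derived from the key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(f"{session_key}:{counter}".encode()).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_key_exchange(cert: dict, requested_host: str):
    """Third step: validate the certificate name, create and wrap a session key."""
    if cert["common_name"] != requested_host.lower():
        raise ValueError("certificate common name does not match requested host")
    n, e = cert["public_key"]
    session_key = secrets.randbelow(n - 2) + 2  # value in [2, n-1]
    wrapped = pow(session_key, e, n)            # only the private key undoes this
    return session_key, wrapped


def server_unwrap(wrapped: int) -> int:
    """Fourth step: the server recovers the session key with its private key."""
    return pow(wrapped, D, N)


def handshake(requested_host: str, message: bytes) -> bytes:
    """Run the exchange, then pass one message over the encrypted connection."""
    client_key, wrapped = client_key_exchange(CERTIFICATE, requested_host)
    server_key = server_unwrap(wrapped)
    ciphertext = keystream_xor(client_key, message)  # client encrypts
    return keystream_xor(server_key, ciphertext)     # server decrypts


if __name__ == "__main__":
    print(handshake("www.WebHostSecure.com", b"password=constructed-sample"))
```

Presenting the same certificate for a different host name raises `ValueError`, which is the common-name binding the paragraph above describes.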
How Do I Set it Up?
Sound kind of handy and cool so far?
Wondering how unbelievably difficult this will be?
Well, amazingly enough it really
isn’t all that tough to do. For the most part there are only two ways to set up
SSL.
The first is to set up SSL on your
own server. Now, I realize that most of you are not running your own web server
so I will cover just the highlights. In order to set it up you would need a
server running IIS (Internet Information Services) like Microsoft’s Windows 2000 Server
and be familiar enough with servers and network configurations to set it up.
Next you would need a Certificate, like the one I mentioned above, which you can
get from a certificate authority like VeriSign or you can even create a
Certificate yourself. Once you have the pieces put together it’s really as
simple as creating a folder in your web where all of your secured pages are
stored and routing all references to your secured pages through your secured
server.
Or you could use the secured server
that your web host has already set up. Wow, doesn’t that sound a whole lot
easier?
Most web hosts have a secured
server already set up and ready to use. These are referred to as Shared Secure
Servers or Shared SSL since the server takes care of security for several
different webs. If your site is hosted by a provider, odds are you have this
service available to you at no additional charge. If your site is being hosted
for free (like on a personal web server with your ISP) you will probably not
have a secured server available to you and if you do you can probably expect to
pay for it. As a general rule, the free hosting services don’t come with the
bells and whistles like Shared SSL.
Simply contact your provider and see
if you have the service available to you. If you do, you or they will create a
special folder within your web for your secured pages. They should also provide
you with a URL reference that routes through their secured server to your
secured folder. The URL should look something like this:
https://www.WebHostSecure.com/YourWeb/YourFolder/YourPage.html
Be sure that the URL reads https.
That "s" on the end is what designates the link as secured. Believe it or not,
that’s all there is to it. Most of the work is already done for you. Now you
have the ability to keep your pages, forms and whatever else safe from spying
eyes. Ahhhh, do you feel the power?
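One way to check that every reference on a secured page really reads https, as an added example that is not part of the original tutorial. The sample page, its file names (`order.asp`, `logo.gif`, and so on) and the function names are constructed for illustration around the tutorial's example URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch or submit something.
URL_ATTRS = {"href", "src", "action"}


class InsecureReferenceFinder(HTMLParser):
    """Collect references on a secured page that would leave HTTPS."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Relative references inherit the scheme of the secured page.
                resolved = urljoin(self.page_url, value.strip())
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((tag, name, resolved))


def find_insecure_references(page_url: str, html: str):
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page served from the shared secure server.
PAGE_URL = "https://www.WebHostSecure.com/YourWeb/YourFolder/YourPage.html"
SAMPLE_HTML = """
<form action="http://www.WebHostSecure.com/YourWeb/YourFolder/order.asp" method="post">
  <input type="password" name="pw">
</form>
<a href="confirm.html">relative link stays on https</a>
<img src="http://www.WebHostSecure.com/YourWeb/images/logo.gif">
<a href="https://www.WebHostSecure.com/YourWeb/YourFolder/receipt.html">ok</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_references(PAGE_URL, SAMPLE_HTML):
        print(f"<{tag} {attr}> leaves HTTPS: {url}")
```

The form finding is the one that matters most: the page itself loads over https, but the password it collects would be submitted in the clear.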
So, What’s the Downside?
Why wouldn’t you just want to secure
every page that you create as a matter of practice? Well, there’s one simple and
very good reason. Speed.
When you use the encryption
capabilities every bit of information sent back and forth is encrypted and
decrypted. That includes graphics, photographs, text, data, etc. and it can
create quite a drag on both upload and download time. If you
encrypted everything, your visitors would probably become very impatient with
your site and surf off somewhere else. A good rule of thumb is to only use
encryption when absolutely necessary and consolidate your encryption needs into
as few pages as possible.
Well, I hope this gives you some good
working knowledge of SSL and encryption. For most of you it will be as simple as
emailing your host and having SSL set up for your web. Good luck and happy
coding!