Using SSL/HTTPS

Short for Secure Sockets Layer, SSL provides a level of security and privacy for those wishing to conduct secure transactions over the Internet. Originally developed by Netscape Communications and RSA Data Security, Inc., the SSL protocol protects HTTP transmissions over the Internet by adding a layer of encryption. This ensures that your transactions are not subject to "sniffing" by a third party.

SSL provides visitors to your web site with the confidence to communicate securely via an encrypted session. For companies wishing to conduct e-commerce, such as receiving credit card numbers or other sensitive information, SSL is extremely important.

While SSL handles the encryption part of a secure HTTP transaction, a Digital Certificate is necessary to provide server authentication. Several companies, called certificate authorities, including Verisign, are in the business of selling digital certificates. Prices and the quality of service vary between certificate authorities, so you should shop around. Once you have purchased and installed a digital certificate on your Web server, browsers will be able to communicate securely with it via SSL.

Internet users will make an SSL-secured connection to your server using HTTPS. HTTPS is a unique protocol that combines SSL and HTTP. Most browsers support HTTPS, which gives the user the ability to communicate securely across the Internet. Hyperlinks and forms that point to SSL-protected documents must start with https://. A user can also open a URL by specifying https:// to request SSL-protected documents.

Most Web servers can run in both secure and non-secure mode at the same time. As a result you can choose to provide information to all users using no security and specific information only to browsers who make secure requests. This is how a retail company on the Internet can allow users to look through the merchandise without security, but then fill out order forms and send their credit card numbers using security.

Typically, browsers let the user know that they have switched to SSL by displaying a special icon, such as a lock in the status bar. Users can also look for the https:// URL prefix to determine whether they are connected via SSL.

In order to use SSL/HTTPS on your server you must first install an SSL certificate. SSL certificates are typically purchased from certification authorities, such as Verisign, Thawte, BBN Certificate Services and CommerceNet.

Ensuring that SSL is Being Used

Most servers allow regular HTTP as well as HTTPS to be used for the same resources at the same time. A Microsoft IIS server with a digital certificate installed, for example, will serve a page over HTTPS if the requesting URL was prefixed with "https://", but would use simple HTTP if the URL was prefixed with "http://", or if it omitted the protocol designator altogether. In most cases servers can be configured to disallow HTTP requests for certain resources, but sometimes this control may not be adequate.

Consider a shopping cart site, which allows users to browse an on-line catalog and purchase goods by credit card. To avoid the overhead of SSL, the creators of such a site may opt to use HTTP for the scripts that provide the browsing capability, and HTTPS for the form that collects credit card information. Some servers, including Microsoft IIS, do not allow administrators to force SSL on a per-file basis, but instead only provide directory-level control. In this case, the programmer would have to verify the use of SSL in the script itself.

A similar situation, requiring the verification of the use of SSL in the script, is the case where the Web server does not support script maps, so the CGI program needs to be called directly. In this case, there is no way to configure the Web server to allow HTTP for certain scripts, but not for others.

Another reason to verify the use of SSL in the script, as opposed to forcing it at the Web server level, is that it allows the program to offer a meaningful error message and supply a link with the correct URL.

Following is some code that can be used to return an error message if the user did not use SSL:

<%
IF Request.ServerVariables("HTTPS") <> "on"
%>
    <h2>Error!</h2>
    <p>This resource requires the use of SSL.
    Click on the link below to continue your session.</p>
    <a href="https://www.foxweb.com/checkout.fwx">Continue</a>
<%
    Response.End
ENDIF
* The following code will run only if this is an SSL request
%>

<head><title>Payment Information</title></head>
<body><h2>Please enter your credit card information</h2>
.
. (more content)
.
</body>

The above example uses the HTTPS server variable to determine whether SSL was used. Some servers do not support this variable. In that case, you can use the variable SERVER_PORT to determine whether port 443 was used (HTTPS utilizes port 443 by default).
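The same check, written as an added example in Python rather than FoxWeb script (this is not code from the page or from FoxWeb), run over a CGI-style environment dictionary. It consults the HTTPS server variable first and falls back to SERVER_PORT when the server does not set HTTPS, and it builds the https:// link for the error page from the standard CGI variables HTTP_HOST, SERVER_NAME, SCRIPT_NAME and QUERY_STRING. The sample environments, the 403 status for the error page and the helper names are all assumptions made for the example.

```python
"""Verify in the script that a request arrived over SSL/HTTPS.

Added example (not the page's own code). It mirrors the page's logic:
check the HTTPS server variable, fall back to SERVER_PORT == 443, and
send the user a link to the correct https:// URL when the check fails.
"""

from html import escape


def request_is_ssl(env):
    """Return True if the request used SSL/HTTPS.

    The HTTPS server variable is authoritative when the server sets it.
    If it is absent, port 443 (the HTTPS default the page mentions) is
    taken as the SSL indicator, as the page suggests for such servers.
    """
    https = env.get("HTTPS", "").strip().lower()
    if https:
        return https == "on"
    return env.get("SERVER_PORT", "").strip() == "443"


def secure_url(env):
    """Build the https:// URL for the current resource for the error page.

    HTTP_HOST / SERVER_NAME, SCRIPT_NAME and QUERY_STRING are standard CGI
    variables; any explicit port on the host is dropped because the https
    URL should use the default port 443.
    """
    host = env.get("HTTP_HOST") or env.get("SERVER_NAME", "localhost")
    host = host.split(":")[0]
    path = env.get("SCRIPT_NAME", "/")
    query = env.get("QUERY_STRING", "")
    url = f"https://{host}{path}"
    if query:
        url += "?" + query
    return url


def ssl_error_page(env):
    """The error fragment the page shows, with the link filled in and escaped."""
    url = escape(secure_url(env), quote=True)
    return (
        "<h2>Error!</h2>\n"
        "<p>This resource requires the use of SSL.\n"
        "Click on the link below to continue your session.</p>\n"
        f'<a href="{url}">Continue</a>\n'
    )


def handle_request(env):
    """Return (status, body): the error page if SSL was not used, else the
    protected content. The 403 status is this example's choice; the page's
    script simply ends the response after the error message."""
    if not request_is_ssl(env):
        return 403, ssl_error_page(env)
    return 200, "<h2>Please enter your credit card information</h2>\n"


if __name__ == "__main__":
    # Constructed sample environments, not captured from any real server.
    plain_http = {"SERVER_PORT": "80", "HTTP_HOST": "www.example.com",
                  "SCRIPT_NAME": "/checkout.fwx"}
    with_https_var = {"HTTPS": "on", "HTTP_HOST": "www.example.com",
                      "SCRIPT_NAME": "/checkout.fwx"}
    port_only = {"SERVER_PORT": "443", "HTTP_HOST": "www.example.com",
                 "SCRIPT_NAME": "/checkout.fwx"}
    for env in (plain_http, with_https_var, port_only):
        status, body = handle_request(env)
        print(status, body.splitlines()[0])
```

The HTTPS variable takes precedence over the port check on purpose: a server that sets HTTPS to "off" is stating the connection is not encrypted, and the port alone does not prove otherwise.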


© Aegis Group