9. Confidentiality with SSL and Certificates
A certificate allows
you to demonstrate that your site and your organization information are
registered and verified with a certificate authority. This generally
encourages customer confidence, although it doesn't guarantee the
company or organization acts responsibly or fairly. A certificate is a
little like a driver's license—it doesn't prove you can drive, but it
demonstrates that a third party (in this case, a department of the
government) is willing to attest to your identity and your
qualifications. Your web server also requires a certificate in order to
use SSL, which automatically encrypts all the information sent between
the client and server.
To add a certificate to your
site, you first need to purchase one from a certificate authority.
These are some well-known certificate authorities:
9.1. Creating a Certificate Request
The first step in the
process of getting a certificate is to e-mail a certificate request for
your web server. IIS Manager allows you to create a certificate request
automatically. To do so, choose your computer in the IIS Manager tree,
and double-click the Server Certificates icon. Then, click Create
Certificate Request in the Actions pane to start the Request
Certificate Wizard (shown in Figure 16).
The Request
Certificate Wizard collects some basic information, such as your
address, the strength of encryption key you would like (the higher the
bit length, the stronger the key), and so on. At the end of the
process, you'll create a key request. You can save the generated file
as a text file, but you must ultimately e-mail it to a certificate
authority. The certificate authority will return a certificate, which
you can install by clicking Complete Certificate Request in the Actions
pane.
If you don't want to go to the
trouble of buying a certificate, you can create a test certificate to
use with your application. However, test certificates aren't suitable
for real, live websites, because they lead to lots of browser security
warnings (which is sure to scare away your users). To create a test
certificate of your own, check out the instructions at http://tinyurl.com/2hndyq.
9.2. Implementing SSL
SSL technology encrypts
communication between a client and a website. Although it slows
performance, it's often used when private or sensitive information
needs to be transmitted between an authenticated user and a web
application. Without SSL, any information that's sent over the
Internet, including passwords, credit card numbers, and employee lists,
is easily viewable to an eavesdropper with the right network equipment.
Even with the best
encryption, you have another problem to wrestle with—just how can a
client be sure a web server is who it claims to be? For example,
consider a clever attacker who uses some sort of IP spoofing to
masquerade as Amazon.com. Even if you use SSL to transfer your credit
card information, the malicious web server on the other end will still
be able to decrypt all your information seamlessly. To prevent this
type of deception, SSL uses certificates. The certificate establishes
the identity, and SSL protects the communication. If a malicious user
abuses a certificate, the certificate authority can revoke it.
To use SSL, you need to
install a valid certificate. You can then set IIS directory settings
specifying that individual folders require an SSL connection. To do so,
select the website in IIS Manager, double-click the SSL Settings icon
(in the IIS group), and put a check mark in the Require SSL check box.
To access a page over SSL, the client simply types the URL with https instead of http
at the beginning of the request. In your ASP.NET code, you can check
whether a user is connecting over a secure connection using code like
this:
    Protected Sub Page_Load(ByVal sender As Object, _
      ByVal e As System.EventArgs) Handles Me.Load
        ' IsSecureConnection is True when the request arrived over HTTPS.
        If Request.IsSecureConnection Then
            lblStatus.Text = "This page is running under SSL."
        Else
            ' Build the message shown to users who connected over plain HTTP.
            lblStatus.Text = "This page isn't secure.<br />"
            lblStatus.Text &= "Please request it with the "
            lblStatus.Text &= "prefix https:// instead of http://"
        End If
    End Sub
With SSL, the client and
web server start a secure session before they communicate any
information. This secure session uses a randomly generated encryption
key.
Here's how the process works:
1. The client requests an SSL connection.
2. The server signs its digital certificate and sends it to the client.
3. The client verifies the certificate was issued by a certificate authority it trusts, matches the web server it wants to communicate with, and has not expired or been revoked. If the certificate is valid, the client continues to the next step.
4. The client tells the server what encryption key sizes it supports.
5. The server chooses the strongest key length that is supported by both the client and server. It then informs the client what size this is.
6. The client generates a session key (a random string of bytes). It encrypts this session key using the server's public key (which was provided through the server's digital certificate). It then sends this encrypted package to the server.
7. The server decrypts the session key using its private key. Both the client and server now have the same random session key, which they can use to encrypt communication for the duration of the session.
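The certificate check, key-size negotiation and session-key exchange described above, as a runnable sketch (an added example, not code from the original text). It stands in textbook RSA on constructed demo primes and a toy keystream cipher for a real SSL library, and every name and certificate value in it is made up for illustration. The certificate check here leaves out verifying the issuer's signature over the certificate.

```python
import hashlib
import secrets
from datetime import date

# Constructed demo values. Textbook RSA on two Mersenne primes, no padding:
# enough to show the message flow, not secure. Session keys must be <= 128 bits.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
SERVER_PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))  # (n, d), never leaves the server
CERT = {"subject": "www.example.com", "issuer": "Example Test CA", "serial": 1001,
        "not_after": date(2030, 1, 1), "public_key": (P * Q, E)}

def certificate_ok(cert, host, trusted_issuers, revoked_serials, today):
    """Step 3: trusted issuer, matching name, not expired, not revoked."""
    return (cert["issuer"] in trusted_issuers and cert["subject"] == host
            and today <= cert["not_after"] and cert["serial"] not in revoked_serials)

def negotiate(client_sizes, server_sizes):
    """Steps 4-5: the strongest key size both sides support."""
    common = set(client_sizes) & set(server_sizes)
    if not common:
        raise ValueError("no key size in common")
    return max(common)

def client_wrap_session_key(cert, bits):
    """Step 6: random session key, encrypted with the certificate's public key."""
    n, e = cert["public_key"]
    key = secrets.token_bytes(bits // 8)
    return key, pow(int.from_bytes(key, "big"), e, n)

def server_unwrap_session_key(wrapped, bits):
    """Step 7: only the holder of the private key can recover the session key."""
    n, d = SERVER_PRIVATE
    return pow(wrapped, d, n).to_bytes(bits // 8, "big")

def xor_stream(key, data):
    """Toy symmetric cipher (SHAKE-256 keystream); the same call encrypts and decrypts."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(host, client_sizes, server_sizes, today=date(2025, 1, 1)):
    """Run steps 3-7 and return (key size, client's key, server's key)."""
    if not certificate_ok(CERT, host, {"Example Test CA"}, set(), today):
        raise ValueError("certificate rejected")
    bits = negotiate(client_sizes, server_sizes)
    client_key, wrapped = client_wrap_session_key(CERT, bits)
    return bits, client_key, server_unwrap_session_key(wrapped, bits)
```

A client that asks for a host name the certificate does not cover gets a `ValueError` before any session key is generated, which is the protection the certificate adds on top of encryption.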