General Secure Sockets Layer Information
Secure Sockets Layer Definition
"SSL" stands for Secure Sockets Layer. It is a security protocol that encrypts
your connections with a web server. SSL thwarts eavesdroppers who could "sniff" your internet
packets for sensitive information such as passwords and credit card numbers. Thus, SSL has made
on-line commerce viable for all web users.
SSL was designed by Netscape and was originally incorporated into the company's web server
and web browser software. Since then, SSL has been included in products from every major
developer of web software.
Netscape's Definition
Netscape Communications has designed and specified a protocol for providing data security
layered between application protocols (such as HTTP, Telnet, NNTP, or FTP) and TCP/IP. This security
protocol, called Secure Sockets Layer (SSL), provides data encryption, server authentication, message
integrity, and optional client authentication for a TCP/IP connection.
SSL will enable a web site visitor's browser to connect and transparently negotiate a secure communication
channel. Theoretically, once this connection has been made, information can be exchanged with no chance
of any unauthorized third party interpreting the data.
How SSL Works
Quoting from the technical specifications of Netscape Data Security:
SSL provides a security "handshake" that is used to initiate the TCP/IP connection. This handshake
results in the client and server agreeing on the level of security they will use, and fulfills any
authentication requirements for the connection. Thereafter, SSL's only role is to encrypt and decrypt
the bytestream of the application protocol being used (for example, HTTP, NNTP, or Telnet). This means
that all the information in both the HTTP request and the HTTP response are fully encrypted, including
the URL the client is requesting, any submitted form contents (including things like credit card
numbers), any HTTP access authorization information (usernames and passwords), and all the data
returned from the server to the client.
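The split described above, between a handshake phase and an encrypted application bytestream, is visible in the record framing on the wire. The following is an added example, not code from this page or from Netscape's specification. It assumes the 5-byte record header used by SSL 3.0 and TLS (content type, version, length); the function names are hypothetical and the sample bytes are constructed. It parses a byte stream into records and reports only what a passive observer can read without the keys.

```python
import struct

# Record-layer content types defined for SSL 3.0 and TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER = struct.Struct("!BBBH")  # type, version major, version minor, length


def parse_records(stream: bytes):
    """Split a byte stream into (type, version, payload); ValueError if malformed."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        ctype, major, minor, length = HEADER.unpack_from(stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        start = offset + HEADER.size
        if start + length > len(stream):
            raise ValueError(f"truncated payload at offset {offset}")
        records.append((CONTENT_TYPES[ctype], (major, minor),
                        stream[start:start + length]))
        offset = start + length
    return records


def observer_view(stream: bytes):
    """What a passive observer learns per record: type, version, length only."""
    return [(name, version, len(payload))
            for name, version, payload in parse_records(stream)]


def record(ctype: int, payload: bytes, version=(3, 0)) -> bytes:
    """Build one record for the constructed sample below."""
    return HEADER.pack(ctype, version[0], version[1], len(payload)) + payload


# Constructed sample, not a real capture: two handshake records, a
# change_cipher_spec, then one application_data record whose payload stands in
# for the ciphertext of an HTTP request (URL, form fields, credentials).
SAMPLE = (record(22, b"\x01" + bytes(40))      # placeholder ClientHello body
          + record(22, b"\x02" + bytes(60))    # placeholder ServerHello body
          + record(20, b"\x01")
          + record(23, bytes(range(200, 256)) * 2))  # stand-in ciphertext

if __name__ == "__main__":
    for name, version, length in observer_view(SAMPLE):
        print(f"{name:<20} version={version[0]}.{version[1]} length={length}")
```

The record header stays in the clear, so the type, version and length of each record remain observable even though the application payload is not.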
Netscape has created a server software package called the Netscape Directory for Secure E-Commerce. The
Netscape Directory for Secure E-Commerce implements server-side support for HTTP over SSL including support
for acquiring a server certificate and communicating securely with SSL-enabled browsers like Netscape
Navigator. There are also other, similar products from companies besides Netscape; these products include
Stronghold, Zeus, and Apache SSL.
Even after the server software is installed and operating on a particular system, the site is still not
in secure mode. There remains one essential step necessary to ensure that the server has the proper security
verification: the registration of that site's encrypted key pair, generated by an encryption authority
(such as VeriSign). Without having an installed verified encrypted key pair, the site is no more secure
than any other Web server.
Restrictions
The restriction for utilizing SSL or an SSL-enabled product is a proprietary one (i.e. it requires specific
browser software to fully integrate all of the encryption schemes necessary to maintain security).
Security Enabled Browsers
This is a partial listing of web browsers that can handle SSL:
- Netscape Navigator (UNIX/Mac version 1.12 and later or Windows version 1.22 and later)
- IBM Internet Connection Secure WebExplorer (version 1.1) for OS/2
- Delrina Cyberjack Web (version 7.00)
- Prodigy Web Browser (version 1.4b)
- InternetMCI (version 1.0)
- Microsoft's Internet Explorer
- Chameleon
- NCSA Mosaic
- Hot Java