How to Secure a Web Site
Security is a very important aspect for any developer of ecommerce web sites. To secure a web site, we must make sure that private data sent between the client and the server can't be deciphered. To accomplish that, we use an Internet protocol called SSL (Secure Sockets Layer). It's an important protocol that lets you transmit data over the internet using data encryption.
How Secure Sockets Layer (SSL) connections work:
- SSL is the protocol used by the world wide web that allows clients and servers to communicate over a secure connection.
- With SSL, the browser encrypts all data that's sent to the server and decrypts all data that's received from the server. Conversely, the server encrypts all data that's sent to the browser and decrypts all data that's received from the browser.
- SSL is able to determine if data has been tampered with during transmission and to verify that a server or a client is who it claims to be.
To determine if you're transmitting data over a secure connection, you can read the URL in the browser's address bar. If it starts with HTTPS rather than HTTP, then you're transmitting data over a secure connection, as shown in the following diagram:
Note
- To test an application that uses SSL, you must run the application under the control of IIS.
- With some browsers, a lock icon is displayed when a secure connection is being used.
How digital secure certificates work
- To use SSL to transmit data, the client and the server use digital secure certificates, as shown in the diagram below.
- Digital secure certificates are the electronic counterparts to driver's licenses, passports and membership cards. You can present a digital certificate electronically to prove your identity or your right to access information or services online.
- A digital certificate is issued by a Certification Authority (CA) and signed with the CA's private key.
- Digital secure certificates serve two purposes. First, they establish the identity of the server or client. Second, they provide the information needed to encrypt data before it's transmitted. By default, browsers are configured to accept certificates that come from trusted sources. If a browser doesn't recognize a certificate as coming from a trusted source, however, it informs the user and lets the user view the certificate. Then, the user can determine whether the certificate should be considered valid. If the user chooses to accept the certificate, the secure connection is established. The certificate dialog box for a digital secure certificate is shown in the following figure:
How to determine if a digital secure certificate is installed on your server
If IIS is running on your local machine, chances are that a certificate hasn't been installed. But if IIS is running on a server on a network, you can use the procedure shown in the figure above to determine if a certificate has been installed and to view the certificate.
How to get a digital secure connection
If you want to develop an ASP.NET application that uses SSL to secure client connections, you must first obtain a digital secure certificate from a trusted source such as:
http://www.verisign.com/
http://www.geotrust.com/
http://www.entrust.com/
http://www.thawte.com/
These certification authorities, or CAs, verify that the person or company requesting the certificate is a valid person or company by checking with a registration authority, or RA. To obtain a digital secure certificate, you'll need to provide a registration authority with information about yourself or your company. Once the registration authority approves the request, the certificate authority can issue the digital secure certificate.
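The browser behaviour described above (accept only certificates from a trusted CA, check that the server is who it claims to be, and treat an HTTPS URL as the sign of a secure connection) can be reproduced in a client of your own. The following is an added example, not code from the original article; it uses Python's standard ssl module rather than ASP.NET, and the function names are mine. It builds a client context that refuses untrusted or mismatched certificates, plus an audit helper that flags a context configured to accept anything, which is the programmatic equivalent of a user clicking "accept" on an unrecognised certificate.

```python
"""Added example: a client that verifies server certificates the way the
article describes a browser doing it (standard library only)."""
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse


def is_https_url(url: str) -> bool:
    """Mirror the manual address-bar check: secure only if the scheme is https."""
    return urlparse(url).scheme.lower() == "https"


def make_verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that accepts only certificates signed by a trusted CA and
    whose name matches the host. ca_bundle=None uses the OS trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True                 # server must be who it claims to be
    ctx.verify_mode = ssl.CERT_REQUIRED       # untrusted CA -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # old SSL/TLS versions refused
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """A context that accepts any certificate (for contrast; never ship this)."""
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False   # must be cleared before verify_mode below
    weak.verify_mode = ssl.CERT_NONE
    return weak


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context rejects untrusted or mismatched certs."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_peer_certificate(hostname: str, port: int = 443,
                           ca_bundle: Optional[str] = None) -> dict:
    """Open a verified TLS connection and return the server's certificate.
    Raises ssl.SSLCertVerificationError if the chain is untrusted or the name
    does not match, which is exactly the case a browser would warn about."""
    ctx = make_verifying_context(ca_bundle)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("https URL?", is_https_url("https://shop.example/checkout"))   # True
    print("weak context safe?", context_is_safe(make_weak_context()))    # False
    print("verifying context safe?", context_is_safe(make_verifying_context()))  # True
```

fetch_peer_certificate needs network access and is only called by you; the other functions run offline.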
Resource:
Here are some related resources: