Rob Chevalier, ISTCCS
The primary mechanism used today for securing data exchanged between a website and its customers over an open network is the web server certificate.
A web server certificate is used to encrypt the communication between a client and a server (e.g., a customer's browser and a retailer's web server) or any two servers on a network. Simply stated, a web server certificate is a digital document that has unique codes to verify the identity of the holder of the certificate (the website) to the person or server accessing the site.
When two parties on the Internet wish to "talk" securely (such as a customer sending his or her credit-card number to Amazon.com), a web server certificate is used to set up a secure session that first verifies the true identity of the party that requests data transfer (Amazon.com).
If the certificate is valid, the customer receives a message saying that it is safe to "talk" to the retailer, as it has been verified that they are indeed who they say they are. The customer can send any personal information to the retailer securely, without fear of any nefarious individuals intercepting the data.
If the certificate is invalid, a message will pop up stating the security problem. Transactions can still occur, but at the risk of identity fraud by a third party (e.g., it may be Robsbargainbooks.com trying to appear as Amazon.com).
Have you ever wondered how to tell whether a website is using a web server certificate? The pages of a website secured by a web server certificate are characterized as follows:
To examine and verify the encryption information of the secured pages:
You can observe this by going to the CalNet Directory (https://directory.berkeley.edu/). Data transmitted to and from the directory is encrypted and secure.
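The check a browser performs before it shows a page as secure can also be run from a script. The following Python sketch is an added example, not part of the original article: the names `summarize_cert`, `check_site` and `SAMPLE_CERT` are hypothetical, and the sample certificate is constructed for illustration.

```python
import socket
import ssl
import sys
import time

# Constructed sample, in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Retailer"),), (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Jan  1 00:00:00 2004 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),),
}

def summarize_cert(cert, now=None):
    """Reduce a peer-certificate dict to the fields a user would inspect."""
    now = time.time() if now is None else now
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "holder": subject.get("commonName"),
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        "names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "in_validity_period": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }

def check_site(host, port=443, timeout=10):
    """Connect the way a browser does: CA chain and host name are both verified."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = summarize_cert(tls.getpeercert())
                info.update(valid=True, protocol=tls.version(), cipher=tls.cipher()[0])
                return info
    except ssl.SSLCertVerificationError as err:
        # Untrusted issuer, expired certificate or wrong host name all land here.
        return {"valid": False, "problem": err.verify_message}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
    for host in sys.argv[1:]:  # e.g. python check_cert.py directory.berkeley.edu
        print(check_site(host))
```

A result with `valid` set to `False` corresponds to the browser's security warning; connection failures unrelated to the certificate are raised as ordinary socket errors.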
Any campus website that exchanges sensitive information with customers should use a web server certificate. These certificates should be purchased from an authorized Certificate Authority.
For more information on web server certificates, the SSL Protocol, and cryptography in general, visit the following websites:
Berkeley Computing & Communications,
Volume 13, Number 1 (Winter 2003)
Copyright 2003, The Regents of the University of California