How Secure Web (SSL) Works

From XMission Wiki
Revision as of 22:48, 17 March 2008 by Mfrazier (talk | contribs)
Jump to: navigation, search

Overview

Most web sites will use SSL encryption for collecting personal or confidential information. You'll most often see the use of SSL encryption when purchasing something online or viewing private statistics or documents. You'll notice that the URL (or web address) will start with https:// instead of http://. Your browser will recognize this is secure. The process is usually very smooth on the client's side. This may be an option that you're looking into for your web site hosted by XMission.

In more detail, SSL, Secure Sockets Layer, is the leading security protocol on the Internet. When an SSL session is started, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during that session.

An SSL certificate is a unique digital ID that can be used to verify the identity of a person, web site, or JavaScript/Java Applet. The certificate always includes a public key, the name of the entity it identifies, an expiration date, the name of the certificate authority (CA) that issued the certificate, the digital signature of the CA, and a serial number. These certificates use public key cryptography to sign and authenticate signatures and are protected by public and private key pairs linked by cryptographic algorithms. These keys have the ability to encrypt and decrypt information.


Your Options

If you'd like to use SSL encryption for your web site/domain hosted on XMission, you have a few options.

The first, and easiest, would be to use XMission's certificate. To do this, change the URL's of the pages you wish to secure to https://www.xmission.com/~username/securepage.html where you replace user name with your XMission user name and securepage.html with the page you wish to secure. This could, however, be a problem for you if you have your own domain name. Reason being, you must use the XMission domain in the URL instead of www.yourdomain.com. For more details about using this method, please refer to the SSL Tutorial.

If you have your own domain and you do not wish to use the XMission domain in the pages you wish to secure, you may get a certificate signed by XMission. A certificate signed by XMission is free of charge to any XMission customer. Once again, however, there is a problem with this method. Your visitors will be prompted with "Unknown Authority" (or something similar, depending on the browser used) when they first visit the secured pages. This has the possibility of scaring off potential clients or customers that are easily spooked by "hackers" or viruses. A certificate signed by XMission, however, is just as secure as a certificate signed by a public CA. You can request a certificate signed by XMission by filling out the request form.

The last means of using SSL with XMission would be to purchase a signed certificate and key from Verisign or another public CA. When this is done, you will need to upload the signed certificate (public key) and the RSA key (private key) in PEM format. To make this process more secure, you may request that XMission generate the RSA key to be kept on XMission and send you the unsigned certificate. You can then have the certificate signed and returned to XMission with less threat of the RSA key (which will won't leave XMission's hands) to be seen by another party.


To request an SSL Certificate, please send an email to ssl@xmission.com with the following information:

  • Do you want a certificate signed by XMission, or signed by another CA?
  • Your XMission account name.
  • Name of organization.
  • Which department of this organization is this for?
  • Website to be certified (i.e. www.domain.com)
  • Contact email for website (i.e. webmaster@domain.com)
  • City
  • State
  • Country
  • SSL Certificate notice email address? (this does not have to be the contact address above)


Public CA's

Here is a small list of public CA's you can purchase certificates from (in alphabetical order).