SSL Overview for Resellers
GeoTrust: Web Security, Enterprise Security, Identity Verification Services, Signing Services
© 2004 GeoTrust, Inc. All rights reserved.

What We'll Cover
• Understanding SSL
• SSL Handshake 101
• Market Opportunity for SSL
• Obtaining an SSL Certificate

Understanding SSL

Secure Sockets Layer (SSL)
• Protocol that has become the industry standard for securing data transmissions on the Internet
• Provides a secure channel in two ways:
  - Authenticates the Web server to the client
  - Encrypts all the data being sent
• 4 key components to enable SSL:
  - Digital Certificate
  - Public/Private Key Pair
  - Session Key
  - Certificate Authority (CA)
• SSL is established using the SSL handshake
  - Server authentication and session key creation take place

Secure Sockets Layer (SSL)
• Largely invisible to the application
  - An https URL specifies HTTP over SSL
  - Connects to port 443 instead of 80
  - Identical in all other respects to HTTP
• All https data is sent via SSL
  - Even the requested URL is encrypted
• SSL interacts poorly with virtual hosts that have 1 IP for multiple domains
  - The SSL connection is established before any HTTP data is transmitted
  - The SSL handshake takes place without the guidance of the Host header
  - The Web server doesn't know which certificate to present
• Must set up each domain with a unique IP address
  - Does not need to be a routable IP (called an alias)
  - The Web server uses the alias to determine which certificate to present
Digital Certificates
• Electronic passports that handle the passing of the keys to:
  - Authenticate the Web server
  - Encrypt/decrypt the data passed
• Standard format for all digital certificates is X.509 v3
  - Helps define the fields contained in the certificate
• Main components of a certificate include:
  - Web server's public key
  - Fully qualified domain name the certificate was issued to
  - Name of the holder of the key
  - CA's digital signature
  - Validity period

Digital Certificates (cont.)
Key components of an SSL certificate:
• The domain the certificate was issued to
• Which certificate authority issued the certificate
• The validity period of the certificate

Digital Certificates (cont.)
Key components of an SSL certificate:
• Digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is real

Public/Private Keys
• Created when the Certificate Signing Request (CSR) is generated
  - A CSR is an unsigned certificate which is submitted to the CA
• In SSL they are used to authenticate the identity of the Web server and to encrypt and decrypt the session key
• Private key is kept secret (and very secure) and stays on the Web server
• Public key is part of the digital certificate and is available to all
• Public key must be matched to the corresponding private key for a digital certificate to work

Session Key
• Created by the browser during the SSL handshake
• Sent to the server in a message encrypted with the server's public key
• Used to encrypt and decrypt information exchanged during the SSL session
• Randomly generated and changes each time
• 128 bits is the standard length for the key (though some browsers have started to move towards 256-bit)
Certificate Authority
Trusted organization that:
• Accepts SSL certificate applications from entities
• Authenticates those applications
  - WebTrust compliant
  - Follows the steps and procedures outlined in its CPS
• Issues certificates
• Maintains status information about the certificates
  - Validity period, Certificate Revocation Lists, etc.
• Invests in the technologies and resources to support SSL certificates and to assure that its certificates are trusted by Web browsers

SSL Handshake 101

SSL - setting up the session
• SSL provides: server authentication, data encryption and message integrity
• User has a standard browser
• Website (Web server behind a firewall) has an X.509 certificate signed by a trusted 3rd party

SSL - setting up the session
• User enters the website URL
• Browser sends the URL to www (the Web server, through the firewall)

SSL - setting up the session
• Server certificate is sent to the browser

SSL - setting up the session
Sample certificate as shown on the slide (the certificate includes the server's public key):
  Serial Number: 6cb0dad0137a5fa79888f
  Validity: Nov.08,2004 Nov.08,2004
  Subject / Name / Organization:
    Locality = Internet
    Organization = GeoTrust, Inc.
    Organizational Unit = GeoTrust Class 2 CA - Individual Subscriber
  Public Key: ie86502hhd009dkias736ed55ewfgk 98dszbcvcqm85k309nviidywtoofk kr2834kl
  Status: Valid
  Signed By: GeoTrust, Inc.: kdiowurei495729hshsg0925h309afh we09721h481903207akndnxnzkjoaio eru10591328y5

SSL - setting up the session
• The browser generates a symmetric key of specified strength
  - This will be the "session key"
SSL - setting up the session
• The browser encrypts the "session key" with the Web server's public key (found in the certificate)

SSL - setting up the session
• The browser sends the encrypted "session key" to the Web server

SSL - setting up the session
• The Web server decrypts the encrypted "session key" with its private key

SSL - setting up the session
• The secret key has now been shared
• The encrypted session is now established

How the SSL Handshake Works
• A browser requests a secure page (https://)
• The Web server sends its public key with its certificate
• The browser authenticates the server by checking:
  1. Is today's date within the validity period?
  2. Is the issuing CA a trusted CA?
  3. Does the issuing CA's public key validate the issuer's digital signature?
  4. Does the domain name in the server's certificate match the domain name of the server itself?
• The browser then uses the server's public key to encrypt a random session key and sends it to the server with the encrypted data on the Web page
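The four browser checks listed above, worked through as an added example (this is not code from the GeoTrust deck). It applies checks 1, 2 and 4 to a constructed certificate in the dictionary form that Python's standard ssl module returns from SSLSocket.getpeercert(); check 3 (verifying the CA's signature over the certificate) needs the CA's public key and a crypto library, so it is left to the TLS stack. The certificate values and the TRUSTED_ISSUERS set are made-up assumptions.

```python
import ssl
import time

# Constructed sample certificate in the dictionary form that Python's standard
# ssl module returns from SSLSocket.getpeercert(); all values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Nov  8 00:00:00 2004 GMT",
    "notAfter": "Nov  8 23:59:59 2005 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Stand-in for the CA roots shipped with the browser (constructed list).
TRUSTED_ISSUERS = {"Example Trusted CA"}

def _name_attr(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def hostname_matches(pattern, hostname):
    """Match one certificate name against the requested host. A leading '*.'
    covers exactly one label, the 'mydomain.sharedssl.com' wildcard case."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def check_server_cert(cert, hostname, now=None):
    """Apply checks 1, 2 and 4 from the slide; each result is True when it passes.
    Check 3 (the CA signature) is left to the TLS library and not repeated here."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # Browsers prefer subjectAltName DNS entries; the subject CN is the fallback.
    cn = _name_attr(cert["subject"], "commonName")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"] + [cn]
    issuer = _name_attr(cert["issuer"], "organizationName")
    return {
        "validity_period": not_before <= now <= not_after,
        "trusted_issuer": issuer in TRUSTED_ISSUERS,
        "hostname": any(n and hostname_matches(n, hostname) for n in names),
    }
```

A real browser rejects the connection if any check fails; this function returns all three results so the failing check is visible.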
How the SSL Handshake Works (cont.)
• The Web server decrypts the session key using its private key and uses the session key to decrypt the data from the Web page
• The Web server sends back the requested Web page data encrypted with the session key
• The browser decrypts the Web page data using the session key and displays the information

SSL Enabled
• Browsers initiate SSL sessions when they connect to a Web server over https://
• Gold lock icon located in the lower right hand corner contains the certificate details and lets Web site users know the site is secure
• When a browser connects to a site that uses SSL, the URL switches to https://
• Lock symbol means the site is secure and encryption is enabled

Market Opportunity for SSL

SSL Market Data
• Over 60M active domains*
• Approximately 850,000 active digital certificates
• About 1.4% of the 51m domains have an active digital certificate
• 25% annualized growth in number of active certificates over the last 12 months
• Expected growth over the next year is greater than 30%
* Source: http://www.whois.sc/internet-statistics

Applications of SSL
• Secure browser to Web server communications when collecting financial and personal data
  - eCommerce sites
  - Banking applications
  - User/member login pages
  - Sign-up pages
  - VPN access
  - Web access to email
  - Sensitive business information (business partners, remote offices)
• Secure server to server communications to improve data and network security
  - FTP sites
  - Database and application servers
  - Communication between email servers
Value of SSL Certificates
• Information on the Internet is vulnerable to many threats:
  - Spoofing/phishing
  - Eavesdropping
  - Data alteration
• SSL certificates safeguard against these threats by providing:
  - Confidentiality, to keep data secret from unintended listeners
  - Authentication, to identify with whom you are dealing
  - End-to-end message integrity, to ensure the information has not been altered during transmission

Online Fraud: A Growing (and Costly) Threat
(chart) Source: www.antiphishing.org, April 2006

Other SSL Market Influencers
• Significantly increased Web usage and market and consumer awareness of SSL
• Technological enhancements have made dedicated servers and SSL more affordable

Obtaining an SSL Certificate

Setting Up SSL
5 step process to get a certificate:
1. Company generates the CSR (public/private key pair and certificate) on the Web server
2. Company submits the CSR and other order information to the CA through some type of online enrollment process
3. CA authenticates the Web server and/or Company and verifies that the requestor is authorized to order a certificate for that domain
4. CA signs the certificate (adding their trust to it for browser recognition) and issues the certificate to the requestor
5. Company installs the certificate on the Web server

Self-Signed Certificates
• Companies generate their own certificates by setting up their own certificate authority
• Extra effort and resources needed to administer and manage certificates
• Large up-front costs (additional hardware, software, etc.)
• Not automatically recognized by a user's browser
  - User is asked if they want to accept the certificate and secure connection
• Not recommended for production
Self-Signed Certificates (cont.)

Trusted Certification Authority
• Browser automatically recognizes the certificate and allows a secure connection
• High ubiquity: root already present in all popular Web browsers
• CA guarantees either the identity of the Web server or organization
• Long-term stability
• WebTrust compliant
  - Practices and controls audited yearly for compliance
  - WebTrust seal displayed on site

Dedicated SSL vs. Shared SSL
• One single fully qualified domain name per certificate
  - More credibility with the customer: the customer won't experience a domain name change in the middle of the shopping experience (i.e. go from http://www.mydomain.com to https://sharedssl.com/mydomain, or https://mydomain.sharedssl.com if the wildcard method is used)
  - Reduces the risk of low customer confidence
  - A mid-session domain change gives the same user experience as phishing
• Consumers are more likely to purchase from a site that uses a dedicated SSL certificate
• Own the certificate and can transfer it with them
• Display site seal with information specific to your domain
• No extra hardware or software to install
• Low cost and easy to manage

Questions