Transport Layer Security

From DreamHost


SSL / TLS

Background

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.

Creating an SSL Website on DreamHost

Why?

The normal HTTP protocol transmits information across the internet in the clear. Anyone who has access to any of the networks between the client browser and your DH server can easily peek at the data and see everything. To guard against this, use the SSL/TLS protocol instead. When using the secure protocol, your web site address will start with https:// instead of http://.

Why not?

At DreamHost, the encryption and decryption of the data is done in software, not hardware. It is slow, so you should only encrypt the parts of your web site that really need it, for example pages that collect or show credit card numbers or other very personal information. The best way to guard important information is to not have it, so do not collect secret information unless you must.

How to do it

See the Wiki article on Secure Hosting for more information and detailed instructions.

Problem solving

  • If your secure site doesn't show any data, make sure that it works properly using the regular protocol: browse to http://company.com and you should see your web site in its full glory. (But without the security indicator from your browser.)
  • If you get a security pop-up message about your secure site, you may not have the certificate installed correctly or the certificate may be for a different site. Remember that a certificate for company.com will usually not work for www.company.com. Ask your certificate authority and DH for help.
  • If you get a pop-up saying that some elements on the page are secure and others are not: the problem is that a page on your secure site https://company.com includes items (such as images, CSS files or JavaScript files) from non-secure websites. You need to make sure that everything on the page is from a secure site. Your images need to be on your secure site (or someone else's). Image URLs should either start with https:// or be relative URLs (e.g. foo.gif, images/woof.jpg, etc).
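
As an added example (not part of the original article), the following script finds the items that trigger the "secure and non-secure elements" warning. It goes beyond images to scripts, stylesheets and frames, and it handles a `<base href>` that changes how relative URLs resolve. The function names, the host cdn.example.net and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make the browser fetch a subresource.
FETCHING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
}
# <link href> fetches only for these rel values; <a href> never does.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page declares <base href>
        self.insecure = []     # (tag, resolved_url) tuples

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and attr.get("href"):
            self.base = urljoin(self.base, attr["href"])
        rels = set(attr.get("rel", "").lower().split())
        for name, value in attr.items():
            fetches = (tag, name) in FETCHING_ATTRS or (
                tag == "link" and name == "href" and rels & FETCHING_LINK_RELS)
            if not fetches or not value:
                continue
            resolved = urljoin(self.base, value)
            if urlparse(resolved).scheme == "http":
                self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample page served at https://company.com/ (not from the article).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://company.com/style.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="images/woof.jpg"><img src="http://www.company.com/foo.gif">
<a href="http://company.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content("https://company.com/", SAMPLE))
```

Relative and `//host` URLs inherit the scheme of the page (or of its `<base href>`), which is why the relative image and the protocol-relative script are not reported while the two absolute http:// items are.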

Transport selection

Your pages won't be encrypted if your web site visitor surfed to company.com, since the default transport for browsers is http, not https. To solve this, you have multiple options:

  • Easiest is to not advertise the secure version of company.com directly. Instead, people should visit www.company.com, then use links to visit specific pages on the secure site as needed. Your links should send people to "https://company.com/whatever"; don't use a link of "http://company.com/whatever".
  • You can write software to redirect people from http://company.com/whatever to https://company.com/whatever (see below).
  • Or both.

Automatic Redirection from HTTP to HTTPS

Add a .htaccess file to the root of your web directory with the following lines:

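RewriteEngine On
# Only redirect requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# R=301 sends a permanent redirect; L stops processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]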

For more information on .htaccess files see .htaccess.

Security is deeper than the HTTPS protocol

Remember that the HTTPS protocol is only a very small part of creating a secure web site. Your web site implementation, especially database web sites, must be securely written and tested.

Certification Authorities

Introduction

Any of the following vendors can be used. Differing amounts of warranties make little or no difference to web surfers; they're just looking for the little lock symbol to light up on their browsers.

Extended Validation certificates

The marketing pitch: Extended Validation SSL Certificates deliver a new level of trust to your website visitors. Starting with Microsoft® Internet Explorer 7, the address bar will turn green confirming your site identity as verified by a Certification Authority (CA) according to the most rigorous industry guidelines established by the CA/Browser Forum.

The reality: They're more expensive and take longer to get. It is not yet clear how much of a difference, if any, they'll make to your web surfers. But they do look impressive when using IE 7.

Certification Authorities

  • Comodo -- Relatively inexpensive; their Instant SSL and higher certs work fine.
  • Geotrust -- Expensive. (previously a DreamHost partner)
  • GoDaddy^ -- Very cheap, and their least expensive option is confirmed to work with DreamHost.
  • Startcom^ -- Free certificates; however, these certificates currently cause your site to display warning messages to visitors using Microsoft Internet Explorer.
  • Thawte -- Expensive
  • Verisign -- Very Expensive. Famous name.

^ Note that with Startcom and GoDaddy, the ssl.key file you'll receive will be password-protected. To make it work with DreamHost, you'll need to decrypt it. The following command, run either in your DreamHost shell or on any local Unix box you have access to, will do it:

openssl rsa -in ssl.key -out ssl.decrypted.key

Paste the decrypted key into the DreamHost panel, and you have a free, working SSL key!

External Link

Transport Layer Security - Wikipedia Reference
