Transport Layer Security

From DreamHost
Revision as of 05:20, 18 December 2007 by Mousee (Talk | contribs)

Jump to: navigation, search

SSL / TLS

Background

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.

Creating an SSL Website on DreamHost

Why?

The normal HTTP protocol transmits information across the internet in the clear. Anyone who has access to any of the networks between the client browser and your DH server can easily peek at the data and see everything. To guard against this, use the SSL/TLS protocol instead. When using the secure protocol, your web site address will start with https:// instead of http://.

Why not?

At DreamHost, the encryption and decryption of the data is done in software, not hardware. It is slow, so you should only encrypt the parts of your web site that really need it. For example, pages that collect or show credit card numbers or other very personal information. The best way to guard important information is to not have it. So do not collect secret information unless you must.

How to do it

  1. Decide which website will be secure. You can secure your main website (eg company.com) or a sub-domain such as secure.company.com. Most SSL certificates are sold on a per-domain basis, so you'll want to decide on a secure sub-domain and stick with it.
  2. If you'll be using secure.company.com, create the new sub-domain using the DH Panel Section Domains / Manage Domains / Add new Domain / Sub-Domain. You will only be using one address, so don't make both secure.company.com and www.secure.company.com valid. Note: You'll need DH to fully host the new sub-domain, forwarding won't work.
  3. Get a fixed IP address. HTTPS requires a fixed IP address. After your sub-domain has been created, use the Add IP link underneath your sub-domain's name on the DH panel: Domains / Manage Domains
  4. Submit your certificate request to a certification authority. Use the link Edit in the column Secure Hosting on the DH Panel page Domains / Manage Domains You can use any certificate authority, a list is below.
  5. After you receive your certificate from your certification authority, install it using the same screen as the previous step
  6. You will also receive an "intermediate certificate". Upload this to your home directory by FTP, and then contact support to ask them to install this intermediate certificate.
  7. Test: test out your new secure site by using the address https://company.com. Use https://secure.company.com if you selected the sub domain option. You should see your domain's data and your browser's HTTPS indicator (a lock or similar) should light up. You should not get any pop-up messages about certificates, etc.

Problem solving

  • If your secure site doesn't show any data, make sure that it works properly using the regular protocol: browse to http://company.com and you should see your web site in its full glory. (But without the security indicator from your browser.)
  • If you get a security pop-up message about your secure site, you may not have the certificate installed correctly or the certificate may be for a different site. Remember that a certificate for company.com will usually not work for www.company.com. Ask your certificate authority and DH for help.
  • If you get a pop-up that some elements on the page are secure and others are not secure: the problem is that a page on your secure site https://company.com includes items on the page (such as images, CSS files or JavaScript files) from non-secure websites. You need to make sure that everything on the page is from a secure site. Your images need to be on your secure site (or someone else's). Image URLs should either start with https:// or start with a relative URL (eg foo.gif, images/woof.jpg, etc).

Transport selection

Your pages won't be encrypted if your web site visitor surfed to company.com since the default transport for browsers is http, not https. To solve this, you have multiple options: Easiest is to not advertise the secure version of company.com directly. Instead, people should visit www.company.com, then use links to visit specific pages on the secure site as needed. Your links should send people to "https://company.com/whatever" don't use a link of "http://company.com/whatever"

You can write software to re-direct people from http://company.com/whatever to https://company.com/whatever

Or both

Security is deeper than the HTTPS protocol

Remember that the HTTPS protocol is only a very small part of creating a secure web site. Your web site implementation, especially database web sites, must be securely written and tested.

Certification Authorities

Introduction

Any of the following vendors can be used. Differing amounts of warranties make little or no difference to web surfers, they're just looking for the little lock symbol to light up on their browsers.

Extended Validation certificates

The marketing pitch: Extended Validation SSL Certificates deliver a new level of trust to your website visitors. Starting with Microsoft® Internet Explorer 7, the address bar will turn green confirming your site identity as verified by a Certification Authority (CA) according to the most rigorous industry guidelines established by the CA/Browser Forum.

The reality: They're more expensive and take longer to get. Not yet clear how much of a difference, if any, they'll make to your web surfers. But they do look impressive when using IE 7.

Certification Authorities

  • Comodo --Relatively inexpensive, their Instant SSL and higher certs work fine
  • Geotrust -- Expensive, recommended by Dream Host
  • GoDaddy^ -- Very cheap, and their least expensive option is confirmed to work with Dreamhost.
  • Startcom^ -- Free certificates, however these certificates currently cause your site to display warning messages to visitors using Microsoft Internet Explorer.
  • Thawte -- Expensive
  • Verisign -- Very Expensive. Famous name.

^ Note that with Startcom and Godaddy, the SSL.key file you'll receive will be password-protected. To make it work with DreamHost, you'll need to decrypt it. The following command, either in your DreamHost shell, or any local Unix box you have access to, will do it.

openssl rsa -in ssl.key -out ssl.decrypted.key

Paste the decrypted key into the DreamHost panel, and you have a free, working SSL key!

External Links

Layer Security - Wikipedia Reference