Ssl Https Server
- 1. Secure Socket Layer (SSL) and Apache Tomcat (Web/Application Server) 2008/July/17 Multimedia Division
- 2. Agenda What is SSL Secure Socket Layer (SSL) The SSL Protocol Why SSL What SSL Provides SSL and Authentication SSL and Web-tier Security What is a Certificate? What is Server Certificate? Why Server Certificate is Needed? Verify/Demo SSL Support on Test server Commercial for Certificate SSL Drawbacks What is next References
- 3. What is SSL SSL stands for Secure Socket Layer. Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection
- 4. Secure Socket Layer (SSL) Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. Responsible for the emergence of e-commerce, other security sensitive services on the web
- 5. The SSL Protocol The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP
- 6. Why SSL SSL addresses the following important security considerations. Authentication : During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. Confidentiality : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential. Integrity : When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
- 7. What SSL Provides Confidentiality (Privacy) Data integrity (Tamper-proofing) Server authentication (Proving a server is what it claims it is) Optional client authentication - Would be required in B2B/B2C (or Web services environment in which program talks to program
- 8. SSL and Authentication Server Authentication : Server needs to provide its own certificate to a client in order to authenticate itself to the client. A Web server typically has a CA-signed certificate and it provides to its clients. Client Authentication : Client needs to provide its own certificate to a server in order to authenticate itself to the server. Mutual Authentication
- 9. SSL and Web-tier Security Encrypted password move from the browser to the web server Encrypted data move between the browser and the web server Server authentication – Done before encrypted data transfer occurs Client Authentication – Not used in most cases
- 10. What is a Certificate? A certificate is a digitally-signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. So in a sense, it is like digital version of your ID card such as driver's license.
- 11. What is a Certificate (Ctd..) A certificate is cryptographically signed and is practically impossible for anyone else to forge A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign
- 12. What is a Certificate (Ctd..) A certificate can be self-signed when authentication over the internet is not really a concern for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, that is only data privacy and integrity are important
- 13. What is Server Certificate? A server certificate is a container that contains server's public key and other miscellaneous information Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections. This provides some kind of reasonable assurance that its owner is who you think it is
- 14. Why Server Certificate is Needed? Server Certificate enables Server Authentication Server sends server certificate as part of SSL key handshake HTTPS service of Tomcat would not work unless a server certificate is installed Verifies the server's identity to the client, before receiving any sensitive information
- 19. Commercial for Certificate Budget Required (Tentative figure by Vendors) http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html $ 1499/Year Verisign 1 Remarks Budget Required Name of the Vendors Sr. No.
- 20. SSL Drawbacks The problems associated with SSL are It prevents caching. Using SSL imposes greater overheads on the server and the client. Some firewalls and/or web proxies may not allow SSL traffic. There is a financial cost associated with gaining a Certificate for the server/subject device
- 21. What is next Sign a CR Send to YMC as a sample Make Skill Matrix Make Training Schedule