GCN | 07/23/07 issue
Secure that line!
Sidebar | How does SSL work, anyway?
By Greg Crowe
Since its introduction about a decade ago, the Secure Sockets Layer protocol has changed the way we do business via the Internet or, more accurately, it has enabled Internet business to be done at all. Nearly every credit card purchase or secure log-in uses SSL to keep transactions safe from eavesdropping, tampering and forgery.

Although the details can vary depending on the version, SSL uses four basic steps to create a secure connection via the Web.

First, the client shakes hands with the server and requests that the server send its identification. The server returns the requested identification in the form of a digital certificate that contains the server's public encryption key. The client then makes a session key and encrypts a random number using this key, which only the server's private key can decrypt. Finally, the server sends the random number back to ultimately prove its identity, and the secured connection begins.

The crucial element to making this process work is the digital certificate sent as the server's identification to the client. This certificate contains the server name (servername.domain.com is the typical format), the trusted certificate authority that issued it, and the server's public encryption key. If the server name does not match the URL you are browsing, the browser will warn you, allowing you to back out of a potentially insecure connection or continue at your own risk.
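The name check the browser performs, as an added example that is not from the article: it takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns (the sample below is constructed, with placeholder names) and decides whether the host in a URL is one the certificate was issued for, including the leftmost-label-only wildcard rule that browsers apply. A False result is the case where a browser would warn the user.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and issuer are placeholders, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "servername.domain.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "servername.domain.com"), ("DNS", "*.domain.com")),
}


def cert_hostnames(cert):
    """Names the certificate claims: DNS subjectAltName entries, falling back
    to the subject commonName only when no SAN is present (legacy behaviour)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a single '*' is allowed only as the whole
    leftmost label and stands for exactly one label ('*.com' is rejected)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def url_host_matches_cert(url, cert):
    """The browser's check: does the host in the URL match a name the
    certificate was issued for? False means 'warn the user'."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(name_matches(name, host) for name in cert_hostnames(cert))


if __name__ == "__main__":
    for url in ("https://servername.domain.com/login",
                "https://other.domain.com:8443/",
                "https://domain.com/",
                "https://servername.domain.com.evil.example/"):
        verdict = "ok" if url_host_matches_cert(url, SAMPLE_CERT) else "WARN: name mismatch"
        print(f"{url:50} {verdict}")
```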

You can get these certificates only from a trusted certificate authority. It is the authority's responsibility to verify the identity of each certificate applicant in addition to their authority to get a certificate for a certain domain. Through databases such as the Data Universal Numbering System, maintained by Dun and Bradstreet, the authority can verify the existence and location of the applicant's company. The authority also will determine the ownership of the domain in question and ensure that it matches the company information. The certifying authority must take every step to ensure that the certificates it distributes are issued to the people they claim to be.

The latest version, SSL 3.0, is officially superseded by Transport Layer Security Version 1.0, but these two protocols are similar and largely synonymous with each other. In fact, VPN appliance manufacturers and certificate authorities use SSL to refer to either protocol.

For our testing in this roundup, we became verified users of and used certificates provided by Entrust (www.entrust.com).
