Secure Web Services
Continued from Digital Certificates

Both Web servers and browsers use certificates. The browser presents client certificates to Web servers to authenticate users, a more secure mechanism than the traditional user/password methods, because it typically requires the client both to have a certificate and to enter the password protecting the private key when requested. Not only does this make impersonating other users more difficult, it can also limit clients to specific machines on which the certificates are installed. Once Microsoft Internet Information Server (IIS) 4.0 authenticates a visitor using a certificate, the server can map the client certificate to a specific Windows NT user account using IIS's Certificate Mapping facility. IIS also allows script code in ASP to read the contents of the presented certificate and take specific actions. The MSDN article mentioned above describes this process in greater detail.

That takes care of authenticating the client, but what about the Web server? Two related issues--authenticating servers and enabling secure communications between browsers and servers--can be addressed by server certificates. Authenticating a server prevents malicious parties from impersonating--or spoofing--another site. And once a Web server has a certificate, it can be used with Secure Sockets Layer 3.0 (SSL) for secure communications. If you've ever used an HTTPS (the S stands for secure) connection to a Web server to transmit sensitive information such as credit card data, you've used SSL 3.0. Servers can also be configured to require an HTTPS connection (using HTTP results in the HTTP message "Error 403.4 Forbidden: SSL required") and, optionally, to require user certificates.

Web server security doesn't come for free, however. First, the cost of a commercial certificate can range from $400 on up depending on how you use it.
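As an added example (not code from the article, from IIS or from CertSrv), the following Python models the server-side decision sequence described above: refuse plain HTTP where SSL is required, handle a missing user certificate according to policy, accept only a certificate from a trusted issuer that is valid at request time, and then map it to a Windows NT account either one-to-one (exact subject) or many-to-one (any certificate from a given CA), in the spirit of IIS Certificate Mapping. It assumes the SSL layer has already verified the certificate's signature; the CA names, subjects and accounts are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """Fields a server reads from an already-verified client certificate."""
    subject_cn: str
    issuer: str
    valid_from: datetime
    valid_until: datetime


# Constructed names: an enterprise CA (as CertSrv might run) and NT accounts.
TRUSTED_ISSUERS = {"CN=Example Corp CA"}
ONE_TO_ONE = {("CN=Example Corp CA", "Alice Smith"): r"EXAMPLE\asmith"}
MANY_TO_ONE = {"CN=Example Corp CA": r"EXAMPLE\CertUsers"}  # any other cert from that CA


def authorize(https: bool, cert: Optional[ClientCert], now: datetime,
              require_cert: bool = True) -> Tuple[int, str, Optional[str]]:
    """Decide one request: returns (HTTP status, reason, mapped account or None)."""
    if not https:
        return 403, "ssl_required", None      # IIS reports "403.4 Forbidden: SSL required"
    if cert is None:
        if require_cert:
            return 403, "client_cert_required", None
        return 200, "anonymous", None         # SSL on, but no user certificate demanded
    if cert.issuer not in TRUSTED_ISSUERS:
        return 403, "untrusted_issuer", None  # issued by a CA the server does not trust
    if not (cert.valid_from <= now <= cert.valid_until):
        return 403, "not_valid_now", None     # expired or not yet valid
    account = ONE_TO_ONE.get((cert.issuer, cert.subject_cn)) or MANY_TO_ONE.get(cert.issuer)
    if account is None:
        return 403, "unmapped", None          # valid certificate, but no account mapping
    return 200, "mapped", account


# Constructed sample certificates and a fixed "current time" for the demo.
NOW = datetime(1999, 4, 20)
ALICE = ClientCert("Alice Smith", "CN=Example Corp CA", datetime(1999, 1, 1), datetime(2000, 1, 1))
BOB = ClientCert("Bob Jones", "CN=Example Corp CA", datetime(1999, 1, 1), datetime(2000, 1, 1))
EXPIRED = ClientCert("Alice Smith", "CN=Example Corp CA", datetime(1998, 1, 1), datetime(1999, 1, 1))
OUTSIDER = ClientCert("Alice Smith", "CN=Some Other CA", datetime(1999, 1, 1), datetime(2000, 1, 1))

if __name__ == "__main__":
    for label, https, cert in [("http", False, ALICE), ("no cert", True, None),
                               ("alice", True, ALICE), ("bob", True, BOB),
                               ("expired", True, EXPIRED), ("outsider", True, OUTSIDER)]:
        print(f"{label:8} -> {authorize(https, cert, NOW)}")
```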
Also, data encryption can be extremely processor intensive (the recent introduction of hardware-acceleration extensions for offloading processing can be particularly useful for SSL). Though it does not address the processing issue, CertSrv 1.0 can generate Web server certificates. The same MSDN article also describes in detail the process of configuring an IIS Web site to use a server certificate generated by CertSrv 1.0 for enabling SSL.

Next: Securing E-Mail

Published as PC Tech Feature in the 4/20/99 issue of PC Magazine.
Copyright (c) 1999 Ziff-Davis Inc.