HTTPS anywhere and why it is needed
by Rich Buehrle
HTTPS anywhere and why it is needed
HTTPS is quickly becoming one of the most sought after security options for users who process transactions over the internet as well as being used in the transmission of sensitive material such as tax information that includes personal information. HTTPS stands for Hypertext Transfer Protocol Secure and follows many of the same rules that HTTP does but adds encryption and secure identification to the mix. The idea behind HTTPS is to create a secure line of communication in an insecure network setting. This creates great protection from attacks such as man in the middle or eavesdropping.
The whole HTTPS idea is based on the idea that the site you are visiting has a certificate stating that they are a secure site and transmissions via that site are encrypted and secure. The certificate validates only if all of the following specifications are met.
1. The user trusts that their browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
2. The user trusts the certificate authority to vouch only for legitimate websites without misleading names.
3. The website provides a valid certificate, which means it was signed by a trusted authority.
4. The certificate correctly identifies the website
5. Either the intervening hops on the Internet are trustworthy, or the user trusts the protocol's encryption layer (TLS or SSL) is unbreakable by an eavesdropper.
If all of these are met then you have a successful connection that is secure and encrypts the information the user is submitting. This encryption happens at a lower sub layer of the OSI model allowing the information to be secured and encrypted before it is sent and then decrypting the message after it has been received. HTTPS can be added to any website and is recommended for any site that is passing sensitive information or processing online transactions. Below are instructions on how to secure a website or folder with HTTPS.
Configure Folder or Web Site to Use SSL/HTTPS
This procedure assumes that your site has already has a certificate assigned to it.
- Log on to the Web server computer as an administrator.
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double click Internet Services Manager.
- Select the Web site from the list of different served sites in the left pane.
- Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
- Click the Directory Security tab.
- Click Edit.
- Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
- Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
- To allow users to connect without supplying their own certificate, click Ignore client certificates. Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
To configure client mapping, click Enable client certificate mapping, and then clickEdit to map client certificates to users.
If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user (a list of certificates is matched against a specific user according to specific rules. The first valid match becomes the mapping).
- Click OK.
Microsoft, M. (2006, November 21). How to set up an https service in iis. Retrieved from http://support.microsoft.com/kb/324069
about the author
More about Rich Buehrle:
Rich is a founding member of Security Mecca. Rich is an E Biz D major with focus on Business Analysis and graduates in December 2011.
questions or comments?
If you have any questions or comments about this article, feel free to contact us!