The first step is to request and obtain a Web server certificate from a recognized third-party certificate authority...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
(CA), such as VeriSign or Thawte. You can do so by sending a Certificate Signing Request, or CSR. The entity noted in the certificate has to exactly match the Web server that will handle SSL communications. So if the domain name of this server is secure.yourdomain.com, use that name and not, for example, www.yourdomain.com. Once the CA has completed your request for a server certificate, you will receive it by email or a site download. After you have installed the certificate onto the server, you need to enforce Secure SSL channel communications wherever sensitive or personal data is transmitted across the Internet.
The default port for secure communications, port 443, must be enabled, and your firewall must be configured to allow traffic on this port. Next, if using Microsoft Internet Information Services (IIS), open the Secure Communications section of the Web site's "Directory Security" tab. Select "Require Secure Channel (SSL)" and specify 128-bit encryption, since 40-bit or 56-bit strength is no longer deemed sufficiently secure. Now when your clients try to connect to your Web server by using the standard http:// protocol, they will receive an HTTP 403.4 error message saying that the page must be viewed over a secure channel and requires the use of HTTPS in the address.
Don't make the mistake of displaying a secure page that has non-secured content, such as images pulled from a different location; this will create a warning message on the user's PC. Also if you have a login form, make sure this is secured as well, along with your Web form pages. If you follow the instructions above, any Web form data that your clients send will be encrypted as it travels between their PCs and your server. It is up to you, however, to then ensure that any data is securely handled once it has been received. Passwords and credit card details, for example, should be encrypted before being stored.
Finally, although you may have taken reasonable steps to secure sensitive data in transit and at rest, your clients' PCs may be infected with spyware or keyloggers. Such malware can capture data before it is encrypted and protected by the SSL connection. It is always good practice to have a link on your site where users can find out about protecting their own PCs and data.
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.