The first step is to request and obtain a Web server certificate from a recognized third-party certificate authority...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
(CA), such as VeriSign or Thawte. You can do so by sending a Certificate Signing Request, or CSR. The entity noted in the certificate has to exactly match the Web server that will handle SSL communications. So if the domain name of this server is secure.yourdomain.com, use that name and not, for example, www.yourdomain.com. Once the CA has completed your request for a server certificate, you will receive it by email or a site download. After you have installed the certificate onto the server, you need to enforce Secure SSL channel communications wherever sensitive or personal data is transmitted across the Internet.
The default port for secure communications, port 443, must be enabled, and your firewall must be configured to allow traffic on this port. Next, if using Microsoft Internet Information Services (IIS), open the Secure Communications section of the Web site's "Directory Security" tab. Select "Require Secure Channel (SSL)" and specify 128-bit encryption, since 40-bit or 56-bit strength is no longer deemed sufficiently secure. Now when your clients try to connect to your Web server by using the standard http:// protocol, they will receive an HTTP 403.4 error message saying that the page must be viewed over a secure channel and requires the use of HTTPS in the address.
Don't make the mistake of displaying a secure page that has non-secured content, such as images pulled from a different location; this will create a warning message on the user's PC. Also if you have a login form, make sure this is secured as well, along with your Web form pages. If you follow the instructions above, any Web form data that your clients send will be encrypted as it travels between their PCs and your server. It is up to you, however, to then ensure that any data is securely handled once it has been received. Passwords and credit card details, for example, should be encrypted before being stored.
Finally, although you may have taken reasonable steps to secure sensitive data in transit and at rest, your clients' PCs may be infected with spyware or keyloggers. Such malware can capture data before it is encrypted and protected by the SSL connection. It is always good practice to have a link on your site where users can find out about protecting their own PCs and data.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.