The first step is to request and obtain a Web server certificate from a recognized third-party certificate authority...
(CA), such as VeriSign or Thawte. You can do so by sending a Certificate Signing Request, or CSR. The entity noted in the certificate has to exactly match the Web server that will handle SSL communications. So if the domain name of this server is secure.yourdomain.com, use that name and not, for example, www.yourdomain.com. Once the CA has completed your request for a server certificate, you will receive it by email or a site download. After you have installed the certificate onto the server, you need to enforce Secure SSL channel communications wherever sensitive or personal data is transmitted across the Internet.
The default port for secure communications, port 443, must be enabled, and your firewall must be configured to allow traffic on this port. Next, if using Microsoft Internet Information Services (IIS), open the Secure Communications section of the Web site's "Directory Security" tab. Select "Require Secure Channel (SSL)" and specify 128-bit encryption, since 40-bit or 56-bit strength is no longer deemed sufficiently secure. Now when your clients try to connect to your Web server by using the standard http:// protocol, they will receive an HTTP 403.4 error message saying that the page must be viewed over a secure channel and requires the use of HTTPS in the address.
Don't make the mistake of displaying a secure page that has non-secured content, such as images pulled from a different location; this will create a warning message on the user's PC. Also if you have a login form, make sure this is secured as well, along with your Web form pages. If you follow the instructions above, any Web form data that your clients send will be encrypted as it travels between their PCs and your server. It is up to you, however, to then ensure that any data is securely handled once it has been received. Passwords and credit card details, for example, should be encrypted before being stored.
Finally, although you may have taken reasonable steps to secure sensitive data in transit and at rest, your clients' PCs may be infected with spyware or keyloggers. Such malware can capture data before it is encrypted and protected by the SSL connection. It is always good practice to have a link on your site where users can find out about protecting their own PCs and data.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.