The first step is to request and obtain a Web server certificate from a recognized third-party certificate authority...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
(CA), such as VeriSign or Thawte. You can do so by sending a Certificate Signing Request, or CSR. The entity noted in the certificate has to exactly match the Web server that will handle SSL communications. So if the domain name of this server is secure.yourdomain.com, use that name and not, for example, www.yourdomain.com. Once the CA has completed your request for a server certificate, you will receive it by email or a site download. After you have installed the certificate onto the server, you need to enforce Secure SSL channel communications wherever sensitive or personal data is transmitted across the Internet.
The default port for secure communications, port 443, must be enabled, and your firewall must be configured to allow traffic on this port. Next, if using Microsoft Internet Information Services (IIS), open the Secure Communications section of the Web site's "Directory Security" tab. Select "Require Secure Channel (SSL)" and specify 128-bit encryption, since 40-bit or 56-bit strength is no longer deemed sufficiently secure. Now when your clients try to connect to your Web server by using the standard http:// protocol, they will receive an HTTP 403.4 error message saying that the page must be viewed over a secure channel and requires the use of HTTPS in the address.
Don't make the mistake of displaying a secure page that has non-secured content, such as images pulled from a different location; this will create a warning message on the user's PC. Also if you have a login form, make sure this is secured as well, along with your Web form pages. If you follow the instructions above, any Web form data that your clients send will be encrypted as it travels between their PCs and your server. It is up to you, however, to then ensure that any data is securely handled once it has been received. Passwords and credit card details, for example, should be encrypted before being stored.
Finally, although you may have taken reasonable steps to secure sensitive data in transit and at rest, your clients' PCs may be infected with spyware or keyloggers. Such malware can capture data before it is encrypted and protected by the SSL connection. It is always good practice to have a link on your site where users can find out about protecting their own PCs and data.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.