Manage Learn to apply best practices and optimize your operations.

How to ensure that an SSL connection protects sensitive Web data

In this expert Q&A, application security pro Michael Cobb explains how to secure sensitive Web site data that is sent across the Internet.

How do we know that Secure SSL is used and personal information is safe when our clients complete our Web site form?
There are several necessary steps to ensure that sensitive data sent across the Internet via a Web form remains private and confidential.

The first step is to request and obtain a Web server certificate from a recognized third-party certificate authority (CA), such as VeriSign or Thawte. You can do so by sending a Certificate Signing Request, or CSR. The entity noted in the certificate has to exactly match the Web server that will handle SSL communications. So if the domain name of this server is, use that name and not, for example, Once the CA has completed your request for a server certificate, you will receive it by email or a site download. After you have installed the certificate onto the server, you need to enforce Secure SSL channel communications wherever sensitive or personal data is transmitted across the Internet.

The default port for secure communications, port 443, must be enabled, and your firewall must be configured to allow traffic on this port. Next, if using Microsoft Internet Information Services (IIS), open the Secure Communications section of the Web site's "Directory Security" tab. Select "Require Secure Channel (SSL)" and specify 128-bit encryption, since 40-bit or 56-bit strength is no longer deemed sufficiently secure. Now when your clients try to connect to your Web server by using the standard http:// protocol, they will receive an HTTP 403.4 error message saying that the page must be viewed over a secure channel and requires the use of HTTPS in the address.

Don't make the mistake of displaying a secure page that has non-secured content, such as images pulled from a different location; this will create a warning message on the user's PC. Also if you have a login form, make sure this is secured as well, along with your Web form pages. If you follow the instructions above, any Web form data that your clients send will be encrypted as it travels between their PCs and your server. It is up to you, however, to then ensure that any data is securely handled once it has been received. Passwords and credit card details, for example, should be encrypted before being stored.

Finally, although you may have taken reasonable steps to secure sensitive data in transit and at rest, your clients' PCs may be infected with spyware or keyloggers. Such malware can capture data before it is encrypted and protected by the SSL connection. It is always good practice to have a link on your site where users can find out about protecting their own PCs and data.

More information:

  • Many choose digital certificates based on cost alone, but what about the expiration period?
  • Need to set up endpoint security on an existing SSL VPN architecture? David Strom takes you through the steps.
  • This was last published in March 2007

    Dig Deeper on IPv6 security and network protocols security