Text version of the video
Slides
All ASP .NET Text Articles
All ASP .NET Slides
In this video we will discuss
1. The advantage of using HTTPS over HTTP protocol
2. How to identify, if the web application i am accessing, use HTTPS protocol
3. How to configure HTTPS instead of HTTP for asp.net web applications
4. What is SSL or Secure Socket Layer and how is it different from HTTPS
5. Who issues server certificates and can’t I generate test certificates
6. What about performance when using HTTPS over HTTP
Advantages of using HTTPS
HTTP stands for Hyper Text Transfer Protocol. HTTPS, stands for Hyper Text Transfer Protocol Secure. As the name suggests, HTTPS is more secure than HTTP. When the web server and the client communicate, using HTTP, protocol, the messages that are exchanged over the internet are not encrypted. Any one can secretly listen and see the messages that are exchanged between the client and the web server. That’s why, any sensitive information like passwords, financial transactions should never be done over HTTP protocol. Most of the banking applications use HTTPS protocol. Messages exchanged between the client and web server, using the HTTPS protocol are encrypted and are very secure. HTTP use port 80 and HTTPS use port 443.
How to identify, if the web application i am accessing, use HTTPS protocol
1. Browser displays a LOCK symbol either in the address or status bar. Click on the lock icon, for more information like, the certificate issuing authority, encryption key length etc.
2. In the address bar look for HTTPS instead of HTTP
How to configure HTTPS instead of HTTP for asp.net web applications
IIS is the web server for asp.net web applications. so the configuration to use HTTPS, is usually done in IIS. The encryption and decryption of messages exchanged between the client and the server is done by server certificates. These server certificates needs to be installed on the IIS server. We will discuss about IIS configuration in a later video session.
What is Secure Socket Layer and how is it different from HTTPS
HTTPS is HTTP (HyperText Transfer Protocol) plus SSL (Secure Socket Layer). SSL standing for Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a web server and a browser, so that the data sent over the Internet can’t be read by others. When a user requests a secure Web page, the server generates an encryption key for the user’s session and then encrypts the page’s data before sending a response. On the client side, the browser uses that same encryption key to decrypt the requested Web page and to encrypt new requests sent from that page. SSL uses server certificates for encryption and decryption. An SSL certificate contains a public key and certificate issuer. Not only can clients use the certificate to communicate with a server, clients can verify that the certificate was cryptographically signed by an official Certificate Authority. For example, if your browser trusts the VeriSign Certificate Authority, and VeriSign signs my SSL certificate, your browser will inherently trust my SSL certificate.
Who issues server certificates and can’t I generate test certificates
Server certificates are issued by an entity called certificate authority. There are several trusted certificate authorities like verisign etc
The certificate authority acts as a clearinghouse to verify the server’s identity over the Internet. When a browser requests a page over https, the browser also, requests the server certificate and checks it against a list of trusted sites provided by the certificate authority. If the server certificate does not match one of the sites already authorized by the user, or if the server certificate does not match the Web address for which it was registered, or if there are any other problems with the server certificate, a warning message is displayed. The warning message from internet explorer is shown below.
Besides providing encryption and decryption for secure data transmission, certificate authority also provides assurance to users that a website is authentic.
It is also possible to generate our own server certificates, using a tool called makecert.exe. This tool comes with visual studio and can be used from visual studio command prompt. The certificates that are generated using this tool, can only be used for testing purposes and not for production use. We will discuss about generating and installing server certificates in our next video session.
