How to Secure a Web Site
Security is a very important aspect for any developer of ecommerce web sites. To secure a web site, we must make sure that private data sent between the client and the server can't be deciphered. To accomplish that, we use an Internet protocol called SSL (Secure Sockets Layer). It's an important protocol that lets you transmit data over the internet using data encryption.
How Secure Sockets Layer (SSL) connections work:
- SSL is the protocol used by the world wide web that allows clients and servers to communicate over a secure connection.
- With SSL, the browser encrypts all data that's sent to the server and decrypts all data that's received from the server. Conversely, the server encrypts all data that's sent to the browser and decrypts all data that's received from the browser.
- SSL is able to determine if data has been tampered with in transit and to verify that a server or a client is who it claims to be.
- To determine if you're transmitting data over a secure connection, you can read the URL in the browser's address bar. If it starts with HTTPS rather than HTTP, then you're transmitting data over a secure connection, as shown in the following diagram:
![http-ssl.gif]()
![https-ssl02.gif]()
Note
- To test an application that uses SSL, you must run the application under the control of IIS.
- With some browsers, a lock icon is displayed when a secure connection is being used.
 
How digital secure certificates work
- To use SSL to transmit data, the client and the server use digital secure certificates, as shown in the diagram below.
- Digital secure certificates are the electronic counterparts to driver's licenses, passports and membership cards. You can present a digital certificate electronically to prove your identity or your right to access information or services online.
- A digital certificate is issued by a Certification Authority (CA) and signed with the CA's private key.
- Digital secure certificates serve two purposes. First, they establish the identity of the server or client. Second, they provide the information needed to encrypt data before it's transmitted. By default, browsers are configured to accept certificates that come from trusted sources. If a browser doesn't recognize a certificate as coming from a trusted source, however, it informs the user and lets the user view the certificate. Then, the user can determine whether the certificate should be considered valid. If the user chooses to accept the certificate, the secure connection is established. The certificate dialog box for a digital secure certificate is shown in the following figure:
 ![certificate.gif]()
How to determine if a digital secure certificate is installed on your server
If IIS is running on your local machine, chances are that a certificate hasn't been installed. But if IIS is running on a server on a network, you can use the procedure shown in the above figure to determine if a certificate has been installed and to view the certificate.
How to get a digital secure connection
If you want to develop an ASP.NET application that uses SSL to secure client connections, you must first obtain a digital secure certificate from a trusted source such as:
http://www.verisign.com/
http://www.geotrust.com/
http://www.entrust.com/
http://www.thawte.com/
These certification authorities, or CAs, verify that the person or company requesting the certificate is a valid person or company by checking with a registration authority, or RA. To obtain a digital secure certificate, you'll need to provide a registration authority with information about yourself or your company. Once the registration authority approves the request, the certification authority can issue the digital secure certificate.
Resource:
Here are some related resources: