Secure Server Certificates

by: AY Software Corporation

A Secure Server is a must for anyone who has an online business. Why do you need a Secure Server? What is a Secure Server and how does it work? How do you get a Secure Server working? Do you need special technical knowledge to operate a Secure Server? How much does a Secure Server cost? Hopefully, this article will answer all of these questions.

How Does a Secure Server Work?

All information on the Internet is transferred through open channels. For example, if you are in the US and browse a site in Australia, the information goes through many servers located all over the world. Anyone who has access to any of these servers can steal the information. But what if you want to transfer information that must not be observed by other parties? Your only solution is to encrypt (scramble) the information in such a way that no one else can understand what is there. Secure Servers encrypt the information you transmit through the Internet.

A Secure Server is a Web Server application that ensures secure information transfer between a Web Server and a Web Browser. The encryption is done with a protocol called SSL (Secure Sockets Layer). When you connect to a Secure Server with your Browser, the Server and the Browser use Secure Sockets Layer to tell each other how to encrypt the information. Then they can securely exchange the information. For example, you can send credit card information to a Secure Server, and no one will know what kind of information you sent.

So, the first task that a Secure Server does for you is to encrypt your information. However, a Secure Server does much more. The most important task a Secure Server performs is to identify itself to the browser. It identifies itself by presenting a digital certificate to browsers that request a secure connection. The certificate works for a secure server the same way as a driver's license works for you, except that it is much more difficult to fake.

Certificates are issued by Certification Authorities. Very few companies in the world can issue certificates. Actually, certificates are generated by the Web server software, but they will not work until a certification authority signs the certificate. The authority does so with a digital signature, which works the same way as a handwritten signature. Before signing the certificate, the certification authority makes sure that the organization that submitted the signing request is the Secure Server’s owner. The certification authority receives a fee for this job.

Any security-enabled web browser has sample signatures from all of the Certification Authorities. When a browser connects to a Secure Server, it verifies that the signature on the Secure Server Certificate belongs to one of the Certification Authorities. If this fails, then a secure connection cannot be established.
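The signing and checking steps described above, as an added example that is not part of the original article. It uses textbook RSA with no padding, and the keys, the CA names and the certificate field string are constructed for the demonstration; real certificates use X.509 encoding and randomly generated keys.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_ca_key(p, q):
    """Toy RSA key from two primes: returns (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert_fields, n):
    """SHA-256 of the certificate fields, as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(cert_fields.encode()).digest(), "big") % n

def ca_sign(cert_fields, n, d):
    """The certification authority's step: sign the submitted request."""
    return pow(digest(cert_fields, n), d, n)

def browser_accepts(cert_fields, issuer, signature, trusted_cas):
    """The browser's step: find the issuer among its built-in CA keys and
    check that the signature was made over exactly these fields."""
    n = trusted_cas.get(issuer)
    if n is None:
        return False  # issuer is not one of the authorities the browser knows
    return pow(signature, E, n) == digest(cert_fields, n)

# Constructed demo keys built from well-known Mersenne primes: no real security.
KNOWN_N, KNOWN_D = make_ca_key(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_D = make_ca_key(2**127 - 1, 2**89 - 1)
TRUSTED_CAS = {"Demo Trusted CA": KNOWN_N}  # what ships inside the browser

REQUEST = "CN=www.your-isp.com;O=Your ISP"  # generated by the web server software
GOOD_SIG = ca_sign(REQUEST, KNOWN_N, KNOWN_D)
OTHER_SIG = ca_sign(REQUEST, OTHER_N, OTHER_D)  # signed by an unlisted party

def demo():
    """Run the four cases and return whether the browser accepts each one."""
    altered = REQUEST.replace("your-isp", "your-company")
    return {
        "signed by trusted CA": browser_accepts(REQUEST, "Demo Trusted CA", GOOD_SIG, TRUSTED_CAS),
        "fields altered after signing": browser_accepts(altered, "Demo Trusted CA", GOOD_SIG, TRUSTED_CAS),
        "issuer not in browser list": browser_accepts(REQUEST, "Unlisted CA", OTHER_SIG, TRUSTED_CAS),
        "trusted name, wrong key": browser_accepts(REQUEST, "Demo Trusted CA", OTHER_SIG, TRUSTED_CAS),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted; the other three are the failures after which a secure connection cannot be established.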

All of the above happens absolutely transparently for the person browsing the site. Their browser just tells them that the secure connection was established and then shows the page. The most important thing from an Internet merchant’s perspective is that this gives your customers more confidence and convinces them that their order information will be transferred to you safely and securely.

What Do You Need?

To run your own secure server you need two things – Secure Server software and a Secure Server certificate.

You do not need the Secure Server software unless you have your own Internet server. Most Internet Service Providers (ISPs) have all the necessary software that you need, and since it costs them nothing, they will usually provide it to you.

You may also need your own Secure Server certificate; however, before you request an expensive certificate from a Certification Authority, first see if you can reuse somebody else’s certificate. Chances are your ISP already has a Secure Server certificate. If so, you can use their certificate. If your ISP does not have a certificate, you can find other ISPs that will handle your secure pages. Your secure pages do not have to be hosted with the same ISP as your main site.

If you use your own domain, then your ISP’s certificate will not work for you. If you have a domain of www.your-company.com and host it with an ISP whose domain is www.your-isp.com, then you can still host your order form as https://www.your-company.com/order.html. However, since the certificate was issued for www.your-isp.com, your customers will get a warning message every time they access the page. For example, in Netscape Navigator the message will look like:

The certificate that site ‘www.your-company.com’ has presented does not contain the correct site name. It is possible, though unlikely, that someone may be trying intercept your communication with this site. If you suspect the certificate shown below does not belong to the site you are connecting with, please cancel the connection and notify the site administrator.

This can easily turn away potential customers. You can use your ISP’s domain and have the order page as http://www.your-isp.com/~your-company/order.html.
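The site-name comparison behind that warning, as an added example that is not part of the original article. The certificate dictionaries are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the function names are hypothetical; the wildcard case goes beyond what the article covers.

```python
def names_in_cert(cert):
    """DNS names the certificate was issued for: subjectAltName entries when
    present, otherwise the subject commonName (the older convention)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive, label-by-label comparison. A '*' is honoured only as
    the entire leftmost label and only when at least two labels follow it."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def site_name_ok(cert, url_host):
    """True when the host typed in the URL is one the certificate names."""
    return any(name_matches(name, url_host) for name in names_in_cert(cert))

# Constructed sample certificates.
ISP_CERT = {"subject": ((("commonName", "www.your-isp.com"),),)}
OWN_CERT = {"subject": ((("commonName", "www.your-company.com"),),),
            "subjectAltName": (("DNS", "www.your-company.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.your-isp.com"),)}

def demo():
    """Each entry: (certificate presented, host in the URL) and the verdict."""
    return {
        "ISP cert, company URL": site_name_ok(ISP_CERT, "www.your-company.com"),
        "ISP cert, ISP URL": site_name_ok(ISP_CERT, "WWW.Your-ISP.com"),
        "own cert, company URL": site_name_ok(OWN_CERT, "www.your-company.com"),
        "wildcard, one label": site_name_ok(WILDCARD_CERT, "shop.your-isp.com"),
        "wildcard, bare domain": site_name_ok(WILDCARD_CERT, "your-isp.com"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'WARNING: site name mismatch'}")
```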

If you think that your own domain will work better for you (and I believe this is true), you can request your own certificate. There are currently two Certificate Authorities that you can use.

  • EquiFax – Secure certificates for $99 per year
  • VeriSign – Secure Server Certificates for $349 per year
  • Thawte – Secure Server Certificates for $125 per year