The Web isn’t a secure environment. The open nature of the networking and web protocols—TCP, IP, and HTTP—has allowed the development of many tools that can listen in on data transmitted between browsers and web servers. It is easy to snoop on passing traffic and read the contents of HTTP requests and responses. With a little extra effort, a hacker can manipulate traffic and even masquerade as another user.
If an application transmits sensitive information over the Web, an encrypted connection should be provided between the browser and the web server. The information that would warrant an encrypted connection includes:
Sensitive information held on the server; e.g., commercial-in-confidence documents and bank account balances
User credentials—usernames and passwords—used to gain access to sensitive services such as online banking or the administration of the winestore
Personal details collected from the user, such as credit card numbers
Session IDs—used by the server to link HTTP requests to session variables
In this section we focus on the common method of encrypting data sent over the Web using the Secure Sockets Layer. We discuss the basic mechanics of SSL in this section, and provide an installation and configuration guide for SSL and Apache as part of Appendix A.
This section isn’t designed to cover the enormous topic of encryption. We limit our brief discussion to the features of SSL, and how SSL can protect web traffic. More details about cryptographic ...