The Internet Encyclopedia (Volume 3)

STATUS OF SSL (p. 271)

Table 2  Web Servers that Support the SSL Protocol

Package                                  Creator                       Obtain From
OpenSSL                                  OpenSSL Development Team      http://www.openssl.org
Apache mod_ssl (requires OpenSSL)        Apache Software Foundation    http://www.apache.org
Microsoft IIS                            Microsoft Corporation         Bundled with WINNT, WIN2000 and WINXP
Netscape Enterprise and SuiteSpot        Netscape Communications       http://www.netscape.com
Covalent SSL (SSL Accelerator)           Covalent Technologies, Inc.   http://www.covalent.net
Apache Stronghold (commercial Apache)    C2Net                         http://www.c2.net

The Web browsers Netscape Navigator and Microsoft Internet Explorer support SSL and TLS. These browsers allow the user to configure how SSL and/or TLS will be used. In Netscape Navigator 6.0 the user may consult the Security Preferences panel and open the SSL option under the Privacy and Security selection. In Internet Explorer the user may consult the Security entry in the Advanced tab of the Internet Options selection in the drop-down menu for Tools. An interesting option in both browsers is the choice of whether or not to save the downloaded page to the local cache. The downloaded page is no longer encrypted, and if it is saved to local storage it will be in plaintext. If the local machine is compromised or stolen (e.g., a laptop), that document is then readable by anyone with access to the machine.
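The caching risk just described can be reduced on the server side by telling the browser not to store the decrypted page at all. The following Python script is an added illustration, not code from the encyclopedia or from any product in Table 2: it parses constructed HTTP response headers and reports whether each response carries the Cache-Control no-store directive, which is the only directive that prohibits writing the page to local storage.

```python
"""Check whether pages served over SSL/TLS forbid local caching.

Added example: the HTTP responses below are constructed for illustration.
Only the "no-store" Cache-Control directive tells a browser not to write
the decrypted page to disk; "no-cache" merely forces revalidation, and
"Pragma: no-cache" is an HTTP/1.0 request directive with no defined
meaning in a response.
"""

SAMPLE_RESPONSES = {
    # Constructed sample: statement page that correctly forbids storage.
    "account_statement": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\n"
        "\r\n"
        "<html>...balance...</html>"
    ),
    # Constructed sample: relies on no-cache and Pragma only; the page
    # can still be written to the browser cache in plaintext.
    "checkout_no_cache_only": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-cache\r\n"
        "Pragma: no-cache\r\n"
        "\r\n"
        "<html>...card form...</html>"
    ),
    # Constructed sample: explicitly allows caching for ten minutes.
    "checkout_private": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: private, max-age=600\r\n"
        "\r\n"
        "<html>...card form...</html>"
    ),
}


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased field name. Repeated fields are joined with commas, which
    is how HTTP defines list-valued fields such as Cache-Control."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: dict = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def cache_control_directives(headers: dict) -> set:
    """Return the directive names (without arguments) of Cache-Control."""
    value = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def forbids_local_caching(headers: dict) -> bool:
    """True only when the response carries Cache-Control: no-store."""
    return "no-store" in cache_control_directives(headers)


def audit_responses(responses: dict) -> dict:
    """Map each response name to whether it forbids local caching."""
    return {name: forbids_local_caching(parse_response_headers(raw))
            for name, raw in responses.items()}


if __name__ == "__main__":
    for name, ok in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{name}: {'no-store present' if ok else 'page may be cached in plaintext'}")
```

The second sample is the common mistake: no-cache and Pragma look protective but leave the browser free to write the decrypted page to disk, which is exactly the exposure the text warns about for a stolen laptop.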
When a secure channel has been established these browsers inform the user by means of a small padlock icon at the bottom of the browser window. This indicates that the page was downloaded using SSL or TLS. The URL of the Web page indicates whether SSL is required on the part of the Web browser: a URL that begins with HTTPS indicates that SSL should be used by the browser.

A number of Web servers support SSL and TLS. A sample of such programs is displayed in Table 2.

The details of what is required to install and set up an SSL/TLS Web server can be found in a number of places. For a detailed overview the reader is directed to Garfinkel & Spafford (2002) and Stein (1998). For a technical discussion of what is required the reader should consult Rescorla (2001).

Advantages and Disadvantages of and Alternatives to SSL/TLS
SSL and TLS provide server authentication, encryption of
messages, and message integrity. Their design has several
advantages, disadvantages, and alternatives.

Advantages
An important advantage of both SSL and TLS is that they provide a generic solution to establishing and using a secure channel. This solution lies between the Application layer and the TCP layer of the TCP/IP protocol suite. This implies that any protocol that can be carried over TCP (e.g., FTP, NNTP) can be secured using SSL or TLS.

Another advantage is that the design of SSL and TLS is publicly available. Because of this, a large number of SSL and TLS implementations are available, both as freeware and as commercial products. Further, these implementations are designed as APIs that resemble networking APIs: in a C/C++-based implementation the SSL APIs emulate Berkeley sockets, and in Java they emulate the Java socket class. As a result it is a simple matter to convert a nonsecure application into a secure application using SSL or TLS.
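The point that the secure API mirrors the socket API is easiest to see side by side. The following Python example, added here and not taken from the encyclopedia (it uses Python's standard ssl module rather than the C or Java APIs the text mentions), builds a plain TCP socket and a TLS-wrapped one; the application code that sends and receives is the same for both. The host name shop.example is constructed for illustration and no connection is made.

```python
"""A client written over a plain socket and over an SSL/TLS socket.

Added example using Python's standard ssl module, not code from the
encyclopedia: the secure socket keeps the Berkeley-socket interface
(connect, sendall, recv, close); only the construction step differs.
No connection is made here; the sockets are built and inspected.
"""
import socket
import ssl
from typing import Optional


def make_plain_socket() -> socket.socket:
    """An ordinary TCP socket: everything sent on it travels in plaintext."""
    return socket.socket(socket.AF_INET, socket.SOCK_STREAM)


def make_secure_socket(server_hostname: str, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Wrap a TCP socket for TLS before connecting.

    create_default_context() requires a certificate chain that validates
    against the trust store (cafile, or the system store when None) and
    checks that the certificate matches server_hostname. That is the
    server authentication the text attributes to SSL/TLS; the handshake
    itself runs when connect() is called.
    """
    context = ssl.create_default_context(cafile=cafile)
    return context.wrap_socket(make_plain_socket(), server_hostname=server_hostname)


def fetch_root(sock, host: str, port: int) -> bytes:
    """Application logic that is identical for both socket kinds.

    Pass a plain socket with port 80 or a secure socket with port 443;
    nothing in this function changes when the transport becomes TLS.
    """
    sock.connect((host, port))
    sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    sock.close()
    return b"".join(chunks)


def describe_verification(sock) -> dict:
    """Report how (or whether) a socket authenticates the peer."""
    if not isinstance(sock, ssl.SSLSocket):
        return {"tls": False}
    ctx = sock.context
    return {
        "tls": True,
        "verify_mode": ctx.verify_mode.name,    # CERT_REQUIRED by default
        "check_hostname": ctx.check_hostname,   # True by default
        "server_hostname": sock.server_hostname,
    }


if __name__ == "__main__":
    # Hypothetical host name, constructed for illustration; no connection is made.
    secure = make_secure_socket("shop.example")
    print(describe_verification(secure))
    secure.close()
```

The conversion the text describes is the one-line change from make_plain_socket() to make_secure_socket(); what turns that change into actual server authentication is leaving the default context's certificate and host-name verification switched on, which describe_verification makes visible.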

Disadvantages
In e-commerce the application of SSL and TLS has several disadvantages. Both protocols are able to solve the problem of transmitting a credit card number securely, but they are not designed to help with other aspects of that type of transaction. In particular, they are not designed to verify the credit card number, communicate with and request authorization for the transaction from the consumer's bank, and ultimately process the transaction. In addition, they are not designed to carry out additional credit card services (e.g., refunds, back order processing, debit card transactions).

An additional disadvantage of SSL/TLS is the security of credit card information on the server. In particular, if the credit card number is cached on the server it will be stored in plaintext. If the server were compromised, that number would become available in plaintext.

Finally, SSL/TLS is not a global solution. In the U.S., systems that use strong encryption cannot be exported.
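The server-side exposure just described is a matter of what the application does after TLS has decrypted the request. The following Python helper is an added example, not anything from the encyclopedia: it finds Luhn-valid card numbers in constructed transaction records and masks all but the last four digits before the record is written to a cache, log or database, so that a compromised server yields no usable number. The sample record and its values are constructed.

```python
"""Mask card numbers before anything is written to server-side storage.

Added example, not from the encyclopedia. SSL/TLS protects the number
only in transit; once decrypted it is plaintext to the application, so
the application must avoid persisting it. The records below are
constructed for illustration.
"""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn check used by payment card numbers; filters out order ids and
    other digit runs that merely look like a card number."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep only the last four digits, which is enough for receipts and
    customer support without revealing the account number."""
    digits = re.sub(r"\D", "", candidate)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its mask."""
    return CANDIDATE_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        text)


def record_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to cache or log:
    the dedicated card field is masked and free-text fields are scrubbed."""
    safe = {}
    for key, value in record.items():
        if key == "card_number":
            safe[key] = mask_pan(value)
        elif isinstance(value, str):
            safe[key] = scrub(value)
        else:
            safe[key] = value
    return safe


# Constructed sample record; 4111 1111 1111 1111 is a well-known test number
# and the order id is a digit run that fails the Luhn check.
SAMPLE_RECORD = {
    "order_id": "1234567890123456",
    "card_number": "4111 1111 1111 1111",
    "amount": 12.50,
    "note": "customer re-entered card 4111-1111-1111-1111 after timeout",
}

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_RECORD))
```

The scrub of free-text fields matters as much as the dedicated field: support notes and debug logs are where full numbers most often end up cached in plaintext, and the Luhn filter keeps the masking from mangling order ids that happen to be the same length.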

Alternatives to SSL/TLS
In the area of e-commerce an alternative to SSL that does not have the disadvantages cited above is SET (Secure Electronic Transaction). SET is a cryptographic protocol developed by Visa, Mastercard, Netscape, and Microsoft. It is used for credit card transactions on the Web. It provides

Authentication: all parties to a transaction are identified;
Confidentiality: a transaction is encrypted to foil eavesdroppers;
Message integrity: it is not possible to alter an account number or transaction amount; and
Linkage: attachments can only be read by a third party if necessary.