Support us .Net Basics C# SQL ASP.NET ADO.NET MVC Slides C# Programs Subscribe Buy DVD

Secure Socket Layer in asp.net - Part 100

Suggested Videos
Part 97 - Changing password by providing current password
Part 98 - Unlocking the locked user accounts using a web page
Part 99 - Implementing Enable button to unlock user accounts

In this video we will discuss about 
1. The advantage of using HTTPS over HTTP protocol
2. How to identify, if the web application i am accessing, use HTTPS protocol
3. How to configure HTTPS instead of HTTP for asp.net web applications
4. What is SSL or Secure Socket Layer and how is it different from HTTPS
5. Who issues server certificates and can't I generate test certificates
6. What about performance when using HTTPS over HTTP



Advantages of using HTTPS
HTTP stands for Hyper Text Transfer Protocol. HTTPS, stands for Hyper Text Transfer Protocol Secure. As the name suggests, HTTPS is more secure than HTTP. When the web server and the client communicate, using HTTP, protocol, the messages that are exchanged over the internet are not encrypted. Any one can secretly listen and see the messages that are exchanged between the client and the web server. That's why, any sensitive information like passwords, financial transactions should never be done over HTTP protocol. Most of the banking applications use HTTPS protocol. Messages exchanged between the client and web server, using the HTTPS protocol are encrypted and are very secure. HTTP use port 80 and HTTPS use port 443.



How to identify, if the web application i am accessing, use HTTPS protocol
There are 2 ways
1. Browser displays a LOCK symbol either in the address or status bar. Click on the lock icon, for more information like, the certificate issuing authority, encryption key length etc.
2. In the address bar look for HTTPS instead of HTTP

How to configure HTTPS instead of HTTP for asp.net web applications
IIS is the web server for asp.net web applications. so the configuration to use HTTPS, is usually done in IIS. The encryption and decryption of  messages exchanged between the client and the server is done by server certificates. These server certificates needs to be installed on the IIS server. We will discuss about IIS configuration in a later video session. 

What is Secure Socket Layer and how is it different from HTTPS
HTTPS is HTTP (HyperText Transfer Protocol) plus SSL (Secure Socket Layer). SSL standing for Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a web server and a browser, so that the data sent over the Internet can’t be read by others. When a user requests a secure Web page, the server generates an encryption key for the user’s session and then encrypts the page’s data before sending a response. On the client side, the browser uses that same encryption key to decrypt the requested Web page and to encrypt new requests sent from that page. SSL uses server certificates for encryption and decryption. An SSL certificate contains a public key and certificate issuer. Not only can clients use the certificate to communicate with a server, clients can verify that the certificate was cryptographically signed by an official Certificate Authority. For example, if your browser trusts the VeriSign Certificate Authority, and VeriSign signs my SSL certificate, your browser will inherently trust my SSL certificate.

Who issues server certificates and can't I generate test certificates
Server certificates are issued by an entity called certificate authority. There are several trusted certificate authorities like
1. verisign
2. Thawte 
3. Geotrust
4. Comodo 
5. GoDaddy 

The certificate authority acts as a clearing house to verify the server’s identity over the Internet. When a browser requests a page over https, the browser also, requests the server certificate and checks it against a list of trusted sites provided by the certificate authority. If the server certificate does not match one of the sites already authorized by the user, or if the server certificate does not match the Web address for which it was registered, or if there are any other problems with the server certificate, a warning message is displayed. The warning message from internet explorer is shown below.


Besides providing encryption and decryption for secure data transmission, certificate authority also provides assurance to users that a website is authentic.

It is also possible to generate our own server certificates, using a tool called makecert.exe. This tool comes with visual studio and can be used from visual studio command prompt. The certificates that are generated using this tool, can only be used for testing purposes and not for production use. We will discuss about generating and installing server certificates in our next video session.

What about performance when using HTTPS over HTTP
Extra processing time is required for HTTPS, for key negotiation. Key negotiation is also termed as SSL handshake.  The handshake allows the server to authenticate itself to the client.

4 comments:

  1. Very easy to understand using from your explanation. Keep posting more topics

    ReplyDelete
  2. Very good work. Thank you for the post.

    ReplyDelete
  3. Thank you Venkat Sir... you are doing an amazing service to the IT community over the Globe... I always refer your video series to my friends here in USA... and we all benefited so much from the hard work that you put in... Thanks for making our life easy... You are the best !!!

    ReplyDelete
  4. Thank you somuch sir, I always prefer your blog only..

    ReplyDelete

If you like this website, please share with your friends on facebook and Google+ and recommend us on google using the g+1 button on the top right hand corner.