WWW: Beyond the Basics

18. WWW Security

18.4. Application - Buying a Book in the WWW

The previous section showed in detail how SSL works. This section shows how to configure and use SSL to buy a book with a common WWW browser. The purpose is to show how the elements of a secure communication appear in the user interface, and how the security system is configured and troubleshot. Suppose that Alice wants to buy a computer book from a bookstore that sells on the Internet. Let us call the vendor Bob's Online Bookstore (Bob). Alice uses a browser that supports SSL. The following steps are required for a secure transaction:

  1. Alice sets up the security preferences of the browser. Generally this involves configuring:
  2. After searching for the book, Alice gets to the point where she has to fill in the form that contains the credit card number with which she pays for the book. At this point there are two alternatives.
    1. If her browser supports SSL and the vendor's server supports SSL for buying books, she requests the form from an address whose URL starts with https instead of http.

      In this case, after the browser receives the command to download the form, it starts the SSL Handshake Protocol with the server. When the negotiation ends, the browser opens the alert window indicating that the secure channel has been opened, and the user receives the form.

      Alice can check the security features of the document. In a separate window the browser displays information about the form, such as the public key certificate of the server. The certificate also identifies its issuer, and Alice can check the validity of the certificate using the public key of the issuer. The following excerpt shows the information about a form from www.amazon.com, a bookstore on the Internet:

    Amazon.com: Finalizing Your Order has the following structure:
         https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
        Form 1:         Action URL:
                        https://www.amazon.com/exec/obidos/
                          order-form-page1/1560-1716296-170014
                        Encoding: application/x-www-form-urlencoded 
                          (default)
                        Method: Post
       Netsite: https://www.amazon.com/exec/obidos/order2/
                        1560-1716296-170014
    File MIME Type: text/html
       Source: Currently in memory cache
      Local cache file: none
       Last Modified: Unknown
       Last Modified: Unknown
      Content Length: 2699
             Expires: No date given
             Charset: iso-8859-1 (default)
            Security: This is a secure document that uses a medium-grade 
                       encryption key suited for
                       U.S. export (RC4-Export, 128 bit with 40 secret).
         Certificate:This Certificate belongs to:
                         www.amazon.com
                         Amazon.com, Inc.
                         Washington, US
                             This Certificate was issued by:
                             Secure Server Certification Authority
                             RSA Data Security, Inc.   US
                       Serial Number: 02:78:00:06:72
                       This Certificate is valid from Sun Jun 02, 
                             1996 to Tue Jun 03, 1997
                       Certificate Fingerprint:
                         93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
    
    2. If Alice does not have SSL support, she cannot connect to the SSL port on the server. If she fills in a form and wants to send it over an insecure channel, the browser alerts her.
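
As an added example (not part of the original text and not any browser's code), the Python code below parses the Security and Certificate lines of the Document Info excerpt above and reports what Alice should question: a cipher with fewer secret bits than a chosen threshold, and a certificate outside its validity period. The function names and the 128-bit threshold are assumptions made for this illustration.

```python
import re
from datetime import date

# Lines copied from the Document Info excerpt above, wrapped as on the page.
DOCUMENT_INFO = """
Security: This is a secure document that uses a medium-grade
           encryption key suited for
           U.S. export (RC4-Export, 128 bit with 40 secret).
This Certificate is valid from Sun Jun 02,
      1996 to Tue Jun 03, 1997
Certificate Fingerprint:
  93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
"""

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def _to_date(month, day, year):
    return date(int(year), MONTHS.index(month) + 1, int(day))

def parse_document_info(text):
    """Pull cipher strength, validity window and fingerprint out of the text."""
    flat = " ".join(text.split())  # undo the browser's line wrapping
    cipher = re.search(r"\(([\w-]+), (\d+) bit(?: with (\d+) secret)?\)", flat)
    dates = re.findall(r"\w{3} (\w{3}) (\d{2}), (\d{4})", flat)
    fp = re.search(r"Fingerprint: ((?:[0-9A-F]{2}:)+[0-9A-F]{2})", flat)
    if not cipher or len(dates) != 2 or not fp:
        raise ValueError("not a recognisable Document Info block")
    key_bits = int(cipher.group(2))
    return {
        "cipher": cipher.group(1),
        "key_bits": key_bits,
        # Export suites keep only part of the key secret; default to the full key.
        "secret_bits": int(cipher.group(3) or key_bits),
        "not_before": _to_date(*dates[0]),
        "not_after": _to_date(*dates[1]),
        "fingerprint": bytes.fromhex(fp.group(1).replace(":", "")),
    }

def review(info, today, min_secret_bits=128):
    """Return the points Alice should question; an empty list means none."""
    findings = []
    if info["secret_bits"] < min_secret_bits:  # threshold is an assumption
        findings.append("weak cipher: %s has %d secret bits"
                        % (info["cipher"], info["secret_bits"]))
    if not info["not_before"] <= today <= info["not_after"]:
        findings.append("certificate not valid on %s" % today.isoformat())
    return findings

if __name__ == "__main__":
    for finding in review(parse_document_info(DOCUMENT_INFO), date(1996, 12, 16)):
        print(finding)
```

The 16-byte fingerprint it extracts is the value Alice would compare against one obtained from the vendor through a separate channel.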

Further information on how to use SSL in browsers can be found in: Netscape, 1996c and the user manual of the browser.


Copyright © 1996 Calin Groza, All Rights Reserved

Calin Groza <cgroza@cs.vt.edu>
Last modified: Dec. 16 12:00 1996