The previous section showed in detail how SSL works. This section shows how to configure and use SSL to buy a book with a common WWW browser. The purpose is to show how the elements involved in a secure communication appear in the user interface, and how the security system is configured and troubleshot. Let us suppose that Alice wants to buy a computer book from a bookstore that sells on the Internet. Let us call the vendor Bob's Online Bookstore (Bob). Alice uses a browser that supports SSL. The following steps are required for a secure transaction:
In this case, after the browser receives the command to download the form, it starts the SSL Handshake Protocol with the server. When the negotiation ends, the browser opens the alert window indicating that the secure channel has been opened, and the user receives the form.
Alice can check the security features of the document. In a separate window the browser displays information about the form, such as the public key certificate of the server. The certificate also identifies its issuer, and Alice can check the validity of the certificate using the public key of the issuer. The following excerpt shows the information about a form from www.amazon.com, a bookstore on the Internet:
    Amazon.com: Finalizing Your Order has the following structure:
    https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
      Form 1:
        Action URL: https://www.amazon.com/exec/obidos/order-form-page1/1560-1716296-170014
        Encoding: application/x-www-form-urlencoded (default)
        Method: Post

    Netsite: https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
    File MIME Type: text/html
    Source: Currently in memory cache
    Local cache file: none
    Last Modified: Unknown
    Last Modified: Unknown
    Content Length: 2699
    Expires: No date given
    Charset: iso-8859-1 (default)
    Security: This is a secure document that uses a medium-grade encryption key suited for U.S. export (RC4-Export, 128 bit with 40 secret).
    Certificate:
      This Certificate belongs to:
        www.amazon.com
        Amazon.com, Inc.
        Washington, US
      This Certificate was issued by:
        Secure Server Certification Authority
        RSA Data Security, Inc.
        US
      Serial Number: 02:78:00:06:72
      This Certificate is valid from Sun Jun 02, 1996 to Tue Jun 03, 1997
      Certificate Fingerprint: 93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
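The checks Alice makes by eye on the excerpt above can also be expressed as code. The following Python is an added example, not part of the original page or of any browser: it parses the Security and Certificate fields and reports the site name, validity period, fingerprint and secret key length. The function names, the 128-bit policy threshold and the idea of a reference fingerprint obtained out of band are assumptions made for the example.

```python
import re
from datetime import datetime

# Security and certificate fields copied from the excerpt, one field per line.
DOC_INFO = """\
Security: This is a secure document that uses a medium-grade encryption key suited for U.S. export (RC4-Export, 128 bit with 40 secret).
Certificate: This Certificate belongs to: www.amazon.com Amazon.com, Inc. Washington, US
This Certificate was issued by: Secure Server Certification Authority RSA Data Security, Inc. US
Serial Number: 02:78:00:06:72
This Certificate is valid from Sun Jun 02, 1996 to Tue Jun 03, 1997
Certificate Fingerprint: 93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
"""

MIN_SECRET_BITS = 128  # assumed policy threshold, not a value from the page
DATE_FMT = "%a %b %d, %Y"

def parse_doc_info(text):
    """Extract cipher, subject, issuer, validity window and fingerprint."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.groups()

    cipher, total, secret = grab(r"\(([\w-]+), (\d+) bit(?: with (\d+) secret)?\)")
    start, end = grab(r"valid from (\w{3} \w{3} \d{2}, \d{4}) to (\w{3} \w{3} \d{2}, \d{4})")
    return {
        "cipher": cipher,
        "key_bits": int(total),
        "secret_bits": int(secret or total),  # no "secret" clause: whole key is secret
        "subject": grab(r"belongs to: (\S+)")[0],
        "issuer": grab(r"issued by: (.+)")[0].strip(),
        "not_before": datetime.strptime(start, DATE_FMT),
        "not_after": datetime.strptime(end, DATE_FMT),
        "fingerprint": grab(r"Fingerprint: ((?:[0-9A-F]{2}:)+[0-9A-F]{2})")[0],
    }

def review(info, expected_host, expected_fingerprint, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if info["subject"].lower() != expected_host.lower():
        findings.append("certificate subject does not match the site visited")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("certificate is outside its validity period")
    if info["fingerprint"].replace(":", "").lower() != expected_fingerprint.replace(":", "").lower():
        findings.append("fingerprint differs from the reference value")
    if info["secret_bits"] < MIN_SECRET_BITS:
        findings.append("only %d secret key bits (%s)" % (info["secret_bits"], info["cipher"]))
    return findings
```

Run against the excerpt with a date inside the validity period, `review` returns a single finding, the 40 secret bits of the export cipher. This check reads only what the browser displays; it does not verify the issuer's signature on the certificate.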
Further information on how to use SSL in browsers can be found in Netscape, 1996c and in the user manual of the browser.
Copyright © 1996 Calin Groza, All Rights Reserved
Calin Groza <cgroza@cs.vt.edu>
Last modified: Dec. 16 12:00 1996