Using SSL on Camden Campus Web Servers
What is SSL?
SSL stands for Secure Sockets Layer. It allows a web server and
a web browser to establish an encrypted connection to exchange information.
A typical exchange of information between a web server and a web
browser is not encrypted. When you see http:// in a page's web address,
that means your browser and the web server are passing information back
and forth in cleartext. That means that the information could be
intercepted by a person and read on their computer with very little
effort. When you see https:// in a page's
web address, and the tiny "padlock" icon in the lower left (or lower right)
corner of your browser window appears "locked", that means that information
sent between your browser and the web server is encrypted. Encryption
is the process of rendering information unreadable by applying a
complex formula (sometimes multiple formulas) to the data. SSL encryption
uses a key during the calculations to render the data unreadable.
When your browser uses SSL to communicate with an SSL-enabled web server,
the server sends a certificate that has been created using its
key. Your browser will automatically contact a certificate authority
to verify the identity of the web server. All SSL-capable browsers
(which includes Netscape 4.76 and above, and IE 5.x and above) have a pre-programmed
list of certificate authorities that can be contacted to verify an SSL
server certificate. If the certificate is verified, your browser
will then begin exchanging information with the SSL-enabled web server
using SSL encryption. Normally, this entire process of certificate
exchange and verification happens very quickly (in less than a second).
Why should I use SSL?
Let's first make it clear that you shouldn't always use SSL.
SSL is not necessary for web pages that contain information that is accessible
to the general public. Information such as course catalogs, academic
calendars, campus events, and other similar types of information do not
need to be on SSL-protected web pages. To carry on an encrypted conversation,
your computer and the web server must scramble every single piece of information
that passes between them. That means that every word, every image,
every last bit of a web page that is being encrypted must be altered using
complex mathematical operations that render it unreadable. It is
a process that requires additional computing power from both the web server
and the browser visiting your site. It is important to consider the
nature of the information contained on your web pages when deciding whether
or not to use SSL.
With that said, it is extremely important that you do use SSL to protect
web pages where sensitive or personal information is either displayed or
gathered (using web-based forms). If you are using a web form to
register people for a course that requires them to enter their Social Security
or credit card numbers, you absolutely want to use SSL for those
pages. If you are displaying a class roster, an employee or student
record, confidential financial or research information, or other
similar kinds of information on your web pages, particularly on pages that
require a person to log in to view them, you should be using
SSL for those pages.
Also be aware that SSL does not guarantee that the information you are
sending to or gathering from the web will not be stolen or intercepted.
Our servers are using 128-bit encryption when communicating via SSL, which
is currently the maximum level of encryption supported by standard web
browsers such as Netscape or Internet Explorer. It is considered
very secure but by no means is it impossible to "crack" SSL encryption.
Like any lock, SSL can be cracked with a large enough drill (immense computing
power) or a skilled enough lockpick (a mathematical genius). 128-bit
encryption is a strong lock, though, and a strong lock is better than no
lock at all.
How do I use SSL?
Server Names
The Rutgers Camden campus has three web servers:
- clam.rutgers.edu - student web server
- crab.rutgers.edu - faculty web server
- www.camden.rutgers.edu - campus-wide web server
Important Terms
As you read this section, there will be terms such as relative URL,
absolute URL, frame, IMG element, and link (and others) that you should
be familiar with. If you are not, then please email
help@camden.rutgers.edu with your questions, especially if you are
unsure as to whether you are using SSL properly for your document(s).
All three of the web servers listed above now support SSL encryption.
The important things to remember when using SSL on our servers are that
you use https when constructing URLs for your documents and that
you use the proper server name. If you have a virtual host
name, you cannot use it when constructing a URL with https.
The general format of an SSL URL is:
https://<servername>.rutgers.edu/<path>/<to>/<web>/<site>
By using https instead of http, you are notifying the server
and the web browser that you wish to use SSL encryption. The servername
must be one of the three proper server names listed above (clam, crab,
www.camden). Each server's SSL certificate is locked and signed using
its proper name. This means that if you have a virtual host name
for your web site, like rucs.camden.rutgers.edu, that you normally use
in place of a long URL with the proper server name (which in this case
would be www.camden.rutgers.edu/RUCS-Camden), you can NOT use the
virtual host name with our SSL certificates.
If you attempt to combine https with a virtual host name, the person
visiting your site will receive a warning that the computer name contained
in the SSL certificate does not match the computer name of the web address
they are visiting. Depending on the security settings in their browser,
this may automatically disable SSL communication between the web server
and the person's browser while they are accessing your documents.
If you have a virtual host name, and you want to use SSL to protect all
or part of your web site, please contact help@camden.rutgers.edu
and someone from the Camden Computing Services staff can explain how
this applies to your site.
Simple Documents
If you are not using a virtual host name or frames or remote page elements
(like images stored on another server), then you just need to make sure
that the links people use to reach your documents are constructed as described
above, using the form:
https://<servername>.rutgers.edu/<path>/<to>/<web>/<site>
For example, if you have a link to a seminar registration page that is
currently not encrypted, it might look like this:
<A HREF="education/forms/seminarform.html">
or
<A HREF="http://www.camden.rutgers.edu/education/forms/seminarform.html">
If you wish to encrypt that seminar registration page, then you need to
change the links leading to it so that they look like this:
<A HREF="https://www.camden.rutgers.edu/education/forms/seminarform.html">
Notice that you cannot use relative URLs when going from non-SSL pages
to SSL pages. When you are creating a link from one SSL document
on the same server to another SSL document, you can use relative URLs.
However, it is best to always use absolute URLs to ensure that the people
accessing your protected document do so using SSL.
Complex Documents
It would take an entire chapter in a printed book to describe the uses
of SSL with the many kinds of complex documents that are possible with
HTML. If you have a document that contains frames, JavaScript, Java,
CGI-BIN, PHP, or anything beyond basic HTML, you should contact
help@camden.rutgers.edu and request that a RUCS staff member review
your documents for use with
SSL. What follows will be a very basic description of how to go about
using SSL with frames and with external page elements.
Since frames divide a web page into panes which each display their own
HTML document, you need to make sure that each part of the frame is referenced
using absolute URLs of the https form. The simplest
frame document is divided into two panes, or frames. One is a menu
or navigation frame that contains links to other documents or sections
in a document, while the other is a content frame containing text,
images, sounds, etc. To ensure that all the frames of your document
are being handled with SSL, construct the URLs for each frame in a manner
similar to this:
<frameset cols="190,*">
<frame src="https://www.camden.rutgers.edu/<path>/<to>/<your>/menu.html"
target="right">
<frame src="https://www.camden.rutgers.edu/<path>/<to>/<your>/main.html"
name="right" target="right">
</frameset>
Notice two parts of each frame URL in the frameset definition. We used
https to indicate that we want the server and the browser to use
SSL, and we used the proper name of the server, to make sure that
the certificate is properly identified.
Another type of complex document that is often created is one with the
document stored on one server and certain elements (images, sounds, video)
of the document stored on another server. These elements stored on
a different server are referred to as external page elements.
External page elements are not the same thing as links to pictures, sounds,
or video. A link is something that must be clicked on (or somehow
selected by the person viewing the page) in order to be sent from the server
to the browser. A page element is something that is displayed or
played back as part of the document itself. The most common page
element is the image. When an image is stored on the same server
as the document, you place it on the document like this:
<IMG SRC="<path>/<to>/<img>/imagename.gif">
You can use the above type of IMG SRC tag when placing images on your SSL-protected
document, and when your document is loaded by the server, it will automatically
assume that you want to transmit the image using SSL.
If the image is being stored on a different server, you typically place
it on the document like this:
<IMG SRC="http://other.server.name/<path>/<to>/<img>/imagename.gif">
If you are using this type of externally loaded image on an SSL-protected
document, you should change the IMG SRC tag to look like this:
<IMG SRC="https://other.server.name/<path>/<to>/<img>/imagename.gif">
If the other server does not support SSL, this will not be possible.
In that case, you can still try to use the non-SSL http form of
the IMG SRC tag, but be aware that the image will not be encrypted during
transmission. This may cause some web browsers to complain to the
person viewing your document that some elements of the page are not secure,
or worse, the browser may simply refuse to display those insecure elements.
Forms and CGIs
The web servers on the Camden campus are configured so that all pre-installed
form handlers and CGIs are able to be referenced using SSL. If you
are writing your own form handlers or CGIs, then you should contact the
RUCS-Camden staff by emailing help@camden.rutgers.edu
and discuss your options regarding SSL use.
Normally when you access a CGI from your document, you place something
like this in the HTML code:
ACTION="/cgi-bin/<cgi name>"
Although this may still work if your document is using SSL, it is best
to play it safe and explicitly use SSL in the reference to the CGI if there
is some sort of sensitive information being sent or received via the CGI
(this includes things like the FormMail CGI). Here's an example of
an SSL reference to the FormMail CGI:
ACTION="https://www.camden.rutgers.edu/cgi-bin/FormMail"
IMPORTANT NOTE: Currently, our page hit counter CGI does not work
properly with SSL. If you are using a page hit counter, instead of
explicitly using an SSL reference, you should explicitly use a non-SSL
reference, like this:
<IMG SRC="http://www.camden.rutgers.edu/cgi-bin/Count.cgi?df=datafile.dat">
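The rules above for links, frames, images and form ACTIONs can be checked mechanically before a document is published. The following Python script is an added example, not part of the original page or of any campus tooling: the audit function, the finding labels and the sample HTML are constructed for illustration, and only the three server names are taken from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Server names the page says the SSL certificates are issued to.
CERT_HOSTS = {"clam.rutgers.edu", "crab.rutgers.edu", "www.camden.rutgers.edu"}
URL_ATTRS = {"a": "href", "form": "action", "img": "src", "frame": "src"}
EMBEDDED = {"img", "frame"}  # fetched as part of the page, not clicked

class SSLAudit(HTMLParser):
    """Collect (tag, url, problem) findings for one HTML document."""
    def __init__(self, page_is_ssl):
        super().__init__()
        self.page_is_ssl = page_is_ssl
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTRS.get(tag))
        if not url:
            return
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "https":
            # A campus virtual host name will not match the certificate.
            if host.endswith(".rutgers.edu") and host not in CERT_HOSTS:
                self.findings.append((tag, url, "name-mismatch"))
        elif tag == "form":
            # Relative or http ACTION: the submission is not explicitly SSL.
            self.findings.append((tag, url, "form-not-explicit-https"))
        elif tag in EMBEDDED and self.page_is_ssl and parts.scheme == "http":
            self.findings.append((tag, url, "unencrypted-element"))

def audit(html, page_is_ssl=True):
    parser = SSLAudit(page_is_ssl)
    parser.feed(html)
    return parser.findings

# Constructed sample document (hypothetical paths, not from the campus site).
SAMPLE = """
<A HREF="https://rucs.camden.rutgers.edu/forms/seminarform.html">Register</A>
<A HREF="https://www.camden.rutgers.edu/education/forms/seminarform.html">OK</A>
<FRAME SRC="http://www.camden.rutgers.edu/example/menu.html">
<IMG SRC="images/logo.gif">
<IMG SRC="http://other.server.name/img/imagename.gif">
<FORM ACTION="/cgi-bin/FormMail"></FORM>
<FORM ACTION="https://www.camden.rutgers.edu/cgi-bin/FormMail"></FORM>
"""
if __name__ == "__main__":
    for tag, url, problem in audit(SAMPLE):
        print(f"{problem:24} <{tag}> {url}")
```

On an SSL-protected document, the hit counter reference shown above is reported as unencrypted-element; that is expected, since the page asks for a non-SSL reference there.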