WebSTAR 4 Manual & Technical Reference


Using SSL in WebSTAR

When you have installed the certificate, you should test your server to make sure it is encrypting communications properly. Then you can start serving and accepting information with assurance that it is secure.

Testing Your Secure Server

To connect to WebSTAR SSL, follow these steps:

1 Launch your SSL-compatible browser (such as Netscape Navigator or Internet Explorer).
2 Create a test file named secure.html in a folder named secure.
3 Use HTTPS to open the page (using your host name):

https://www.domain.com/secure/secure.html

If you have trouble, see SSL (Secure Socket Layer) Troubleshooting.

The browser connects to the server and opens in secure mode. You can verify the security of a document by examining the security icon in the lower-left corner of the browser window.

In early versions of Netscape's browsers, the icon consists of a gold key on a blue background to show secure documents and a broken key on a gray background to show unsecure documents. In version 4 of Navigator and Communicator, it's a small padlock icon, open except for secure documents. Other browsers have similar icons to indicate security status.

To check security, you can use the Page Info command on the View menu. A window opens that includes this security information:

 

It shows the type of encryption protecting the document (see Encryption Ciphers) as well as certificate information and the public part of the authentication key.

Access Control

To preserve privacy, you should know who is accessing the information. Using WebSTAR's Realm-based access control with user names and passwords (see Security Realms) will provide some of this accountability. Be sure that you use safe passwords and change them regularly, and use a log file analysis program to track all transactions.

You should also take extra security precautions with the machine serving private data.

Additional Privacy Considerations

Serving private pages, such as medical records, personnel information, or financial data, is different from accepting credit cards. When you use SSL to accept a credit card, the browser encrypts the information before sending it to you. When you use SSL to display private information, the server encrypts it before sending it to the browser.

To set the server to respond to HTTPS only, set the Web HTTP connections to 0 (see Max Connections).

There are a number of ways to make sure you serve private pages via the secure HTTPS protocol:

SSL Server Performance Issues

Serving and accepting encrypted data via HTTPS takes more time than serving plain text pages and even graphics.

The most processor-intensive portion of the SSL protocol is the key exchange, when the browser first connects to your server using the HTTPS protocol. WebSTAR Server Suite 4 implements resumable sessions, which allow browsers to re-use previous key exchange information. The second and subsequent connections by a browser don't need the same expensive session setup as the first connection, so they are much faster. In addition, the persistent connections feature allows the server to keep the connection to the browser open until all elements of the page are sent, which is much faster than opening a new connection.

Most browsers released since 1997 support persistent connections and resumable sessions.

If you are concerned about speed, the RC4 cipher is twice as fast as DES, and 6 times faster than 3DES, while providing the same amount of encryption.
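
The checks described on this page, scripted as an added example (not part of the WebSTAR manual or product): it reports the negotiated cipher and certificate as the browser's Page Info window does, reconnects to see whether the second connection resumes the session, and tests whether the plain HTTP port still accepts connections. The function names, the port numbers and the 128-bit minimum are assumptions.

```python
import socket
import ssl
import sys

def plain_http_open(host, port=80, timeout=3.0):
    """True if something still accepts TCP connections on the plain HTTP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_https(ctx, host, port, path, session=None, timeout=5.0):
    """Request path over HTTPS once; report cipher, certificate, session reuse."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            # Read a reply first: TLS 1.3 sends session tickets after the handshake.
            tls.sendall(f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
            cipher, protocol, bits = tls.cipher()
            cert = tls.getpeercert()
            subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
            return {"status": status, "protocol": protocol, "cipher": cipher,
                    "bits": bits, "subject": subject.get("commonName"),
                    "expires": cert.get("notAfter"),
                    "resumed": tls.session_reused, "session": tls.session}

def check_server(host, path="/secure/secure.html", port=443):
    """Connect twice with one SSLContext so the second handshake can resume."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    first = probe_https(ctx, host, port, path)
    second = probe_https(ctx, host, port, path, session=first.pop("session"))
    second.pop("session")
    return {"first": first, "second": second, "http_open": plain_http_open(host)}

def findings(report, min_bits=128):  # min_bits is an assumed threshold
    """Turn a check_server() report into a list of things to look at."""
    problems = []
    if report["first"]["bits"] < min_bits:
        problems.append(f"weak cipher negotiated: {report['first']['cipher']}")
    if not report["second"]["resumed"]:
        problems.append("second connection was not a resumed session")
    if report["http_open"]:
        problems.append("plain HTTP port still accepts connections")
    return problems

if __name__ == "__main__":
    report = check_server(sys.argv[1])  # host name of the server under test
    print(report["first"], report["second"], *findings(report), sep="\n")
```

Run it with the server's host name as the only argument. A certificate that does not validate for that host name raises ssl.SSLCertVerificationError before any report is produced.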

