SSL (Secure Sockets Layer)

From HE FAQ
Revision as of 13:06, 29 September 2009 by Kcochran (Talk | contribs)

Jump to: navigation, search

Please note: For new "Version 3" hosting servers, see the bottom of this topic page for information regarding obtaining an SSL Cert for your account. If you are unsure about the version of the server that your account resides, please contact support@he.net for further assistance.


What does SSL mean?

SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server. For web traffic to be encrypted means that traffic between the server and your browser is scrambled so that it is unintelligible if intercepted.

Why is that when I try to access a secure web page on your server my browser shows an error message saying something about an "unknown authority", and won't load the page.

We have changed all of the secure certificates on our servers to ones signed by Thawte. At one time the only certifying agency was VeriSign, so older web browsers will only recognize secure certificates from them. To avoid getting error messages in the future you should update your browser.

How do I use SSL?

All accounts include a secure web directory. Your secure web directory is named:

/home/accountname/secure_html

where accountname is your account name. Your secure web URL is:

https://servername/~accountname

where servername is the name of the server your account is on. An example secure web URL might be:

https://thor.he.net/~rflyer

To invoke user CGI scripts using SSL use:

https://servername/cgi-bin/suid/~accountname/scriptname

To invoke system CGI scripts using SSL use:

https://servername/cgi-bin/scriptname


What advantage, if any, is there to a secure page using SSL?

The page and any response using forms on it are encrypted in transit so that eavesdroppers which may observe raw traffic passing through their networks can't read it. This is especially useful in shared environments, such as a college campus or a large office which uses standard 10 base T ethernet hubs or thin ethernet, where all machines can see all traffic.

The use of a secure form increases the willingness of people to submit orders online using their credit card, which means increased sales for you. Why can I use https://servername/~accountname but not https://virtualhostname ? The digital certificates used in SSL are issued by certificate authorities (such as VeriSign and Thawte). A digital certificate will only work for the specific domain name it was issued for.

To obtain a digital certificate you must prove that you have the legal right to use the domain name the certificate is to be issued for, prove that you are who you say you are (for a corporation you may be required to provide its articles of incorporation), and pay the necessary fee ($295 for the first year if you use VeriSign) to the certificate authority.

We have purchased digital certificates for all of our shared web servers to save you the cost, delay, and difficulty of obtaining a certificate. To take advantage of our pre-installed digital certificates you must use the domain name of the server in your https (SSL) URL.


How do I use frames with SSL?

When using frames with ssl, a new window must be created otherwise ssl will not work.


Where do I install and how do I call secure cgi scripts?

The cgi scripts are placed in your cgi-bin and called using the URL:

https://server.he.net/cgi-bin/suid/~accountname/script.cgi


How do I get a secure form to send encrypted email?

You would use PGP (Pretty Good Privacy) for that. Please see:

http://web.mit.edu/network/pgp.html


How do I correctly call a cgi script from within a secure form?

Please use:

https://server/cgi-bin/suid/~accountname/scriptname

Make sure to replace where it says server with your domain name or the domain name on which your account is located. Also replace where it says accountname with the name of your account and scriptname with the name of your script. For example:

https://thor.he.net/cgi-bin/suid/~rflyer/novato.cgi


When I access my secure site, I get a message that says "One of the Certificates Has Expire." How do I fix that?

The Thawte root secure certificates embedded in Netscape Navigator 3.x and Microsoft Internet Explorer 3.x and earlier expired in July 1998. All root certificates will eventually expire and will need to be updated. To keep up with this, certificate issuers give software manufacturers their latest certificates to include in new releases of their browsers.

Users of Netscape Navigator 3.x and Microsoft Internet Explorer 3.x and earlier can upgrade their browsers by following the instructions at:

http://www.thawte.com/certs/server/rollover.html

It takes 2 minutes and means you will no longer experience any problems accessing the millions of web sites with Thawte secure certificates.

Less than 15% of all installed browsers are effected by this.


How do I get an SSL Cert for my account on a new "Version 3" server?

On new servers, Hurricane Electric no longer provides a shared server SSL Certificate. If you wish to use SSL with your account, you can either purchase a cert from your registrar or install a "sell-signed" cert.

To install a certificate sourced at either option, simply log in to your account at https://admin.he.net and select "Manage Secure Certificates". There, it will list step-by-step instructions on generating a CSR and installing your certificate.