18. WWW Security

18.4. Application - Buying a Book in the WWW

The previous section has shown the details of how SSL works. In this section we present how to configure and use SSL for buying a book using a common WWW browser. The purpose is to show how the elements involved in a secure communication appear in the user interface and the configuration and troubleshooting of the security system. Let us suppose that Alice wants to buy a computer book from a bookstore that has a selling point in the Internet. Let us call the vendor Bob's Online Bookstore (Bob). Alice uses a browser that supports SSL. The following steps are required for a secure transaction:

1. Alice sets up the security preferences of the browser. Generally this involves configuring:
   • the cipher suite on the client. The browsers allow the user to chose, from a set of options, the possible cryptographic algorithms. A minimum for an economic transaction would be: RC2, RC4 or DES with a key of at least 40 bits;
   • the list of public keys trusted by Alice. This is a bit confusing because the programs do not actually store the public keys alone but the public-key certificates of the trusted parties which contain the public key. Browsers such as Netscape Navigator have defined at installation a list of public key certificates for the most important Certificates Authorities in the U.S. and Canada;
   • personal public key certificate. Although not very often used today, it is possible for individuals to have their own certificates that can be used in transactions. These certificates are useful for the situation when the client has to be authenticated before having access to the server.
   • general preferences. Alice can set the alert conditions such as whether to get a warning when she communicates through an insecure connection, when the session starts to be secure and when the secure session is closed.
2. After searching for the book, Alice gets to the point where she has to fill in the form that contains the credit card number with which she pays for the book. At this point there are two alternatives.
   1. If she has a browser that supports SSL and the vendor has a server that supports SSL for buying books she requests to download the form from an address whose URL starts with https instead of http.

      In this case, after the browser receives the command for downloading the form, it starts the SSL Handshake Protocol with the server and when the negotiation ends, the browser opens the alert window indicating that the secure channel has been opened and the user receives the form.

      Alice can check the security features of the document. In a separate window the browser displays information about the form such as the public key certificate of the server. This also contains information about who is the issuer and Alice can check the validity of the certificate using the public key of the issuer. The following excerpt shows the information about a form from www.amazon.com, a bookstore in the Internet:

   Amazon.com: Finalizing Your Order has the following structure:
        https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
       Form 1:         Action URL:
                       https://www.amazon.com/exec/obidos/
                         order-form-page1/1560-1716296-170014
                       Encoding: application/x-www-form-urlencoded 
                         (default)
                       Method: Post
      Netsite: https://www.amazon.com/exec/obidos/order2/
                       1560-1716296-170014
   File MIME Type: text/html
      Source: Currently in memory cache
     Local cache file: none
      Last Modified: Unknown
      Last Modified: Unknown
     Content Length: 2699
            Expires: No date given
            Charset: iso-8859-1 (default)
           Security: This is a secure document that uses a medium-grade 
                      encryption key suited for
                      U.S. export (RC4-Export, 128 bit with 40 secret).
        Certificate:This Certificate belongs to:
                        www.amazon.com
                        Amazon.com, Inc.
                        Washington, US
                            This Certificate was issued by:
                            Secure Server Certification Authority
                            RSA Data Security, Inc.   US
                      Serial Number: 02:78:00:06:72
                      This Certificate is valid from Sun Jun 02, 
                            1996 to Tue Jun 03, 1997
                      Certificate Fingerprint:
                        93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
   

3. If Alice does not have SSL support she cannot connect to the SSL port on the server. If she fills in a form and wants to send it on an insecure channel the browser alerts her.

Further information on how to use SSL in browsers can be found in: Netscape, 1996c and the user manual of the browser.

Copyright © 1996 Calin Groza, All Rights Reserved

Calin Groza <cgroza@cs.vt.edu>
Last modified: Dec. 16 12:00 1996