Application -- Buying a book in the WWW

Amazon is a bookstore on the Internet that supports secure electronic commerce using SSL. This section covers some aspects of security when buying a book from Amazon.Com using Netscape Navigator. Aspects that are of interest:

configuration of the parameters for secure communication;
new protocol in URL:https;
firewalls, errors;
document info, server certificate;

Parameters for a Secure Connection in WWW

A set of parameters have to be configured for a secure transaction (see Netscape Navigator: Main_Menu/Options/Security_Preferences):

General

alert when enter and leave the secure document space/server;
one SSL handshake can be used for one or more HTTPS connections;

Configure the SSL handshake protocol

two versions of the protocol that are more often used: SSL 2.0 and SSL 3.0;
chose the secret-key encryption protocol used in SSL;
RC2 and RC4 are symmetric encryption protocols from RSA Inc.
other possible encryption protocols are: DES, IDEA;
export restrictions apply here;

Personal Certificates

it is possible to obtain Personal Certificates that are used by individuals and are issued by organizations;
a Certificates binds a name (an individual) to a Public Key;

Site Certificates

Certificate Authorities - are organizations that issue certificates;
Certificate Chains - a chain of organization that certifies each other until one of them is trusted.

Dump of the Document Info Message Window

Browsers show the security status of the document that are retrieved from the server. For a significant example go to a secure form and after downloading it look at the security characteristics of the form (in Netscape Navigator: Main_Menu/View/Document_Info).

The following example is the information about a secure form from Amazon.com:

Amazon.com: Finalizing Your Order has the following structure:

       https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
              Form 1:
                    Action URL:
                    https://www.amazon.com/exec/obidos/order-form-page1/1560-1716296-170014
                    Encoding: application/x-www-form-urlencoded (default)
                    Method: Post

Netsite:
                   https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
 File MIME Type:
                   text/html
           Source:
                   Currently in memory cache
  Local cache file:
                   none
   Last Modified:
                   Unknown
   Last Modified:
                   Unknown
 Content Length:
                   2699
          Expires:
                   No date given
         Charset:
                   iso-8859-1 (default)
         Security:
                   This is a secure document that uses a medium-grade encryption key suited for
                   U.S. export (RC4-Export, 128 bit with 40 secret).
       Certificate:
                   This Certificate belongs to:
                     www.amazon.com
                     Amazon.com, Inc.
                     Washington, US

                                           This Certificate was issued by:
                                             Secure Server Certification Authority
                                             RSA Data Security, Inc.
                                             US


                   Serial Number: 02:78:00:06:72
                   This Certificate is valid from Sun Jun 02, 1996 to Tue Jun 03, 1997
                   Certificate Fingerprint:
                     93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65

Prev Up Next