Web Security, Privacy and Commerce, 2nd Edition

only for RuBoard - do not distribute or recompile

5.2 SSL: The User's Point of View

Both Netscape Navigator and Microsoft's Internet Explorer contain extensive support for SSL and TLS. This section describes the support for transferring documents using encryption. SSL/TLS support for digital certificates is described in Chapter 17.

Netscape Navigator uses the term "secure document" as shorthand for the phrase "documents that are transmitted using SSL."

Of course, documents transmitted using SSL aren't any more secure or unsecure than documents that are sent in the clear. They are simply cryptographically protected against eavesdropping and modification while in transit. The SSL protocol makes no assurance that the document itself was not modified on the web server, a far easier attack than intercepting and modifying the contents of a TCP/IP stream.

5.2.1 Browser Preferences

Netscape Navigator and Internet Explorer control their SSL behavior through the use of special control panels. Navigator calls this panel Security Preferences and it is accessed from Navigator's Preferences menu. Explorer calls this panel the Advanced Options panel and it is accessed from Explorer's Internet Options menu.

5.2.1.1 Navigator preferences

The Netscape Navigator 6.0 Security Preferences panel is shown in Figure 5-4.

Figure 5-4. Netscape Navigator's Security Preferences panel

The controls listed under Navigator's General tab allow the user to choose when various alerts are displayed. Netscape Navigator can be configured to alert the user:

Pressing the "Edit Ciphers..." button displays a panel (shown in Figure 5-5) allowing you to control which ciphers Netscape will offer to the remote SSL/TLS server.

Figure 5-5. The Edit Ciphers panel allows you to control which encryption ciphers Netscape Navigator will offer to the remote system.
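Current TLS client libraries expose the same control that the Edit Ciphers panel gives the user. The following is an added example, not code from the book: it uses Python's standard ssl module to restrict and list the suites a client context will offer, then flags weak ones. The WEAK_MARKERS policy, the 128-bit floor, the function names and the legacy sample are assumptions constructed for illustration.

```python
import ssl

# Assumed policy for this example: name fragments of suites a client should not offer.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH")
MIN_BITS = 128  # assumed minimum symmetric key strength


def offered_suites(cipher_string=None):
    """List (name, protocol, strength_bits) for suites a client context would offer."""
    ctx = ssl.create_default_context()  # client context, certificate checks enabled
    if cipher_string is not None:
        # OpenSSL cipher-list syntax; ssl.SSLError is raised if nothing can be selected.
        # TLS 1.3 suites are configured separately by OpenSSL and remain in the list.
        ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_suites(suites, min_bits=MIN_BITS):
    """Return the suites that fall below min_bits or match a weak marker."""
    return [
        s for s in suites
        if s[2] < min_bits or any(marker in s[0] for marker in WEAK_MARKERS)
    ]


# Constructed sample: export-grade and legacy suites next to a modern one.
LEGACY_SAMPLE = [
    ("EXP-RC4-MD5", "SSLv3", 40),
    ("DES-CBC3-SHA", "SSLv3", 112),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
]

if __name__ == "__main__":
    restricted = offered_suites("ECDHE+AESGCM")
    for name, proto, bits in restricted:
        print(f"{proto:8} {bits:4} {name}")
    print("weak in restricted list:", weak_suites(restricted))
    print("weak in legacy sample:  ", weak_suites(LEGACY_SAMPLE))
```
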

Netscape Navigator further allows you to prevent pages that are downloaded with SSL from being stored in the client's disk cache. Storing pages in the cache speeds performance, particularly over slow network connections. However, pages are stored without encryption on the user's computer. If the computer is likely to be stolen or accessed by an unauthorized individual, and the information on the encrypted pages is highly sensitive, you may wish to disable this option.

5.2.1.2 Internet Explorer preferences

The Internet Explorer 6.0 Options panel is shown in Figure 5-6. Explorer has many more options than Navigator. Specific options that are of interest include:

Check for publisher's certificate revocation

Activates the software inside the Windows SSL implementation that checks for revoked certificates on Authenticode-signed controls.

Do not save encrypted pages to disk

Prevents pages downloaded using SSL from being saved on your local hard disk.

Figure 5-6. Internet Explorer's security preferences can be controlled from the Advanced tab of the Internet Options panel.

5.2.2 Browser Alerts

Both Netscape Navigator and Internet Explorer display a small padlock at the bottom of the browser to indicate the page currently viewed was downloaded using SSL.
