Https
drewprops
Space Pirate
 
Join Date: May 2004
Location: Atlanta
 
2006-09-23, 10:58

Can you guys spoon feed me the overall concept of HTTPS as compared to HTTP?
Is this a case where certificates are transparently compared between the site you're visiting and some third party group that confirms that the certificate is valid? I can't just go to any page in my website with the prefix https:// and expect it to work, so is there some sort of "switch" that has to be flipped with the host to make it work? It certainly isn't any special kind of directory you have to make, is it? That doesn't seem right. If this requires certificates then I suppose it requires that you purchase one.... woof.

All this started because I wanted to use a banner image in a PayPal shopping cart thing to sell T-Shirts from one of my websites. If you don't host the banner from a secure server the visitor will receive a message that the connection is not secure (duh).

Steve Jobs ate my cat's watermelon.
Captain Drew on Twitter
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2006-09-23, 11:55

Here's how it works on the user's end.

1. User's browser sends a request for your website.
2. Server sends back its SSL certificate containing the website's public encryption key.
3. Browser checks the expiration date of the certificate and checks its certificate authority signature against a list of known "trusted" CAs. If either the date or CA identifier is bad, the browser should alert the user to confirm whether or not to continue.
4. Browser creates a random secret phrase that it will use to encrypt the rest of the session. Browser encrypts that secret key using the server's certificate's public key.
5. Both browser and server use that secret phrase to generate another "master" secret phrase that is used to create session keys that are used to encrypt and decrypt all communications.
6. Browser sends a message (now encrypted, of course) saying it wants to start the session.
7. Server responds (again, now encrypted) saying it agrees to use the new session key.

Voila! At that point, a little lock icon will probably appear somewhere in the browser window to indicate that the contents are being encrypted.

All of that is transparent to the user. The only time a user would be notified there is if the certificate is out of date or was signed by a CA that's not on the list of trusted CAs. In Mac OS X, you can see a list of trusted CAs by opening Keychain Access, selecting the X509Anchors keychain, and choosing the Certificates category.

If you want to use one of the trusted CAs, you'll have to purchase a new certificate. The certificate will be bound to your web server's IP address, not the domain name. So, you'll want a dedicated IP for your domain if at all possible because other virtual hosts on the same IP could use it.

As for installing a new certificate, I've never actually done that. The above knowledge just came from a security class I took at university. It's been a while, but I think I remembered it all correctly. Instructions for installing the certificate probably vary based on the type of server software you're using (Apache, IIS, etc).

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
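To make the seven steps in Brad's reply concrete, here is an added toy model of that session setup (example code written for this thread, not anything from the original posts or from any real TLS library). It models step 3 as a browser-side check of expiry, trusted issuer, CA signature and hostname, and steps 4 and 5 as both ends deriving the same master secret and session keys from the browser's random pre-master secret. Everything cryptographic is a labelled stand-in: the CA "signature" is an HMAC under a constructed CA secret instead of an RSA signature, the pre-master secret is handed over directly instead of being encrypted under the server's public key, and the key derivation is an HMAC-SHA256 expansion in the spirit of the TLS PRF rather than the exact one. The trust store, certificate fields and hostnames are all constructed.

```python
"""Toy model of the HTTPS session setup described in the post above (added example, not real TLS)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed trust store: CA name -> CA verification secret (stand-in for the CA's public key).
TRUSTED_CAS = {
    "Example Root CA": b"example-root-ca-key",  # constructed value
}


def sign_cert(cert: dict, ca_key: bytes) -> bytes:
    """CA 'signature': HMAC over the certificate's identifying fields (stand-in for RSA/ECDSA)."""
    tbs = "|".join([cert["subject"], cert["issuer"], cert["not_before"],
                    cert["not_after"], cert["public_key"]])
    return hmac.new(ca_key, tbs.encode(), hashlib.sha256).digest()


def validate_certificate(cert: dict, hostname: str, now: datetime, trusted_cas=TRUSTED_CAS):
    """Step 3: expiry window, trusted issuer, CA signature, and the hostname match browsers also check."""
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not (not_before <= now <= not_after):
        return False, "certificate expired or not yet valid"
    ca_key = trusted_cas.get(cert["issuer"])
    if ca_key is None:
        return False, f"issuer {cert['issuer']!r} is not a trusted CA"
    if not hmac.compare_digest(sign_cert(cert, ca_key), cert["signature"]):
        return False, "CA signature does not verify"
    if cert["subject"] != hostname:
        return False, f"certificate is for {cert['subject']!r}, not {hostname!r}"
    return True, "ok"


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion in the style of the TLS PRF (P_hash); simplified, not the real one."""
    out = b""
    a = label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 5: both ends turn the pre-master secret into a 48-byte master secret."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def derive_session_keys(master: bytes, client_random: bytes, server_random: bytes):
    """Key block split into a client-write key and a server-write key (16 bytes each)."""
    block = prf(master, b"key expansion", server_random + client_random, 32)
    return block[:16], block[16:]


def handshake(cert: dict, hostname: str, now: datetime):
    """Steps 1-7 end to end: returns (ok, reason, client_keys, server_keys)."""
    ok, reason = validate_certificate(cert, hostname, now)
    if not ok:
        return False, reason, None, None  # browser would warn the user here
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = secrets.token_bytes(48)  # step 4: the browser's random secret
    # Step 5: each side derives independently from the same inputs and must agree.
    master_c = derive_master_secret(premaster, client_random, server_random)
    master_s = derive_master_secret(premaster, client_random, server_random)
    client_keys = derive_session_keys(master_c, client_random, server_random)
    server_keys = derive_session_keys(master_s, client_random, server_random)
    return True, "ok", client_keys, server_keys


def make_cert(subject, issuer, not_before, not_after, ca_key) -> dict:
    """Build a constructed certificate record and 'sign' it with the CA stand-in key."""
    cert = {"subject": subject, "issuer": issuer, "not_before": not_before,
            "not_after": not_after, "public_key": "constructed-public-key"}
    cert["signature"] = sign_cert(cert, ca_key)
    return cert


NOW = datetime(2006, 9, 23, tzinfo=timezone.utc)  # constructed 'current time'
GOOD_CERT = make_cert("shop.example", "Example Root CA",
                      "2006-01-01T00:00:00+00:00", "2007-01-01T00:00:00+00:00",
                      TRUSTED_CAS["Example Root CA"])
EXPIRED_CERT = make_cert("shop.example", "Example Root CA",
                         "2004-01-01T00:00:00+00:00", "2005-01-01T00:00:00+00:00",
                         TRUSTED_CAS["Example Root CA"])
UNTRUSTED_CERT = make_cert("shop.example", "Homemade CA",
                           "2006-01-01T00:00:00+00:00", "2007-01-01T00:00:00+00:00",
                           b"homemade-key")

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("expired", EXPIRED_CERT), ("untrusted", UNTRUSTED_CERT)]:
        ok, reason, ck, sk = handshake(cert, "shop.example", NOW)
        print(f"{name}: ok={ok} reason={reason} keys_agree={ck == sk}")
```

The expired and home-made-CA cases are the two situations Brad describes where the browser stops and asks the user; the hostname mismatch case is the check a modern browser adds on top. Note that a real HTTPS client never learns the server's private key, and the real pre-master secret is protected by public-key encryption or a Diffie-Hellman exchange; this model only shows that once both sides share it, they derive identical session keys without ever sending those keys.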
drewprops
Space Pirate
 
Join Date: May 2004
Location: Atlanta
 
2006-09-24, 05:56

Wow!! Thanks Brad!!
Of course I'm not going to go to that trouble just to display a banner in a PayPal shopping cart. The effort and expense involved would be for companies that are planning to do a significant amount of online business.

Kraetos
Lovable Bastard
 
Join Date: Dec 2005
Location: Boston-ish
 
2006-09-24, 10:41

Hold on.

Does that mean if you want to use PayPal at ALL, you need to be coming from a secure page?
Yonzie
Mac Mini Maniac
 
Join Date: Sep 2005
 
2006-09-25, 13:27

Quote:
Originally Posted by Kraetos
Hold on.

Does that mean if you want to use PayPal at ALL, you need to be coming from a secure page?
No, it means that the user is warned by the browser (if not disabled) when going from a non-secure page to a secure page.
In order to avoid this, drewprops has to host his website on a server supporting SSL.

Converted 07/2005.
drewprops
Space Pirate
 
Join Date: May 2004
Location: Atlanta
 
2006-09-25, 19:49

IF I wanted to display a custom banner image in the header for the FREE PayPal shopping cart that is! It's fine to link to PayPal from buttons on a non-secure website because the user's browser is directed to PayPal's secure servers.

Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2024, AppleNova