[newbie] regarding SSL.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Post by claws »

hi.. guys.

There are many doubts here in this post. I have given them numbers and highlighted them. Kindly clarify all.

I am a newbie. I started web development using PHP.
Now I need to make a website where bidding transactions and online money transfer have to be implemented.

I heard about SSL and saw it on a few websites.
But I am very confused by it.

I did a bit of googling and all I know about it is:
1. SSL is a kind of encryption algorithm/standard proposed by someone. The current version of this algorithm is SSL 3.0.
2. TLS is also a kind of SSL but newer than it, and its version is TLS 1.0.
3. These algorithms are built into the browser (so that the user can't change them, unlike a JavaScript function) and on the server side (we have to set up something), and all the data transactions will be in encrypted form.
Q1: So on the server side, should I install a server (like a database) or some other software for SSH? Or is it taken care of by the PHP language (Secure Shell2 Functions -- library from the PHP manual)?
Q2: SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. What does this mean?
Q3: If everything can be done in PHP, then on every page should I use the functions of this Secure Shell2 Functions library? Can't I do something to my server so that all the traffic through it is encrypted?
Q4: On the client side, how do I invoke this SSL/TLS?
Q5: What are certificates? I opened my Firefox and looked into its security->advanced options. There I found a lot of stuff that I didn't understand.
Q6: Say I have a form in a page. Will the entire form undergo this SSL when submitted using GET/POST methods? I mean, I want fields like bank acc no, current balance, etc. to be encrypted and the rest non-encrypted. How can I do that? Is that what we call a partially encrypted page?

Please, if you find any links that help me in clearing all my doubts, kindly post them here.

Post by Ambush Commander »

You're mixing up SSH (Secure Shell) and SSL (Secure Socket Layer). Most of your questions are of a very theoretical nature, and probably won't help you set things up if your host doesn't support it. Who's hosting the website?

Post by claws »

Oh.. yeah. I didn't even notice that I am mixing up both SSH and SSL.
See.. this shows what a confused state I was in while writing the question.

Yeah, I know my questions are of a theoretical type. I am sorry for troubling you ppl.
But I have no one to guide or help.
pls.. kindly help me.

And regarding the host of the website, we are planning to host it at http://www.lunarpages.com

You said that the HOST should support that. OK, that's not a problem. We'll take appropriate servers that meet our requirements.

But first I should know: what is it? How does it work? How to implement it?

Post by Ambush Commander »

You'll need to purchase the unique IP and SSL cert plans from the host. They'll set everything up and then you'll be able to access everything via https:

Although you may want to consider using an external vendor if your business isn't too big.

Post by claws »

ok thanks.

But please clarify my doubts, at least 3, 4, 5, 6.

Post by RobertGonzalez »

SSL is an encryption layer that sends HTTP requests and responses over encrypted transmissions. Typically you install an SSL certificate that sets an SSL key on your server on port 443. Your web server then needs to be configured to accept SSL requests on port 443 and it has to be given the location of the SSL cert and key.

Requests that are made to the https protocol of your server are then handled by the part of the server config that is set up to listen on port 443, and then the server uses the SSL cert and key to decrypt the encrypted request and serve back the encrypted response in a way that a browser can decrypt the encrypted response.

All in all, it is a seamless integration when done right. It takes a little patience and about 30 minutes to get everything just right. You will need to restart your web server several times and may need to reboot the actual machine once.

But if you are doing anything with money, personal or secure information, the site needs to be SSL encrypted. Period.
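
The server setup described in the post above, as an added example that is not part of the original thread. It assumes Apache httpd with mod_ssl (the thread names no web server); the hostname, document root and certificate/key paths are placeholders.

```apache
# Constructed example: hostname and all file paths are placeholders.
# Requires mod_ssl to be loaded and a "Listen 443" directive, which most
# distributions already place in their packaged SSL configuration.

# Plain HTTP on port 80: serve nothing here, only redirect to the HTTPS site,
# so a form is never submitted over an unencrypted connection.
<VirtualHost *:80>
    ServerName shop.example.com
    Redirect permanent / https://shop.example.com/
</VirtualHost>

# HTTPS on port 443: this is the part of the server config that handles
# https:// requests and is given the location of the certificate and key.
<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop

    SSLEngine on

    # Certificate issued for this hostname (public, sent to every browser).
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt

    # Matching private key. Keep it readable only by root / the web server
    # user; anyone who obtains it can impersonate the site.
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # Refuse obsolete protocol versions; modern browsers negotiate TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Encryption here applies to the whole connection to the port 443 virtual host, so every request and response on it, including all submitted form fields, is encrypted in transit without any per-page PHP code.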