There are many schools of thought on how security on the Web should be handled. A reliable way to exchange sensitive information on the Internet is sorely needed (see "Is the Internet a Safe Place to Live?" on page 29). The most promising initiatives currently are secure-socket layers (SSL) and secure hypertext transport protocol (S-HTTP).
Secure-Socket Layers
SSL is a cryptosystem at the protocol level. When a client requests a secure connection with a secure server, the server sends a signed digital certificate which contains two types of information: the certificate data (server name, public key, validity dates, and the name of the authority) and the actual digital signature.
Certificate authorities (CAs) are trusted third-party companies who grant requests for digital signatures. CAs usually verify your company name and location and your legal right to publish the information on your Web server. A fee is charged for issuing the digital signature ($290 for the first license, $95 for each additional; $75/year). The CA uses its private key to encrypt the digital signature, so it cannot be forged.
Your server should be physically secure; your private key and administrative passwords should also be secure. The Netscape Commerce Server generates public/private key pairs when security is installed.
SSL uses RSA (a public cryptosystem for encryption/authentication, invented by Rivest, Shamir, and Adleman) data-security technology to provide end-to-end secure transactions for existing applications. SSL
works with all network protocols and provides encryption in the form of secure channels that prevent others from tapping into your network. Network authentication is accomplished using digital certificates and signatures from CAs. They identify users in information exchanges and transactions, ensuring message integrity and authenticity.
SSL has been available since October, 1994, and is currently in use by more than 3 million people. Recently, companies such as Microsoft, IBM, Apple, DEC, and Bank of America have supported it. It's free for non-commercial use and has a flat-fee license for commercial use.
Secure Hypertext Transfer Protocol
S-HTTP provides secure communications between an HTTP client and server. It's a flexible protocol that supports many modes of security such as multiple orthogonal modes, key management, trust models, cryptographic algorithms, and encapsulation. The client and server determine the modes for each transaction. This approach provides security options appropriate to the Web's wide range of uses.
S-HTTP doesn't require client-side public-key certificates (or public keys). Instead, it uses symmetric session key operation modes. This capability means that spontaneous, private, secure transactions can occur. While S-HTTP can take advantage of emerging certification systems, it can still operate without them.
Currently S-HTTP is in beta. It is not available on any of the Web servers reviewed.
