Application - Buying a Book from Amazon.com

The previous section showed in detail how SSL works. In this section we show how to configure and use SSL to buy a book with a common Web browser. The purpose is to show how the elements involved in a secure communication appear in the user interface, and to cover the configuration and troubleshooting of the security system. Suppose that Kathy wants to buy a computer book from a bookstore that sells books through a Web site. Let us call the vendor Paul's Online Bookstore (POB). Kathy uses a browser that supports SSL. The following steps are required for a secure transaction:

  1. Kathy sets up the security preferences of her Web browser. Generally this involves configuring the following:
    The cipher suite on the client: Browsers allow the user to choose from a set of possible cryptographic algorithms. A minimum for an economic transaction would be RC2, RC4 or DES with a key of at least 40 bits.
    The list of public keys trusted by Kathy: This is a bit confusing because Web browsers do not actually store the public keys themselves, but rather the public-key certificates of trusted parties, which contain the public keys. For example, Netscape Navigator comes preloaded with a list of public-key certificates for important Certificate Authorities in the U.S. and Canada.
    Personal public key certificate: Although rare today, it is possible for individuals to have their own certificates that can be used in transactions. These certificates are useful for the situation when the client has to be authenticated before accessing a server.
    General preferences: Kathy can set the alert conditions such as whether to get a warning when she communicates through an insecure connection, when the session starts to be secure and when the secure session is closed.
  2. After browsing through Web pages to select a book to purchase, Kathy must fill in a Web form on the bookstore's site and provide her credit card number to pay for the book. There are now two alternatives.
    1. If Kathy's browser and the vendor's server both support SSL, Kathy views the form by visiting an address whose URL starts with https instead of http.

      In this case, when the browser downloads the form, it first starts the SSL Handshake Protocol with the server. When the negotiation ends, the browser displays on Kathy's computer screen an alert window indicating that the secure channel has been opened. Kathy's browser then receives and displays the form.

      Kathy can optionally check the security features of the document. In a separate window Kathy's browser will display information about the form, such as the public-key certificate of the server. This also contains information about who the issuer is, and Kathy can check the validity of the certificate using the public key of the issuer. The following excerpt continues our example and shows the information for a form from www.amazon.com:

      Amazon.com: Finalizing Your Order has the following structure:
          https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
              Form 1:
                  Action URL: https://www.amazon.com/exec/obidos/order-form-page1/1560-1716296-170014
                  Encoding: application/x-www-form-urlencoded (default)
                  Method: Post

               Netsite: https://www.amazon.com/exec/obidos/order2/1560-1716296-170014
        File MIME Type: text/html
                Source: Currently in memory cache
      Local cache file: none
         Last Modified: Unknown
         Last Modified: Unknown
        Content Length: 2699
               Expires: No date given
               Charset: iso-8859-1 (default)
              Security: This is a secure document that uses a medium-grade
                        encryption key suited for U.S. export
                        (RC4-Export, 128 bit with 40 secret).
           Certificate: This Certificate belongs to:
                            www.amazon.com
                            Amazon.com, Inc.
                            Washington, US
                        This Certificate was issued by:
                            Secure Server Certification Authority
                            RSA Data Security, Inc.   US
                        Serial Number: 02:78:00:06:72
                        This Certificate is valid from Sun Jun 02, 1996 to Tue Jun 03, 1997
                        Certificate Fingerprint:
                            93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65
      
    2. If Kathy does not have SSL support, she cannot connect to the SSL port on the server. If she fills in a form and tries to send it, her Web browser should alert her to the fact that the credit card number will be sent over an insecure channel and may be compromised.
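
The checks Kathy makes by eye in the document information window can also be scripted. The following Python is an added example, not part of the original page: it parses the security and certificate lines quoted from the excerpt above (wrapped lines joined) and lists what a reader should weigh before submitting the form. The function names and the 128-bit threshold are assumptions made for illustration.

```python
import re
from datetime import date, datetime

# Lines quoted from the Document Info excerpt above, with wrapped lines joined.
DOC_INFO = (
    "Security: This is a secure document that uses a medium-grade encryption "
    "key suited for U.S. export (RC4-Export, 128 bit with 40 secret).\n"
    "This Certificate is valid from Sun Jun 02, 1996 to Tue Jun 03, 1997\n"
    "Certificate Fingerprint:\n"
    "  93:1D:1A:C6:2B:7F:60:2C:77:46:72:EB:1B:B4:4F:65\n"
)

# Digest length in bytes -> hash function that produces a fingerprint that long.
DIGEST_BY_LEN = {16: "MD5", 20: "SHA-1", 32: "SHA-256"}
DAY = r"\w{3} (\w{3} \d{2}, \d{4})"  # e.g. "Sun Jun 02, 1996"; weekday ignored


def parse_doc_info(text):
    """Extract cipher name, key sizes, validity window and fingerprint bytes."""
    c = re.search(r"\(([\w-]+), (\d+) bit(?: with (\d+) secret)?\)", text)
    v = re.search(rf"valid from {DAY} to {DAY}", text)
    f = re.search(r"Fingerprint:\s*([0-9A-Fa-f:]+)", text)
    if not (c and v and f):
        raise ValueError("not a recognisable Document Info excerpt")
    start, end = (datetime.strptime(s, "%b %d, %Y").date() for s in v.groups())
    key_bits = int(c.group(2))
    return {"cipher": c.group(1), "key_bits": key_bits,
            # Export suites keep only part of the key secret ("40 secret").
            "secret_bits": int(c.group(3)) if c.group(3) else key_bits,
            "not_before": start, "not_after": end,
            "fingerprint": bytes.fromhex(f.group(1).replace(":", ""))}


def audit(info, today, min_secret_bits=128):
    """List findings; min_secret_bits is an assumed policy, not from the page."""
    findings = []
    if info["secret_bits"] < min_secret_bits:
        findings.append(f"weak key: {info['secret_bits']} of "
                        f"{info['key_bits']} bits are secret")
    if not info["not_before"] <= today <= info["not_after"]:
        findings.append("certificate is outside its validity period")
    algo = DIGEST_BY_LEN.get(len(info["fingerprint"]), "unknown")
    if algo != "SHA-256":
        findings.append(f"fingerprint digest is {algo}, not SHA-256")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_doc_info(DOC_INFO), date.today()):
        print(finding)
```

Passing a date inside the certificate's validity window to `audit` leaves only the key-strength and fingerprint findings; any later date adds the validity finding.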

Further information on how to use SSL in browsers can be found in [NETS96c] and the user manual of browsers supporting SSL.

Rich Aliano <raliano@shrike.depaul.edu>
