Setting Up an SSL Solution







There are three basic methods of setting up a secure e-commerce Web site using SSL:

  1. You can buy a complete SSL solution, including the SSL certificates, from an established vendor. The vendors deliver fully configured servers and all you have to do is build code into your Web site and put it on the box. Most vendors also offer Web-building solutions.

  2. You can go to a Web hosting service and basically buy “space” on one of their Web servers that are already set up to run SSL transactions. This kind of service is referred to as a Co-Lo (pronounced “KOE-loe”), which means co-location hosting service. These companies usually have an enormous number of servers situated in what is referred to as a “server farm” (a large, air-conditioned computer room), and the service has a very fast connection to the Internet. Co-Lo’s can also handle your domain name registration and arrange for your SSL Digital Certificates. You usually pay a monthly fee for this type of service.

  3. You can build your own solution. You can go from as simple as you please to large and complex. There are open source Web servers and SSL applications, which means they are free. You still need to get your SSL Digital Certificates and they are a lot more expensive than you would expect. On the other hand, you get what you pay for, too.

What equipment do I need?

You can set up an e-commerce site using SSL for very little investment in equipment. First of all, I’m going to make the foolish assumption that you already have a network that has a fast connection to the Internet. I’m also going to assume that you have a static IP address and registered domain name. If you don’t have a domain name and your own IP address, then you’ll either have to get them, or you’ll have to go with a Co-Lo service. (I address some of the Co-Lo issues in the E-Commerce Managers Checklist.)

Here’s a list of what you’ll need and what you’ll need them for:

  • A server to use as your Web server/e-commerce site. If you don’t expect a lot of traffic, you can even use a desktop machine. On the other hand, it’s best to plan ahead and, if you expect your traffic to grow quickly, you’re better off getting a server that has enough RAM and disk space to handle a heavy load. (Many SSL applications are open source freeware. Don’t pay if the free goods will work for you.)

  • A redundant server to mirror your Web site. This is to be used in emergencies: if your Web site is hacked, suffers disk failures, or meets some other catastrophe. Believe me, a little money spent on an extra machine will save you thousands in labor and headaches if the worst should happen. Your redundant machine should be configured so you can make an easy switch from one to the other, and it does not have to be a top-of-the-line server, either. It just needs to be powerful enough to handle the load until the main server can come back in service.

  • A firewall to protect your internal network. Your Web server should have a hardened operating system with all the necessary security patches so that it will be resistant to attack. But you don’t want to put the Web server behind the firewall because the firewall would slow down traffic too much. You place the Web server in front of the firewall so that traffic going from your Web server to your internal site is protected from malicious tricks and treats. You can build a firewall using freeware tools or you can purchase a commercial firewall. Whichever the case, the computer you use should be used as the firewall and nothing else.

  • A key server/certificate server to issue keys and Digital Certificates that SSL needs to operate. This server is on the inside of the network; behind the firewall. While most web servers are capable of handling these transactions themselves, a separate server is a good idea if you expect heavy traffic on your Web server. Having a separate key server gives you an added layer of security because it makes it harder for someone to hack your system and find your keys.

  • A database server to hold all the data for the Web server: product pictures, product descriptions, inventory, pricing and orders, customer personal and payment information, and so on. Essentially this is the server that will handle all the back-office type operations that a person would handle if this were a real store. This information should never be on the same server as the Web server and, because your business is highly dependent upon this data, the database should be behind the firewall and heavily protected with access controls and other security measures.

  • A back-up device/server to store data from the database. This machine may be needed to restore the database, so it must be kept up to date.

  • Cryptographic accelerator cards. This is an optional item and is only necessary when you start receiving more than 300-500 page requests per second on your Web server. Because SSL (and TLS, for that matter) relies on cryptographic functions, a lot of the computer’s processing power is used to generate cryptographic keys. This processing can significantly slow down the response your customer gets when trying to obtain a secure connection. A crypto accelerator installed on your Web server takes that load off the server’s CPU, and the Web site works faster.

The computers I’ve listed and the jobs they do are really just the minimum for an adequate e-commerce site. If you plan on having a really large and complex site with thousands of combinations of choices, then you would require much more than this. Not only that, but you’ll need very talented staff to run it all for you, too. If you don’t expect much traffic or if you don’t have an IT department, you may want to consider outsourcing your e-commerce site to a Co-Lo.

If you buy a total e-commerce solution (what I call “e-commerce in a box”), you will not need all the hardware that I have just mentioned. There are a number of other decisions you will have to make if you decide to outsource your e-commerce site and I cover those next.

The e-commerce manager’s checklist

So you’ve decided that e-commerce is something your business cannot do without. Maybe you’ve decided to do it to keep up with your competition and maybe you even have a new approach to e-commerce that will blow your competition away. Whatever the case, you can’t handle this undertaking blindfolded — there are hundreds of questions and considerations that need to be addressed. I won’t be going into minute detail of all these questions and considerations because that would be better handled in a different book. What I will do, however, is give you the top level decisions that you have to make just to get you on the road to developing your e-commerce site. Figure is in a checklist format for you so you can copy this page and have it with you as you walk through the steps. For each decision I’ll give you the related considerations and consequences.

Figure: The E-Commerce Manager’s Checklist

Question | Answer | The Reason

What do I need to make SSL run on my site?

Three things:

1. SSL Digital Certificates

2. Qualified Domain Name

3. Static IP Address

An SSL Digital Certificate can only be sold to a “real” business. You have to purchase these certificates from established vendors such as Verisign and GTE CyberTrust. An SSL certificate will not work if it is used on a computer with a shared IP address, and none of the vendors will sell you a certificate if you don’t own the domain name (such as ‘widgets.com’).

Are there different types of SSL Digital Certificates?

Yes. There are “private” SSL Digital Certificates and “shared” SSL Digital Certificates.

“Private” SSL Digital Certificates are only sold to companies that can prove they are real and can only be used on sites that have a fully qualified domain name and a static IP address.

“Shared” SSL Digital Certificates are used when you outsource your e-commerce business to a hosting service or Co-Lo.

How much do SSL digital certificates cost?

The costs for SSL certificates vary greatly. A Verisign certificate for two years will set you back $1595 but a lesser known brand such as Comodo will only cost $199 for three years. Some Certificate Authorities will only charge an annual renewal fee after the initial cost while others are on a strict annual fee. (These fees are for your own, private certificate.)

If you are also outsourcing your e-commerce business to a Co-Lo hosting service, you will probably be “sharing” one of their SSL certificates. This cost is usually disclosed up front and is much cheaper than having a private SSL certificate.

A lot depends on the reputation of the Certificate Authority and the extra services they provide. There is a very good service and price comparison chart at WhichSSL. The Web page is www.whichssl.org/content/table/

The WhichSSL site has information on the reputation of the Certificate Authorities and some of the bait and switch games that are played by some Co-Lo hosting services.

Where do I buy SSL digital certificates?

If you are buying a private SSL certificate, you go straight to the vendor’s Web site and place your order online. However, if you are buying more than five certificates, it’s best to contact the vendor directly and negotiate a special price.

If you are using a Co-Lo hosting service, the fee is payable directly to the Co-Lo.

Prices for private SSL certificates are listed on the vendor’s Web site. You can always call the company and try to negotiate your own price, especially if you will be buying a large number of certificates.

If you are outsourcing your e-commerce site, your Co-Lo has already negotiated with a vendor for their certificates and the Co-Lo will pass some of that cost on to you.

What documentation do I need to buy SSL certificates?

1. Corporate documents such as a business license or articles of incorporation.

2. Proof of ownership of your domain name. (A ‘whois’ listing is usually sufficient if it is listed under your company’s name.)

An SSL Digital Certificate is a document that testifies that you are who you are. No company in their right mind will sell you a certificate without asking you for proof of identity.

In this way, the Certificate Authorities are protecting themselves and you against fly-by-night companies who set up shop, take your money, and disappear.

Do I need any special HTML coding in my Web pages to make the SSL certificates work?

Yes, but it’s not very difficult to code the link to start an SSL session. A typical hypertext link to begin an SSL session will look something like this: <a href="https://www.yourdomain.com/orderpage.htm">Go SSL Name</a>. Note that the page address begins with “https” and not plain old “http.”

The coding to begin and end an SSL session is not difficult, but you will also need the coding necessary to handle the ordering and that is much more difficult and requires very experienced staff. The code needs to be written in a way that guarantees security and privacy.

On the other hand, there are some very good “shopping cart” type programs that have the SSL coding included. If you are working with Paypal or similar, they can provide you with the SSL coding you need, too.

You can buy special e-commerce programs that are called “shopping carts” for obvious reasons. If you go that route you need to make sure that the vendor is reputable and that the coding won’t end up sending credit card numbers to someone in China.

If you are going to handle this yourself, you need someone who is experienced in writing CGI (Common Gateway Interface) programs and commands. These programs are especially important because without them your Web server won’t be able to talk to the database.
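
One way to check the "https, not http" point from the HTML coding question above is to scan a page for links and form actions that would leave the SSL session. This is an added example, not code from the book; the sample page, the CGI paths and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the book): a correct https order link,
# an order form posting over plain http, a relative form action, and an
# ordinary http catalog link.
SAMPLE_PAGE = """
<a href="https://www.yourdomain.com/orderpage.htm">Go SSL Name</a>
<form action="http://www.yourdomain.com/cgi-bin/order.cgi" method="post">
  <input type="text" name="cardnumber">
</form>
<form action="/cgi-bin/login.cgi" method="post">
  <input type="password" name="pw">
</form>
<a href="http://www.yourdomain.com/catalog.htm">Catalog</a>
"""


class InsecureTargetFinder(HTMLParser):
    """Collect links and form actions that resolve to plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url  # URL the page itself was loaded from
        self.findings = []        # (tag, resolved URL) pairs

    def handle_starttag(self, tag, attrs):
        attr_name = {"a": "href", "form": "action"}.get(tag)
        if attr_name is None:
            return
        target = dict(attrs).get(attr_name)
        if target is None:
            if tag != "form":
                return            # anchor without href: nothing to follow
            target = ""           # form without action submits to the page itself
        # Relative targets inherit the scheme of the page they appear on.
        resolved = urljoin(self.page_url, target)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))


def find_insecure_targets(html, page_url):
    """Return every <a>/<form> target in html that would travel unencrypted."""
    finder = InsecureTargetFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for tag, url in find_insecure_targets(
            SAMPLE_PAGE, "https://www.yourdomain.com/orderpage.htm"):
        print(f"<{tag}> leaves SSL: {url}")
```

Findings tagged "form" matter most, because the customer's typed data is what gets sent in the clear. The relative login form is flagged only when the page itself is served over "http".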


