Monday, January 21, 2013

ASP.NET Security: Secure Sockets Layer (SSL)

SSL technology encrypts communication between a client and a website. Although it slows performance, it’s often used when private or sensitive information needs to be transmitted between an authenticated user and a web application. Without SSL, any information that’s sent over the Internet, including passwords, credit card numbers, and employee lists, is easily viewable to an eavesdropper with the right network equipment.

Even with the best encryption, you have another problem to wrestle with—just how can a client be sure a web server is who it claims to be? For example, consider a clever attacker who uses some sort of IP spoofing to masquerade as Even if you use SSL to transfer your credit card information, the malicious web server on the other end will still be able to decrypt all your information seamlessly. To prevent this type of deception, SSL uses certificates.

The certificate establishes the identity, and SSL protects the communication. If a malicious user abuses a certificate, the certificate authority can revoke it. To use SSL, you need to install a valid certificate. You can then set IIS directory settings specifying that individual folders require an SSL connection. To access a page in such a folder over SSL, the client simply types the URL with https instead of http at the beginning of the request.

In your ASP.NET code, you can check whether a user is connecting over a secure connection using code like this:

protected void Page_Load(Object sender, EventArgs e)
{
    // IsSecureConnection is true when the request arrived over HTTPS.
    if (Request.IsSecureConnection)
        lblStatus.Text = "This page is running under SSL.";
    else
    {
        lblStatus.Text = "This page isn't secure.<br />";
        lblStatus.Text += "Please request it with the ";
        lblStatus.Text += "prefix https:// instead of http://";
    }
}
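The check above only reports the connection state to the user. As an added example (not code from the original post), the same Request.IsSecureConnection test can be applied to every request in Global.asax so that no page is served over plain HTTP. The TrustForwardedProto switch, the X-Forwarded-Proto handling for a proxy that terminates SSL, and the one-year Strict-Transport-Security lifetime are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Global.asax.cs: added example, not code from the original post.
public class Global : HttpApplication
{
    // Assumption: enable only when a trusted reverse proxy terminates SSL and
    // sets X-Forwarded-Proto itself; otherwise any client can forge the header.
    private static readonly bool TrustForwardedProto = false;

    private static bool IsSecure(HttpRequest request)
    {
        if (request.IsSecureConnection) return true;
        return TrustForwardedProto && string.Equals(
            request.Headers["X-Forwarded-Proto"], "https",
            StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (IsSecure(Request))
        {
            // Ask browsers to use HTTPS for this host for the next year.
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        string method = Request.HttpMethod;
        if (method == "GET" || method == "HEAD")
        {
            // Same host, path and query, with the https scheme on port 443.
            var target = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = 443 };
            Response.RedirectPermanent(target.Uri.AbsoluteUri, true);
        }
        else
        {
            // A form body sent over http has already crossed the network in
            // clear text, so refuse it instead of redirecting.
            Response.StatusCode = 403;
            Response.StatusDescription = "SSL required";
            CompleteRequest();
        }
    }
}
```

A redirect protects only the requests that follow it; the first http request, including any cookies it carries, is still sent unencrypted, so session cookies should also be marked Secure.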
