ON INTERNET SECURITY

SSLREF
Netscape SSLRef is a reference implementation of the Secure Sockets Layer protocol intended to aid and accelerate developers' efforts to provide advanced security within TCP/IP applications that use SSL. SSLRef consists of a library, distributed in ANSI C source-code form, that can be compiled on a wide variety of platforms and operating systems and linked into an application program. It's free for noncommercial use and available now.

OPEN STANDARDS
Netscape remains fundamentally committed to supporting open standards in the development of commercial Internet applications. As discussions on these important topics continue, we will periodically publish papers to answer any questions our users might have.

What's security for?
The security features built into Netscape Navigator and the Netscape Commerce Server protect your Internet communications with:

Read on to find out:

  1. Where can I learn about security?
  2. Can I safely transmit personal information such as credit card numbers?
  3. How does Netscape's security technology protect me?
  4. To what degree can SSL security protect me?
  5. How can I tell when security is in effect?
  6. What does the Document Information dialog box tell me?
  7. Are certificates required and where do you get one?
  8. Can one certificate be used on multiple servers?
  9. Do security features impose any limitations on the ability to access sites?

Where can I learn about security?
The Internet security technology developed by Netscape Communications to ensure private and authenticated communications (called SSL, short for Secure Sockets Layer protocol) is an open platform put into the public domain for the Internet community. Netscape Navigator and the Netscape Commerce Server are the first products to offer this nonproprietary technology.

Netscape Navigator Handbook
Look under "Security" in the handbook index to learn about the need for security on the Internet and how to recognize the security features built into Netscape Navigator.

Netscape Data Security
This technical document provides an overview of security implementation and plans from Netscape Communications. You'll find a summary of SSL and details on how Netscape Navigator and Netscape Commerce Server use SSL.

Using RSA Public Key Cryptography
This technical tutorial illustrates the basic tenets employed by Netscape's security technology, including public and private keys, message digests, digital signatures, and certificates. You can also obtain general security information and Netscape Server product security information directly from RSA Data Security, Inc.

The SSL Protocol
This comprehensive, highly technical document is the specification for the Secure Sockets Layer protocol. Appendices include a glossary and a description of potential security attacks.

Can I safely transmit personal information such as credit card numbers?
You can enter your credit card number on a secure (https) Netscape Navigator form and transmit the form over the Internet to a secure Netscape Commerce Server without risk of an intermediary obtaining your credit card information. The security features offered by Netscape Communications technology protect commercial transactions, as well as all other communications, from misappropriation and fraud that could otherwise occur as information passes through Internet computers.

Secure communication does not eliminate all of an Internet user's concerns. For example, you must be willing to trust the server administrator with your credit card number before you enter into a commercial transaction. Security technology secures the routes of Internet communication; it does not protect you from disreputable or careless people with whom you might choose to do business.

The situation is analogous to telling someone your credit card number over the telephone. You may be secure in knowing that no one has overheard your conversation (privacy) and that the person on the line works for the company you wish to buy from (authentication), but you must also be willing to trust the person and the company.

Server administrators must take additional precautions to prevent security breaches. To protect your information, they must maintain physical security of their server computers and control access to software passwords and private keys.

How does Netscape's security technology protect me?
The security features built into Netscape Navigator and Netscape Commerce Server protect your Internet communications with:

Without thorough security, information transmitted over the Internet is susceptible to fraud and other misuse by intermediaries. Information traveling between your computer and a server uses a routing process that can extend over many computer systems. Any one of these computer systems represents an intermediary with the potential to access the flow of information between your computer and a trusted server. You need security to make sure that intermediaries cannot deceive you, eavesdrop on you, copy from you, or damage your communications. The Internet does not provide built-in security.

The SSL protocol delivers server authentication, data encryption, and message integrity. SSL is layered beneath application protocols such as HTTP, Telnet, FTP, Gopher, and NNTP, and layered above the connection protocol TCP/IP. This strategy allows SSL to operate independently of the Internet application protocols. With SSL implemented on both the client and server, your Internet communications are transmitted in encrypted form, ensuring privacy.

To what degree can SSL security protect me?
With Netscape's security technology, information you send can be trusted to arrive privately and unaltered to the server you specify (and no other). To evaluate the strategic and quantitative implications of the SSL implementation of certification and public key technology, consult The SSL Protocol specification.

SSL uses authentication and encryption technology developed by RSA Data Security Inc. For example, Netscape Navigator's export implementation of SSL (U.S. government approved) uses a 40-bit key size for the RC4 stream encryption algorithm. The encryption established between you and a server remains valid over multiple connections, yet the effort expended to defeat the encryption of one message cannot be leveraged to defeat the next message.

A message encrypted with 40-bit RC4 takes on average 64 MIPS-years to break (a 64-MIPS computer needs a year of dedicated processor time to break the message's encryption). The 128-bit U.S. domestic version provides exponentially greater protection. The effort required to break any given exchange of information is a formidable deterrent. Server authentication uses RSA public key cryptography in conjunction with ISO X.509 digital certificates.

Netscape Navigator and Netscape Commerce Server deliver server authentication using signed digital certificates issued by trusted third parties known as certificate authorities. A digital certificate verifies the connection between a server's public key and the server's identification (just as a driver's license verifies the connection between your photograph and your personal identification). Cryptographic checks, using digital signatures, ensure that information within a certificate can be trusted.

How can I tell when security is in effect?
Netscape Navigator identifies secure documents in several ways. You can tell whether a document comes from a secure server by looking at the location (URL) field. If the URL begins with https:// (instead of http://), the document comes from a secure server. You need to use https:// for HTTP URLs with SSL and http:// for HTTP URLs without SSL.

You can also verify the security of a document by examining the security icon in the bottom-left corner of the Netscape Navigator window and the colorbar across the top of the content area. The icon consists of a doorkey on a blue background to show secure documents and a broken doorkey on a gray background to show insecure documents. The colorbar across the top of the content area is blue for secure and gray for insecure.

A mixed document containing secure and insecure information is displayed as secure, with insecure information replaced by a mixed security icon. Some servers may permit you to access documents insecurely (using http://), permitting you to view mixed documents without icon substitution.

More detailed security information can be found by choosing the File/Document Information menu item. Several configurable notification dialog boxes inform you when you are entering or leaving a secure space, viewing a secure document that contains insecure information, and using an insecure submission process. You'll always be warned if a secure URL is redirected to an insecure location, or if you're submitting via a secure form using an insecure submission process.

What does the Document Information dialog box tell me?
Choosing the File/Document Information menu item produces a dialog box with a document's title, location (URL), date of last modification, character set encoding, and the security status of a document. Secure documents specify the type of encryption protecting the document and the version, serial number, issuer, and server subject of the certificate backing the document.

Encryption Key
States the type of public key supported. For example, the high-grade encryption key for U.S. domestic use only (RC4, 128-bit) refers to the 128-bit key size for the RC4 stream encryption algorithm.

Subject (server id)
The certification request process requires that each server administrator supply an e-mail address and certain identifying information. Identifying information may include:
  • Country (C): two-character country code
  • State or Province (ST): unabbreviated state/province name
  • Organization (O): legal, registered organization name
  • Organizational Unit (OU): optional department name
  • Locality (L): city the organization resides or is registered in
  • Common Name (CN): the server's fully qualified host name (such as: hostname.netscape.com)

Issuer (certifier id)
Identifies the certificate authority responsible for issuing the certification. Identifying information is presented using the same abbreviations as those used to identify the server (C, for country, and so on).

Are certificates required and where do you get one?
To operate using security features, Netscape Commerce Server requires a digitally signed certificate. Without a certificate, the server can only operate insecurely. If you are a server administrator and want to obtain a signed certificate, you need to submit a certificate request to a certificate authority, a third-party organization that issues certificates, and pay an associated service fee.

Netscape Communications has engaged RSA Certificate Services, a division of RSA Data Security, Inc., to issue certificates to Netscape Server product customers and will engage other certificate authorities over time. The process to obtain a certificate is explained in the Netscape Commerce Server manual. During the certificate request process, your server software generates a public key/private key pair and you choose a distinguished name. On-line forms guide you through the process of submitting the form to RSA.

RSA verifies the authenticity of each certificate request (making sure requesters are who they claim to be). The approval process helps protect you, your organization, and the certificate authority. Upon approval, RSA digitally signs the request and returns the unique digitally signed certificate to you through e-mail. You can then install the signed, valid certificate and enable security. You'll need to establish adequate precautions to maintain the integrity of the signed certificate and your private key.

Can one certificate be used on multiple servers?
Technically, one certificate can be used on multiple servers; however, risks are involved that would discourage this choice in many circumstances. If the same certificate is used on multiple servers, any compromise of one server's public key and private key pair endangers information on the other servers.

(Certificates are protected by public and private key pairs linked by a powerful cryptographic algorithm. These keys have the ability to encrypt and decrypt information. No one else's keys can decipher messages to you encrypted with your public key. And no one else's keys can be used to pose as you by sending messages encrypted with your private key.)

Similar risks would be incurred if you were to choose to secure your house, office, car, safety deposit box, and bike with the same key. You would only have to carry around a single key, but you would not have the flexibility to provide access to one item without providing access to all items. If security was compromised for one item, it would also be compromised for other items.

Multiple servers that are running on the same piece of hardware can technically use the same certificate. However, as your software installations expand, the need for different levels of security and individual keys increases. The security requirements for information served at remote locations or on separate hardware are best satisfied by unique certificates.

Do security features impose any limitations on the ability to access sites?
The security protocol works as an adjunct to other protocols without limiting access capabilities. You can use Netscape Navigator to bring up either secure or insecure documents. Nor does security limit Netscape's Usenet news or electronic mail abilities.

If a document that is otherwise secure contains information that is insecure, the insecure information is replaced by a mixed security icon. However, a server may permit you to bypass this security feature by accessing the mixed security document through the insecure http protocol instead of the secure https protocol. The security aspects of SSL protect you from insecure transmissions, but do not limit your ability to receive insecure transmissions.

On-line forms can be secure if the submit action is an https:// URL to a secure server. Netscape Navigator uses dialog boxes to inform you about the security status of the submission process when you submit a form.

You can save a secure document (though secure documents are not cached to disk among sessions). You can also view the HTML source of a secure document. Security affects the transmission of a document without affecting your ability to manipulate the document.


Copyright © 1996 Netscape Communications Corporation