If an application transmits sensitive information over the Web, an encrypted connection should be provided between the browser and the web server. The information that would warrant an encrypted connection includes:
- Sensitive information held on the server; e.g., commercial-in-confidence documents and bank account balances
- User credentials (usernames and passwords) used to gain access to sensitive services such as online banking or the administration of the winestore
- Personal details collected from the user, such as credit card numbers
- Session IDs, used by the server to link HTTP requests to session variables
In this section we focus on the common method of encrypting data sent over the Web using the Secure Sockets Layer. We discuss the basic mechanics of SSL in this section, and provide an installation and configuration guide for SSL and Apache as part of Appendix A.
This section isn't designed to cover the enormous topic of encryption. We limit our brief discussion to the features of SSL, and how SSL can protect web traffic. More details about cryptographic systems can be found in the references listed in Appendix E.