DOCSLIB.ORG

Verisign Solutions for Securing Multiple Web Server and Domain Configurations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Verisign Solutions for Securing Multiple Web Server and Domain Configurations White Paper VeriSign Solutions for Securing Multiple Web Server and Domain Configurations VERISIGN SOLUTIONS FOR SECURING MULTIPLE WEB SERVER AND DOMAIN CONFIGURATIONS As organizations and service providers enhance their Web sites and extranets with newer technology to reach larger audiences, server configurations have become increasingly complex. They must now accommodate multiple domains and subdomains, load balancing requirements, and SSL digital certificates to support authentication and encryption capabilities. This paper covers the usage of VeriSign SSL certificates for organizations securing multiple Web servers and/or multiple domains and subdomains. Executive Summary For the Internet to fulfill its potential as a vehicle for commerce and electronic communications there must be a basic and commonly accepted framework for trust and security. Today, SSL certificates form that basis in most e-commerce applications, providing the following to end-users: · The Right Site: Assurance that users are indeed doing business with a particular site · The Right Company: Positive identification of the organization with which users are communicating · Company’s Ongoing Existence: Representations regarding the existence of the organization and that it is a legitimate business · Privacy: Encryption of information exchanged online To provide these functions, SSL certificates must be used in particular ways in specified configurations. Basic trust principles require careful consideration in using SSL certificates. This document clarifies the proper use of SSL certificates in special network configurations, including: 1. Redundant server backups 2. Organizations running multiple servers to support multiple site names 3. Organizations running multiple servers to support a single site name 4. Service providers using virtual and shared hosting configurations VeriSign’s recommendations for each of these scenarios involve a unique certificate per domain name per server where feasible. In shared hosting environments, VeriSign requires that service providers clearly understand both the implications involved with allowing third parties to use their certificate for securing e-commerce transactions and the limitations placed on the benefits that merchants would normally receive as part of a regular SSL certificate offering from VeriSign. To specifically address the needs of service providers with large deployments of shared hosting customers, VeriSign will soon offer a Shared SSL authentication service for individual merchants and domains that will operate from a single shared certificate. I. VeriSign Server IDs: Encryption and Authentication VeriSign is the leading supplier of trust services for the Internet and boasts the industry’s most thorough authentication practices available, as detailed in its Certification Practice Statement (www.verisign.com/repository/cps/). VeriSign is the only certification authority (CA) to pass the rigorous SAS 70 Type II Audit, which is performed annually by the consulting firm KPMG. VeriSign has been issuing SSL certificates, also called VeriSign Server IDs, since 1995. As a result, its authentication practices have evolved due to the experience of issuing nearly a quarter of a million Server IDs. VeriSign’s practices ensure that sites utilizing Server IDs can offer their Web site visitors the highest degree of security and assurances when communicating over the Internet and passing sensitive information to their Web site or server. Once an organization has satisfied VeriSign’s authentication requirements, VeriSign will issue the Server ID, which provide two essential security components: encryption and authentication. Encryption VeriSign Server IDs enable Secure Sockets Layer (SSL) technology, which encrypts communications between a Web server and a customer’s browser. SSL ensures that all communications between the client and server are virtually impenetrable to outsider attack and unavailable for any third party to access, intercept, or monitor. Authentication An equally important feature of VeriSign Server IDs is that they assure end users of the identity of the organization to which they will be providing (and hence entrusting) sensitive data. Authentication assures Internet users that they are indeed communicating with the company (and domain name) listed in the certificate, not with an imposter spoofing the Web site to steal information from unsuspecting Web site customers. Authentication also allows end users to know precisely to whom they are entrusting their confidential information. For e-commerce Web sites, authentication provides end users with the name of the company that will be responsible for processing their payment and fulfilling their order. VeriSign enables this trust between Internet merchants and their customers by following very rigorous validation procedures when issuing Server IDs. These procedures include verifying the following facts: · The company owns or has the right to use the domain name of its Web site. · The company has provided proof that it has the right to do business under the name listed in the Server ID. · The individual requesting the Server ID is authorized to a request the certificate on behalf of the organization. 3 Note: Additional restrictions are imposed on users requesting strong encryption products (128-bit SSL), as these are subject to regulations by the United States Bureau of Export Administration. VeriSign also offers its customers the NetSure Protection Plan with each Server ID. NetSure is an extended warranty program that protects VeriSign Server ID customers against economic loss resulting from the theft, corruption, impersonation, or loss of use of the VeriSign Server ID. NetSure is backed by Lloyd’s of London, one of the world's largest, A-rated insurance confederations. VeriSign Server IDs each come with up to $250,000 of NetSure Protection. VeriSign Server IDs provide the basis for trust on the Internet. VeriSign Server IDs were the first certificates commercially used on the Internet, and they are now in use at hundreds of thousands of Web sites. The importance of certificates is growing at an extremely fast rate. In fact, many state and national governments have already passed legislation that make digital signatures created with digital certificates issued through a licensed certification authority the equivalent of hand-written signatures. VeriSign is currently licensed as a CA in eight states in the United States as of March 2000. II. Multiple SSL Certificate Implementations Several important elements in a certificate help ensure security and authenticity, as shown in Figure 1. Figure 1: Important Elements in a Certificate 4 These elements contribute three fundamental trust principles to digital certificates. 1. Client applications, such as Web browsers, must be able to verify that the site the user is visiting is the site that has been certified. In practice, this means that the URL of the site matches the common name of the certificate that the site presents to the client application (usually, the site’s fully qualified domain name, such as www.samplecompany.com). 2. There must be tight binding between the organization listed in the certificate and the organization running the site. In practice, this means that the organization listed in the certificate should have the right to use the domain name in the common name and should be the entity with which the client is ultimately communicating or conducting business. It also means that the organization must have authorized the issuance of the certificate for a particular site. 3. There must be strong protection for the private key that corresponds to the certificate. In an SSL session, the client will use the public key in the certificate to send information to the server, which will ultimately be used to secure the session. Because any information encrypted with the server’s public key can be decrypted using the server’s private key, any configuration that compromises the server’s private key must be avoided. Typically, implementing digital certificates for SSL is a fairly straightforward process, as one SSL certificate is required per domain name per Web server. However, some SSL certificate implementations frequently cause confusion and sometimes violate one or more of the above fundamental principles of secure e-commerce. Private key security is fundamental to the security of SSL. Using the same certificate on multiple physical servers requires generating multiple copies of the same private key and storing those keys in multiple locations. When a private key is created and always stored in a single server, the key is reasonably well contained and auditable. When private keys are moved between servers, either by network or diskette, a new set of exposures and audit problems are created, increasing the likelihood of something going wrong and complicating the process of tracing who had access to a key in the event of compromise. Following this logic, the chance of a problem arising increases significantly in relation to the number of servers in a given deployment. Therefore, VeriSign recommends that unique private keys are used on every server in a multi-server deployment, and that the private keys are generated from the hosting server. RSA announced prescriptions for applications that are vulnerable to the adaptive chosen ciphertext attack on PKCS #1 v1.5. Prescription #1 included the recommendation that “different servers should have different key pairs.” See http://www.rsa.com/rsalabs/pkcs1/prescriptions.html,
Load more

Recommended publications
  • Ispconfig Documentation Ispconfig Documentation I
    ISPConfig Documentation ISPConfig Documentation I Table of Contents General...............................................................................................................................................1 1 What is ISPConfig?...............................................................................................................1 2 Terms and structure of the manual.......................................................................................1 3 Installation/Upgrade/Deinstallation.......................................................................................1 3.1 Installation....................................................................................................................1 3.2 Upgrade.......................................................................................................................1 3.3 Deinstallation................................................................................................................2 4 Login and Logout..................................................................................................................2 I Administrator Manual......................................................................................................................3 1 General.................................................................................................................................3 1.1 Login and Password.....................................................................................................3 1.2 ISPConfig Interface
    [Show full text]
  • Installation Guide
    install_guide.book Page i Monday, May 11, 2015 8:48 PM Installation Guide Installation Guide Schrödinger Software Release 2015-2 Schrödinger Press install_guide.book Page ii Monday, May 11, 2015 8:48 PM Installation Guide Copyright © 2015 Schrödinger, LLC. All rights reserved. While care has been taken in the preparation of this publication, Schrödinger assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. Canvas, CombiGlide, ConfGen, Epik, Glide, Impact, Jaguar, Liaison, LigPrep, Maestro, Phase, Prime, PrimeX, QikProp, QikFit, QikSim, QSite, SiteMap, Strike, and WaterMap are trademarks of Schrödinger, LLC. Schrödinger, BioLuminate, and MacroModel are registered trademarks of Schrödinger, LLC. MCPRO is a trademark of William L. Jorgensen. DESMOND is a trademark of D. E. Shaw Research, LLC. Desmond is used with the permission of D. E. Shaw Research. All rights reserved. This publication may contain the trademarks of other companies. Schrödinger software includes software and libraries provided by third parties. For details of the copyrights, and terms and conditions associated with such included third party software, use your browser to open third_party_legal.html, which is in the docs folder of your Schrödinger software installation. This publication may refer to other third party software not included in or with Schrödinger software ("such other third party software"), and provide links to third party Web sites ("linked sites"). References to such other third party software or linked sites do not constitute an endorsement by Schrödinger, LLC or its affiliates. Use of such other third party software and linked sites may be subject to third party license agreements and fees.
    [Show full text]
  • Ispconfig 3 Manual]
    [ISPConfig 3 Manual] ISPConfig 3 Manual Version 1.0 for ISPConfig 3.0.3 Author: Falko Timme <[email protected]> Last edited 09/30/2010 1 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. You may keep backup copies of the manual in digital or printed form for your personal use. All rights reserved. This copy was issued to: Thomas CARTER - [email protected] - Date: 2010-11-20 [ISPConfig 3 Manual] ISPConfig 3 is an open source hosting control panel for Linux and is capable of managing multiple servers from one control panel. ISPConfig 3 is licensed under BSD license. Managed Services and Features • Manage one or more servers from one control panel (multiserver management) • Different permission levels (administrators, resellers and clients) + email user level provided by a roundcube plugin for ISPConfig • Httpd (virtual hosts, domain- and IP-based) • FTP, SFTP, SCP • WebDAV • DNS (A, AAAA, ALIAS, CNAME, HINFO, MX, NS, PTR, RP, SRV, TXT records) • POP3, IMAP • Email autoresponder • Server-based mail filtering • Advanced email spamfilter and antivirus filter • MySQL client-databases • Webalizer and/or AWStats statistics • Harddisk quota • Mail quota • Traffic limits and statistics • IP addresses 2 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH.
    [Show full text]
  • Internet Domain Name System
    IINNTTEERRNNEETT DDOOMMAAIINN NNAAMMEE SSYYSSTTEEMM http://www.tutorialspoint.com/internet_technologies/internet_domain_name_system.htm Copyright © tutorialspoint.com Overview When DNS was not into existence, one had to download a Host file containing host names and their corresponding IP address. But with increase in number of hosts of internet, the size of host file also increased. This resulted in increased traffic on downloading this file. To solve this problem the DNS system was introduced. Domain Name System helps to resolve the host name to an address. It uses a hierarchical naming scheme and distributed database of IP addresses and associated names IP Address IP address is a unique logical address assigned to a machine over the network. An IP address exhibits the following properties: IP address is the unique address assigned to each host present on Internet. IP address is 32 bits 4bytes long. IP address consists of two components: network component and host component. Each of the 4 bytes is represented by a number from 0 to 255, separated with dots. For example 137.170.4.124 IP address is 32-bit number while on the other hand domain names are easy to remember names. For example, when we enter an email address we always enter a symbolic string such as [email protected]. Uniform Resource Locator URL Uniform Resource Locator URL refers to a web address which uniquely identifies a document over the internet. This document can be a web page, image, audio, video or anything else present on the web. For example, www.tutorialspoint.com/internet_technology/index.html is an URL to the index.html which is stored on tutorialspoint web server under internet_technology directory.
    [Show full text]
  • Implementation of Embedded Web Server Based on ARM11 and Linux Using Raspberry PI
    International Journal of Recent Technology and Engineering (IJRTE) ISSN: 2277-3878, Volume-3 Issue-3, July 2014 Implementation of Embedded Web Server Based on ARM11 and Linux using Raspberry PI Girish Birajdar Abstract— As ARM processor based web servers not uses III. HARDWARE USED computer directly, it helps a lot in reduction of cost. In this We will use different hardware to implement this embedded project our aim is to implement an Embedded Web Server (EWS) based on ARM11 processor and Linux operating system using web server, which are described in this section. Raspberry Pi. it will provide a powerful networking solution with 1. Raspberry Pi : The Raspberry Pi is low cost ARM wide range of application areas over internet. We will run web based palm-size computer. The Raspberry Pi has server on an embedded system having limited resources to serve microprocessor ARM1176JZF-S which is a member of embedded web page to a web browser. ARM11 family and has ARMv6 architecture. It is build Index Terms— Embedded Web Server, Raspberry Pi, ARM, around a BCM2835 broadcom processor. ARM processor Ethernet etc. operates at 700 MHz & it has 512 MB RAM. It consumes 5V electricity at 1A current due to which power I. INTRODUCTION consumption of raspberry pi is less. It has many peripherals such as USB port, 10/100 ethernet, GPIO, HDMI & With evolution of World-Wide Web (WWW), its composite video outputs and SD card slot.SD card slot is application areas are increasing day by day. Web access used to connect the SD card which consist of raspberry linux functionality can be embedded in a low cost device which operating system.
    [Show full text]
  • Domain Name System System Work?
    What is the DNS? - how it works Isaac Maposa | Dev Anand Teelucksingh | Beran Gillen Community Onboarding Program | 11 March 2017 Agenda 1 2 3 What is the Domain Structure of the How does the Name System? Domain Name Domain Name System System Work? 4 5 6 Who makes the Stakeholders in the Engage with ICANN Domain Name Domain Name ??? System Work? System. | 2 What is the Domain Name System (DNS)? The Internet, what is it..? ● The Internet is a network of networks that interconnects devices to exchange information. ● In order to “talk” to each other, all of these devices must have a unique numerical address called an Internet Protocol address or IP Address. An example of an IP address is 94.127.53.132 ● When you visit a website from your browser, you are requesting the website from your device’s IP address to the web server’s IP address. ● However, you don’t type in the ip address of the web server, rather the domain name of for example www.google.com ● In so doing, you have queried the DNS. ● So what is this DNS???? | 4 What is the Domain Name System? ● The Domain Name System or DNS overcomes this problem of remembering IP addresses by mapping domain names to IP addresses. ● While this sounds like a phone book, it is not a centralised database. ● The DNS is a distributed database across a hierarchy of networks of servers and provide ways for devices and software (like browsers and email) to query the DNS to get an IP address. ● Domain names must be unique.
    [Show full text]
  • MPKI for SSL Guide
    Managing SSL Security in Multi-Server Environments VeriSign’s Easy-to-Use Web-Based Service Speeds SSL Certificate Management and Cuts Total Cost of Security ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ A SMART STRATEGY FOR MANAGING SSL VeriSign MPKI for SSL SECURITY ON MULTIPLE SERVERS Simple: Web-based Protecting the confidentiality and integrity of sensitive service for managing information transmitted over your organization’s network is a all your SSL crucial step to building customer confidence, securely certificates—no interacting with business partners and complying with new upfront hardware or privacy regulations. Your company’s requirements may include software to install securing information exchange between Web servers and Efficient: Enroll, clients, server-to-server, and among other networking devices approve, issue, reject, such as server load balancers or SSL accelerators. For a revoke, renew with a complete solution, cross-network security must protect servers few clicks of a mouse facing both the Internet and private intranets. Time saving: Issue 1 SSL certificates on Secure Sockets Layer (SSL ) is the world’s standard technology demand used to protect information transmitted over the Web with the ubiquitous HTTP protocol. SSL protects against site spoofing, Secure: Certificate- data interception and tampering. Support for SSL is built into secured administrator all major operating systems, Web applications and server account access hardware. Leveraging both the powerful encryption of SSL and Value: Provides the confidence instilled by VeriSign’s authentication procedures, discounted, bulk your company can immediately protect sensitive data purchases of SSL transmitted between your servers and your customers, certificates employees and business partners. Managed PKI for SSL is VeriSign’s easy to use and flexible Web-based service for deploying and managing multiple SSL certificates across the organization.
    [Show full text]
  • WHY USE a WIKI? an Introduction to the Latest Online Publishing Format
    WHY USE A WIKI? An Introduction to the Latest Online Publishing Format A WebWorks.com White Paper Author: Alan J. Porter VP-Operations WebWorks.com a brand of Quadralay Corporation [email protected] WW_WP0309_WIKIpub © 2009 – Quadralay Corporation. All rights reserved. NOTE: Please feel free to redistribute this white paper to anyone you feel may benefit. If you would like an electronic copy for distribution, just send an e-mail to [email protected] CONTENTS Overview................................................................................................................................ 2 What is a Wiki? ...................................................................................................................... 2 Open Editing = Collaborative Authoring .................................................................................. 3 Wikis in More Detail................................................................................................................ 3 Wikis Are Everywhere ............................................................................................................ 4 Why Use a Wiki...................................................................................................................... 5 Getting People to Use Wikis ................................................................................................... 8 Populating the Wiki................................................................................................................. 9 WebWorks ePublisher and Wikis
    [Show full text]
  • A Distributed, Wikipedia Based Web Application Benchmark
    WikiBench: A distributed, Wikipedia based web application benchmark Master thesis by Erik-Jan van Baaren Student number 1278967 [email protected] Under the supervision of: Guillaume Pierre Guido Urdaneta Vrije Univesiteit Amsterdam Department of Computer Science May 13, 2009 Abstract Many different, novel approaches have been taken to improve throughput and scalability of distributed web application hosting systems and relational databases. Yet there are only a limited number of web application bench- marks available. We present the design and implementation of WikiBench, a distributed web application benchmarking tool based on Wikipedia. Wik- iBench is a trace based benchmark, able to create realistic workloads with thousands of requests per second to any system hosting the freely available Wikipedia data and software. We obtained completely anonymized, sam- pled access traces from the Wikimedia Foundation, and we created software to process these traces in order to reduce the intensity of its traffic while still maintaining the most important properties such as inter-arrival times and distribution of page popularity. This makes WikiBench usable for both small and large scale benchmarks. Initial benchmarks show a regular day of traffic with its ups and downs. By using median response times, we are able to show the effects of increasing traffic intensities on our system under test. Contents 1 Introduction 2 2 Related Work 4 2.1 TPC-W . 4 2.2 Web Polygraph . 6 3 System Model 8 3.1 Requirements . 9 3.2 WikiBench design . 11 3.3 TraceBench Design . 15 3.4 WikiBench Workflow . 16 4 Workload Creation 19 4.1 Changing the Request Rate .
    [Show full text]
  • Web Application Hosting in the AWS Cloud AWS Whitepaper Web Application Hosting in the AWS Cloud AWS Whitepaper
    Web Application Hosting in the AWS Cloud AWS Whitepaper Web Application Hosting in the AWS Cloud AWS Whitepaper Web Application Hosting in the AWS Cloud: AWS Whitepaper Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. Web Application Hosting in the AWS Cloud AWS Whitepaper Table of Contents Abstract ............................................................................................................................................ 1 Abstract .................................................................................................................................... 1 An overview of traditional web hosting ................................................................................................ 2 Web application hosting in the cloud using AWS .................................................................................... 3 How AWS can solve common web application hosting issues ........................................................... 3 A cost-effective alternative to oversized fleets needed to handle peaks ..................................... 3 A scalable solution to handling unexpected traffic
    [Show full text]
  • Web Manager Lite User's Guide
    W EB MANAGER LITE USER GUIDE WEB MANAGER LITE | User Guide Summary Introduction................................................................................................................................................. 4 Purpose of this manual ............................................................................................................................ 4 Intended recipients .................................................................................................................................. 4 System requirements ............................................................................................................................... 4 Program Description .................................................................................................................................... 6 Home page .............................................................................................................................................. 6 Operation of the application ........................................................................................................................ 6 Connect Controllers/Stations ................................................................................................................... 6 Select a station......................................................................................................................................... 7 Station in Monitor Mode .........................................................................................................................
    [Show full text]
  • Ispconfig Documentation Ispconfig Documentation I
    ISPConfig Documentation ISPConfig Documentation I Table of Contents III Customer Manual...........................................................................................................................1 1 General.................................................................................................................................1 1.1 Login and Password.....................................................................................................1 1.2 Customer Interface.......................................................................................................1 1.3 ISPConfig Privileges for Customers.............................................................................1 1.4 Saving..........................................................................................................................2 1.5 Changing the ISPConfig Password.............................................................................2 1.6 Language Settings.......................................................................................................3 1.7 Display of Passwords in the ISPConfig System...........................................................3 1.8 Help..............................................................................................................................4 2 Sites......................................................................................................................................5 2.1 Basic Data of a Site......................................................................................................5
    [Show full text]