Server Encryption and Authentication

Notes:

Netscape have developed the Secure Sockets Layer to encrypt and authenticate communications between Internet servers. Asymmetric or public key encryption is used to pass a random encryption key between client and server. A symmetric encryption algorithm can then used to encrypt all communications. The authentication of the server owner, and optionally the client, can be assured by way of a signed certificate issued by a trusted third party. There is widespread support for SSL including an add on component for the popular and free Apache Web server.
In order to use SSL the server owner must generate a random public/private key pair using a utility program. This is sent to the certifying authority (e.g. Verisign) along with the server’s domain name, company name and contact information. Proof of identity, such as notarized incorporation certificates must also be submitted. Don’t forget the annual registration fee ($390 for Verisign). The certifying authority will then return a signed certificate that must can be installed on the server.
The symmetric encryption algorithms used are believed to be secure, however a brute force search of the key space can be employed. Weaknesses have occurred with particular implementations. Netscape’s random key generation mechanism could be predicted in early versions of their products. The export version of the symmetric cypher is restricted to an effective key length of 40 bits. A French student1 successfully decrypted a message sent with this level of encryption in 8 days, although he did use 120 workstations on a network to do this. This sort of power could be available to others.
Also be aware of the risks to data that is stored on the server after being decrypted. Master hacker, Kevin Mitnick, stole 20,000 credit card numbers this way. Probably far more than have ever been pinched by cypherpunks. This is one reason for the adoption of the SET standards.

1ref: <URL http://pauillac.inria.fr/~doligez/ssl/announce.txt>