Internet Web-based commerce ("E-Commerce") relies for its security on a
hybrid symmetric/public key system called SSL, originally developed by
Netscape but widely adopted by others (its standardised successor is
TLS). SSL adds a new protocol layer between the application and
transport (TCP) layers. It provides the following:
Authentication of the identity of the server, using an X.509
site certificate as above. Recall that the sample
certificates contain the domain name of their owner. The client
checks this against the hostname it connected to, and also checks
that the certificate is signed by a certificate authority it trusts,
so that we know that we are, for example, connecting to
www.amazon.com and not to hackers-r-us.com masquerading as it.
Neither check is sufficient on its own: a validly signed certificate
for the wrong name, or a self-signed certificate for the right name,
must both be rejected.
Optional (and currently rarely used) authentication of the client.
The protocol allows the initiating client to identify
itself with a personal certificate, which the server verifies in the
same way. This has potential usefulness in future
"business-to-business" E-Commerce applications.
Encryption of the HTTP session, whereby all
subsequent communication between the client and server is secured
using a symmetric session key negotiated during the handshake. The
public-key operations are used only to establish that key, which is
why the system is called hybrid. Each record is also protected by a
MAC, so that traffic cannot be altered in transit undetected.
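The hostname check described above, together with the context settings
that make a real client and server enforce it, as an added example in
Python (this is not code from the original page or from any SSL
implementation). The certificate dictionaries are constructed for the
example in the shape that Python's ssl.SSLSocket.getpeercert()
returns; they are not real certificates, and the names www.example.com
and hackers-r-us.example are placeholders.

```python
"""Hostname matching against an X.509 certificate, plus the TLS context
settings that make a client or server enforce the checks in the text.
Added example: the certificates below are constructed dictionaries in
getpeercert() shape, not real certificates."""
import ssl


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, with an optional '*'
    that must be the entire leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.com" is allowed; "*.com", "w*.example.com" and a wildcard
    # spanning several labels ("a.b.example.com") are not.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate asserts ownership of: the dNSName entries of
    subjectAltName.  Only when there are none do we fall back to the
    subject commonName, which is legacy behaviour."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True iff the site name we connected to is covered by the certificate."""
    return any(_dns_label_match(name, hostname) for name in certificate_names(cert))


def client_context() -> ssl.SSLContext:
    """Browser-like client: require a chain to a trusted CA AND a matching
    hostname.  Without both, a valid certificate for another site would pass."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def mutual_auth_server_context() -> ssl.SSLContext:
    """Server side of the optional client authentication: demand a client
    certificate chaining to a CA we trust (the CLIENT_AUTH default is none)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample: a certificate issued to www.example.com with a
# wildcard for its CDN hosts.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}

# Constructed sample: the commonName claims www.example.com but the SAN,
# which is authoritative, names a different site.  Must not match.
IMPOSTOR_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "hackers-r-us.example"),),
}

# Constructed sample: an old-style certificate with no SAN at all.
LEGACY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
}


if __name__ == "__main__":
    for cert, host in [(SAMPLE_CERT, "www.example.com"),
                       (SAMPLE_CERT, "img.cdn.example.com"),
                       (SAMPLE_CERT, "a.b.cdn.example.com"),
                       (IMPOSTOR_CERT, "www.example.com"),
                       (LEGACY_CERT, "www.example.com")]:
        print(host, "->", hostname_matches(cert, host))
```

In practice the matching is done for you by ssl.create_default_context()
when check_hostname is left enabled; the point of spelling it out is to
see what is compared (SAN first, CN only as a fallback) and how narrow a
wildcard is.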