Configuring Your Web Browser for SSL
Most common browsers today, including Netscape, Opera, and Internet Explorer, support both versions 2.0 and 3.0 of SSL. In general, you will want to choose SSL v3.0 over SSL v2.0 because it is a stronger and more secure version. Because the SSL version you use is negotiated between your browser and the server, we recommend disabling SSL v2.0 in your browser and only enabling SSL v3.0. This ensures that negotiations settle on using SSL v3.0; however, it might cause problems at sites that do not support SSL v3.0. If you cannot establish an SSL v3.0 connection with a particular site, you will have to enable SSL v2.0 support in your browser, accepting and understanding that it has known security issues. Let's have a look at the configuration options that Netscape Navigator v.6.1 and Internet Explorer v6.0 offer you.
Netscape Navigator
Netscape Navigator gives you much control over its SSL configurations. Select Edit, Preferences in Netscape, and then select Privacy and Security and then SSL from the Category list on the left, as shown in Figure 9.1. Options are available for enabling and disabling versions of SSL, as well as the different ciphers you want it to use.
Figure 9.1. Netscape offers detailed control over its SSL configurations.
With Netscape Navigator v6.1, you can enable SSL version 2 and version 3, as well as TLS, which is another protocol that is similar to SSL v3.0. In general, most sites support SSL over TLS, but TLS is becoming more popular. Take a look at the SSL warning messages that Netscape gives you. These come across as pop-up windows while you are using your browser. If, for instance, you select the warning option for Entering a Site That Uses Low-Grade Encryption, you will be alerted whenever you visit an SSL site that uses 40-bit keys.
By clicking the Edit Ciphers button, you can configure just which ciphers you want Netscape to support, as shown in Figure 9.2.
Figure 9.2. Netscape gives you complete control over the ciphers it uses for SSL encryption.
Most likely, you will not need to modify the cipher settings for SSL. However, should the need arise, you do have the ability under Netscape. For example, you might decide one day that you want Netscape to use only the strongest encryption available. In this case, you could disable the use of any 40-bit keys and enable only the use of 128-bit keys. Of course, you might run into problems if the Web site you are visiting can't support 128-bit keys, but at least you know you can do it.
Netscape gives you two ways to see that you have an SSL session established with a site. You not only have https:// as the prefix for www.amazon.com, but you also see a padlock icon in the bottom-right corner of the Netscape browser window, as shown in Figure 9.3. (If SSL were not enabled, the padlock would appear unlocked instead of locked.)
Figure 9.3. Netscape displays an icon indicating that SSL is enabled.
You can view the information about the security of this session in two more ways. You can either double-click on the padlock icon to bring up the page information, or you can select View, Page Info. The Page Info window is shown in Figure 9.4.
Figure 9.4. Security information details.
By clicking on the Security tab, you can see what the encryption strength is of your SSL session; in this case, it is RC4 128-bit, which is very strong. You can also click the View button to have a closer look at the site's digital certificate. (You'll read more about digital certificates later.)
Internet Explorer
Internet Explorer does not give you quite the level of control that Netscape gives. In fact, you only get control over the versions of SSL you want to support, and a limited amount of warning messages. Controls for SSL are thrown in under the Advanced configuration options, shown in Figure 9.5. You get there by selecting Tools, Internet Options, and then selecting the Advanced tab.
Figure 9.5. Configuring Internet Explorer for SSL support.
With Internet Explorer 6.0, you can enable or disable support for SSL 2.0, SSL 3.0, and TLS 1.0. It is a good idea to enable support for SSL 3.0 and TLS 1.0 while disabling support for SSL 2.0. Your options for warnings are limited to Warn If Changing Between Secure and Not Secure Mode.
Internet Explorer displays a padlock icon similar to Netscape. When you establish an SSL session, you see a padlock in the bottom-right corner of the window, as shown in Figure 9.6. If you hover the mouse over the icon, you will see the message SSL Secure (128 bit) or 40 bit depending on the strength of encryption you are using.
Figure 9.6. Internet Explorer displays a padlock icon when an SSL session is established.
Double-clicking on the padlock icon brings up the Web site's digital certificate. If you want more details about the encryption strength being used, select File, Properties. You will see a screen similar to Figure 9.7, which tells you the key size and encryption ciphers that are used for your current SSL session.
Figure 9.7. Internet Explorer gives you more details about the SSL session when you select File, Properties.
In the Properties dialog box, it is revealed that www.hushmail.com is using SSL 3.0 for the encrypted session. You also see that the encryption strength is 128 bit, which is very strong encryption. The public key exchange that was used to exchange the secret keys was 1024 bit.