About Security

Learn how to make it more difficult for unauthorized persons to access your system and correspondence.

To make it more difficult for unauthorized persons to interfere with your day-to-day communications or access your system, follow these steps:

  1. Familiarize yourself with the basic concepts and terms concerning electronic security.

  2. Know how to choose a good password and require a password for any Navigator task that accesses your certificates.

  3. Obtain a certificate for yourself.

  4. Use the Security Info window to set Navigator preferences for browsing encrypted web pages.

  5. Use the Security Info window to set Java/JavaScript access preferences. The Security Info window's Java/JavaScript preferences include defaults for the levels of access you are willing to grant to Java applets and JavaScript scripts that web sites can run on your computer.

  6. Collect certificates from all those with whom you wish to have encrypted correspondence.

Click one of the following topics to learn more about:
Concepts and Terms Concerning Encryption, Digital Signatures, and More


About Security Terms and Concepts

This section describes terms and concepts you must know in order to make your system and correspondence more secure.

About Electronic Security

Electronic security requires that

While you cannot always ensure your communications are secure, you can use certificates, encryption, and the Security Info window to make it less likely you or others compromise security.


About Certificates and Digital Signatures

A certificate is a tamper-resistant file that identifies the individual or organization to whom it is issued and provides you with tools so you can better secure communications with others. Navigator uses certificates to encrypt information. You can use a certificate to check the identity of the certificate's owner. You should trust a certificate only if you trust the person or organization that issued it.

A certificate's contents depend on what level of certificate it is. A basic certificate contains:

You collect and distribute certificates when you send and receive signed messages.

About Encryption

Encryption is scrambling information through the use of a public key, which is included in a certificate you collect from a correspondent.

When you encrypt an outgoing message, you use your recipient's public key to scramble the message in such a way that only your intended recipients can unscramble the message. Specifically, a recipient's certificate contains a public key.

A correspondent uses your certificate in the same way when encrypting messages to you. You cannot read an encrypted message or display an encrypted web page without decrypting it.

To encrypt a message, you must have a valid certificate from each and every recipient in the message's address list. You cannot encrypt the message for only selected recipients.


About Decryption

Decryption is unscrambling encrypted information transmitted to you.

When you open an encrypted message or connect to an encrypted web page, you use your private key to decrypt and display the message or web page contents.

You cannot read an encrypted message or display an encrypted web page without decrypting it.
You cannot decrypt messages or web pages:

Keep your certificates and computer safe. Anyone accessing your certificates or key database on your computer can decrypt your messages and sign outgoing messages.


About Public and Private Keys

When you obtain your certificate from a signing authority, you generate public and private keys:


About Certificate Signers

Certificate signers are the companies or organizations that issue and authorize certificates. You can use the Security Info window to contact signers of certificates you hold. You can contact signers when you need to obtain a certificate for yourself, update certificates, and validate certificates.

Use the Signers, Certificate panel to view a list of certificate issuers you can contact.


About Encrypted Web Pages

A server can encrypt a web page when transmitting the page data to your browser. Your browser decrypts the message just before displaying it for you. After you receive, decrypt, and view the page, it resides on your computer in its unencrypted form.

On the Security window, use the:

Security Info panel to display information about an encrypted web page you are connecting to.

Navigator panel to configure your defaults for accessing encrypted web pages.

Web Sites panel to display information about certificates you have already accepted from Web sites.


About Encrypted Messages

Encrypted messages you receive are stored in their encrypted state. You decrypt messages only when you open them.

Follow these rules to avoid interruptions in accessing your messages:


About Signed Java Applets

Some web pages make available a special type of program called a Java applet. You may need to use a Java applet in order to make use of an online service. Java applets, like email messages and web pages, can carry and deliver a certificate, which can help you in deciding whether you want to use an applet and give it access to your computer.

Use the Java applets panel to set levels of access you are willing to grant Java applets.

Use the Software Developers Certificates panel to display certificates you have already collected from Java applets.

Use the Security Info panel to display information about an applet when it requests access to your computer.


Introduction to Security Info

Check the security status of your current task by using the Security Info window:

  1. On the Navigator toolbar, click Security to open the Security Info window.

  2. In the left frame of the Security Info window, click Security Info. The right frame of the Security Info window displays information about your most recent task.

General Status Information (No Active Status)

The Security Info panel displays the status of a certificate-based task that is currently in progress. Certificate-based tasks are:

Some Security Information panel messages require you to make a decision and provide input, while other panel messages report the success or failure of a task.


Your Current Incoming Message

You cannot decrypt a message

You cannot decrypt messages on any computer but the one to which your certificates were issued, unless you export your certificates. If you are using a computer other than the one you used when you obtained your certificates, you must import the certificates you've exported from the original computer.

Update your personal certificate. If you are using the original computer on which your expired certificate was issued, after contacting the certificate issuer, you can regenerate a valid private key and can then decrypt your current messages.


The Encrypted Web Page You Are Loading

Warning about unencrypted files in your disk cache

Warning: Once the browser displays an encrypted page, your disk cache retains a copy of the page in unencrypted form. Anyone having access to your Netscape disk cache can view the contents of the page.

You cannot decrypt and display the page

You cannot decrypt messages on any computer but the one to which your certificates were issued. If you are using a computer other than the one you used when you obtained your certificates, you must contact your certificate issuer and obtain a new certificate for the computer you are now using.

To decrypt your current messages, you must use your original computer, or use the certificate export and import features of the Security Info window.

Update your personal certificate. If you are using the original computer on which your expired certificate was issued, after contacting the certificate issuer, you can regenerate a valid private key and can then decrypt the web page.


About Passwords for Your Certificates

You can set a password that Netscape Navigator requires before enabling access to your collection of certificates.

To set or alter your password:

  1. Click Security on the Navigator toolbar to open the Security Info window.

  2. From the Security Info window, in the table of contents on the left, click Your Password.

You do not have a password for your certificates

Set a password for access to your certificates. This helps to ensure that others using this computer and software installation cannot use your certificates without your knowledge.


Choosing a Good Password

When choosing a password follow these guidelines, which make it difficult for your password to be guessed by a password-cracking program:


You already have a password

The software installation on this computer already has password-protected certificates for your user name. You cannot set a new password if you do not know your existing password.

If someone set up your account for you, you must obtain your password from that person.

If you forget your password

If you set your own password and have forgotten it, you cannot access your certificates or decrypt your messages. Your certificate issuer cannot provide you a replacement certificate, so you must obtain new certificates. Because you cannot access your certificates without your password, any encrypted messages you saved cannot be decrypted.

Suggestions:


Warning Concerning Forwarding a Decrypted Message

If you attempt to forward a decrypted message without first encrypting it, Navigator reminds you to encrypt it.


Warning Concerning Possible Message Tampering

A warning about message tampering appears only when an incoming message has been altered in some way after it was sent. Alteration of the original message content can be caused by corruption due to mishandling or to interception and forgery.

Suggestions:


Warning Concerning a Document Consisting of Both Encrypted and Unencrypted Parts

A warning about messages with mixed encryption appears only when you access a document that is encrypted, but contains unencrypted parts. If you do not feel that your system is secure, you may not want to open a document that contains unencrypted parts.


Warning Concerning Failure to Encrypt Message

Check your address list. You cannot encrypt your message to any of your recipients if even one recipient has failed to distribute a valid certificate.

Use the Signers panel to update your recipients' certificates. Your recipients may all have valid certificates, but may not have distributed them recently. Signers can update all certificates of the types they distribute, and do so upon request.


Warning About Unencrypted Files in your Disk Cache

Warning: Once the browser displays an encrypted page, your disk cache retains a copy of the page in unencrypted form. Anyone having access to your Netscape disk cache can view the contents of the page.


About Navigator Security Settings

The following sections detail why you might want to enable warnings from Navigator:

Entering an encrypted site:

You need to be aware that the pages you are accessing are encrypted. Because the pages are decrypted without your intervention, you may want notification to remind you that you must clean up or secure downloaded files upon completion of your session.

Leaving an encrypted site:

You may want this warning as a reminder of when to remove decrypted files left on your local drive. Web pages are only encrypted during transmission from the web page server to your browser. Files in your cache or files you have saved to disk are not encrypted.

Viewing a page with an encrypted/unencrypted mix:

You may want this as a reminder to consult the Security Info panel, which identifies files encrypted during transmission.


About Settings for Java applets and JavaScript

Use the Java/JavaScripts panel to view, remove, and edit access privileges for Java applets and JavaScript signed with a certificate issued by the signer listed in the list box.

To use the Java/JavaScripts panel:

  1. Select a signer in the list.

  2. Click one of the following buttons:


Using the Java Security Dialog Box to Set Java Applet Access Levels

Use the Java Security dialog box to grant or deny the access it describes:

The Java Security dialog box provides information to help you make your decision:

Netscape provides risk level categories High, Medium, and Low as guidelines only. You may have a different opinion about the degree of risk that access entails. Be sure to click Details, see exactly what types of access are involved, and make your own decision.


Using the Java Security Target Details Dialog Box

Use the Java Security Target Details dialog box to get detailed information about the kind of access a Java applet or JavaScript script is requesting:

The risk level categories High, Medium, and Low are provided by Netscape as guidelines only. You may have a different opinion about the level of risk this kind of access entails. Be sure to read the description of the access requested and make your own decision.

Netscape's current classification system is based on these categories:


About Certificates

You can obtain your own certificate by contacting a signing authority. You obtain certificates from others by opening a message from them, by accessing their web pages, and by allowing their Java applets access to your computer.


About Your Own Certificates

To obtain a certificate for yourself, click Get Certificate. When you click Get Certificate Netscape Navigator connects to a signing authority. Through the signing authority, you obtain a certificate and generate keys.

To use your certificate on a computer other than the one you used to obtain the certificate, you must export the certificate. To export a certificate, select it in the certificates list, then click Export.


Certificates Collected from Web Pages

When you connect to a web site offering an encrypted web page, you collect a certificate from the site. This is a list of all the site certificates you've collected.


Certificates Collected from Java Applets

When you accept the use of a signed Java applet, you collect a certificate from the applet requesting access. This is a list of all the certificates you've collected.


About Certificate Signers

This is a list of all the organizations who have issued certificates you've either collected or own. Click on the name of the organization in order to select it. You can then verify all certificates by the selected issuer or obtain more information about the selected issuer.


Cryptographic Modules

Cryptographic modules are loadable pieces of software that provide cryptographic services, such as:


About Encryption

Netscape software allows computers to transfer information in a way that makes the misappropriation of the forms you send or the pages you receive more difficult. Security issues arise because information traveling on the Internet usually takes a circuitous route through several intermediary computers to reach any destination computer. The actual route your information takes to reach its destination is not under your control.

As your information travels on Internet computers, any intermediary computer has the potential to eavesdrop and make copies. An intermediary computer could even deceive you and exchange information with you by misrepresenting itself as your intended destination. These possibilities make the transfer of confidential information such as passwords or credit card numbers susceptible to abuse.

Navigator and Netscape servers use patented RSA public key cryptographic technology and custom software to allow you to send and receive information using built-in encryption capabilities. The protocols use open standards.

Your computer and the intended destination can encrypt and decrypt your information. In transit, the encrypted information is jumbled; an intermediary can continue to route the information, and even make copies of it, but is not provided with the tools to decrypt the information.

As part of the cryptographic technology, Navigator and Netscape servers provide a mechanism for Internet server authentication. This makes it more difficult for an intermediary computer to pose as your destination computer.

Communicating Information Such as Credit Card Numbers

You can enter your credit card number on an encrypted (https) Netscape Navigator form and transmit the form over the Internet to an SSL server to reduce the risk of an intermediary obtaining your credit card information. The encryption features offered by Netscape technology help protect commercial transactions, as well as all other communications, from misappropriation and fraud that can occur as information passes through Internet computers.

Encrypted communications do not eliminate all of an Internet user's concerns. For example, you must be willing to trust the server administrator with your credit card number before you enter into a commercial transaction. Security technology helps protect the routes of Internet communication; security technology does not protect you from disreputable or careless people with whom you might choose to do business.

The situation is analogous to telling someone your credit card number over the telephone. You may be confident in knowing that no one has overheard your conversation (privacy) and that the person on the line works for the company you wish to buy from (authentication), but you must also be willing to trust the person and the company.

Server administrators need to take additional precautions to protect against security breaches. To protect your information, they need to maintain physical security of their server computers and control access to software passwords and private keys.

Site Certificates for Signed Communications

Site certificates identify others on the Internet to you. They are issued to organizations running servers.

If you are a server administrator and want to obtain a signed certificate, you need to submit a certificate request to a certificate authority. To operate using security features, an SSL server requires a digitally signed certificate. Without a certificate, the server can only operate without security capabilities. The process of obtaining a site certificate is explained in Netscape's server documentation.

Netscape Communications Corporation does not issue certificates. Certificates are issued by a certificate authority, a third-party organization. Information about certificate classifications and associated service fees can be obtained directly from the certificate authority.


Identifying Security Indicators

Encryption and certification capabilities are built into Navigator and many types of servers, including web page servers, mail servers, and discussion group servers. Navigator uses information windows, graphical elements, and dialog boxes to inform you when you are interacting with server sites and messaging applications that offer encryption and certification capabilities.

Security information can be found in both the Security Info and Page Info windows.

To interact with the Security Info window:

  1. Click the Security button on the Navigator toolbar or choose Security Info from the Window menu.

  2. Click a category in the contents frame. The categories include security (status) information, personal and site certificates, current applications, passwords, and cryptographic modules.

  3. Use the fields and buttons on the right to interact with the available security features.

  4. Click the Help button in each display for particular information about the category.

To interact with the Page Info window:

  1. Choose the View menu's Page Info item. A hierarchy of the page's URL and any component URLs is displayed in the upper frame.

  2. Click any URL in the upper frame to display the corresponding page information in the lower frame. The information presented in the lower frame includes encryption and certificate information specific to the URL.

To determine whether security features are in use:

To connect to an HTTP server that offers security:

Insert the letter s so that the URL begins with https://. A URL beginning with https:// shows that the page came from a server using encryption. Use http:// otherwise. Choose the View menu's Page Info item for security details.

Similarly, a discussion group URL that starts with snews: (instead of news:) shows that the page comes from a discussion group server using encryption (again, insert the letter s if your discussion group server offers security). Use two slashes (//) after the colon (:) for discussion group servers other than the default one.

Identifying mixed security pages

An encrypted page can only contain inline information from sources offering encryption. In a page of mixed security status, the unencrypted information is replaced by a mixed security icon. If you bring a mixed security page to your screen, you'll see a notification dialog box.

If a form appears on an encrypted page that has an unencrypted submission process, a notification dialog appears. The warning states that although the page is encrypted, the submission you are about to make is unencrypted and could be compromised by someone else. If you are sending passwords, credit card numbers, or other information you would like to keep private, you might want to cancel the submission.

If an unencrypted page contains encrypted information (either inline or as part of a form), no special action is taken. The page is considered unencrypted. This includes unencrypted forms that have encrypted submission processes.
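
The three mixed-security rules above, written out as an added example (not Netscape's code). The page object shape, the function names and the sample URLs are assumptions made for illustration; the schemes treated as encrypted are the two this page names, https: and snews:.

```javascript
// Added example: apply the mixed-security rules described above to a page.
// Everything here (names, object shape, URLs) is hypothetical illustration.
const ENCRYPTED_SCHEMES = new Set(['https:', 'snews:']);

// True when the reference resolves to an encrypted scheme. Relative
// references inherit the scheme of the page that contains them.
function isEncrypted(ref, base) {
  return ENCRYPTED_SCHEMES.has(new URL(ref, base).protocol);
}

// page = { url, inline: [...], formActions: [...] }
function assessPage(page) {
  const result = {
    status: 'unencrypted',
    replacedInline: [],   // inline parts shown as the mixed security icon
    insecureForms: [],    // forms whose submission would travel unencrypted
    notify: [],           // notification dialogs the user would see
  };

  // Rule 3: an unencrypted page stays "unencrypted" even if it embeds
  // encrypted parts or posts to an encrypted form target. No special action.
  if (!isEncrypted(page.url)) return result;

  // Rule 1: on an encrypted page, inline parts from unencrypted sources
  // are replaced and the page is reported as mixed.
  result.replacedInline = page.inline.filter((u) => !isEncrypted(u, page.url));
  result.status = result.replacedInline.length ? 'mixed' : 'encrypted';
  if (result.replacedInline.length) result.notify.push('mixed security page');

  // Rule 2: a form on an encrypted page with an unencrypted submit target
  // triggers a warning before the data is sent.
  result.insecureForms = page.formActions.filter((u) => !isEncrypted(u, page.url));
  if (result.insecureForms.length) result.notify.push('unencrypted form submission');

  return result;
}

// Constructed sample pages, one per rule plus a clean encrypted page.
const SAMPLE_PAGES = [
  { url: 'https://shop.example/checkout',
    inline: ['img/logo.gif', '//cdn.example/style.css', 'http://ads.example/banner.gif'],
    formActions: ['http://shop.example/cgi-bin/order'] },
  { url: 'http://news.example/',
    inline: ['https://secure.example/chart.gif'],
    formActions: ['https://secure.example/login'] },
  { url: 'https://bank.example/login',
    inline: ['/img/lock.gif'],
    formActions: ['submit'] },
];

function assessSamples() {
  return SAMPLE_PAGES.map(assessPage);
}

for (const [i, r] of assessSamples().entries()) {
  console.log(SAMPLE_PAGES[i].url, '->', r.status, r.notify);
}
```
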

Identifying notification dialog boxes

Several notification dialog boxes inform you about the security status of pages. You can choose whether or not to receive these dialogs by setting the options in the Security Info window. Alternatively, you can deselect a dialog's Show this Alert Next Time box.
You are notified in the following situations:


About Public Key Technology

The public key technology working within Navigator and Netscape servers is often described with unfamiliar security terminology. The following explanation of how public keys work may be an interesting supplement to your knowledge of Internet security.

A computer's security key is a file. You don't open a key (file) as you open a document or a word processor application. Keys are more like magnetic badges with powerful encryption and decryption capabilities.

There are two kinds of keys, private and public, and you need both. A private key sits on your computer and you never give it out. A public key can be copied repeatedly and given out to everybody.

You need both kinds of keys because they are fundamentally linked. You can pass your public key around to whomever you wish, but for any key to perform its decryption duty, it needs to be matched back to its linked key partner.

Both public and private keys have the ability to encrypt and (together as a set) decrypt information. Keys work in two primary ways:

In summary, your public and private keys (files) are linked by a powerful cryptographic algorithm that could only be decoded by major computer resources. No one else's keys can decipher messages to you that are encrypted with your public key. And no one else can pose as you, because their keys cannot send messages encrypted with your private key.
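
An added Node.js example (not Netscape's code) of the key behaviour summarized above, together with the all-recipients rule from "About Encryption" and the tampering check behind the message tampering warning. It is simplified: RSA is applied directly to a short message, the key pairs and addresses are constructed samples, and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the keys bound to one certificate.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Anyone holding the recipient's public key can scramble a message.
function encryptFor(publicKey, text) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(text, 'utf8'));
}

// Only the linked private key unscrambles it; any other key fails.
function decryptWith(privateKey, ciphertext) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
  } catch (err) {
    return null; // not the linked key: the message stays unreadable
  }
}

// Signing uses the sender's private key; checking uses the public key.
function sign(privateKey, text) {
  return crypto.sign('sha256', Buffer.from(text, 'utf8'), privateKey);
}

function verify(publicKey, text, signature) {
  return crypto.verify('sha256', Buffer.from(text, 'utf8'), publicKey, signature);
}

// All-or-nothing rule: refuse to encrypt unless every address in the list
// has a public key on file (keyring is a Map of address -> public key).
function encryptForAll(recipients, keyring, text) {
  const missing = recipients.filter((r) => !keyring.has(r));
  if (missing.length) throw new Error('no certificate for: ' + missing.join(', '));
  return new Map(recipients.map((r) => [r, encryptFor(keyring.get(r), text)]));
}

function demo() {
  const alice = newKeyPair();
  const bob = newKeyPair();
  const keyring = new Map([['alice@example.test', alice.publicKey]]);
  const text = 'Meet at noon';

  const ciphertext = encryptFor(alice.publicKey, text);
  const signature = sign(bob.privateKey, text);

  let refused = false;
  try {
    encryptForAll(['alice@example.test', 'carol@example.test'], keyring, text);
  } catch (err) {
    refused = true; // carol has not distributed a certificate
  }

  return {
    readByOwner: decryptWith(alice.privateKey, ciphertext),
    readByOther: decryptWith(bob.privateKey, ciphertext),
    signatureOk: verify(bob.publicKey, text, signature),
    tamperedOk: verify(bob.publicKey, text + '!', signature),
    wrongSignerOk: verify(alice.publicKey, text, signature),
    refused,
  };
}

console.log(demo());
```
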


About Netscape's Security Technology

The Internet security technology developed by Netscape Communications to ensure private and authenticated communications (called SSL, short for Secure Sockets Layer protocol) is an open platform put into the public domain for the Internet community. Netscape Navigator and Netscape's SSL servers offer this nonproprietary technology.

The security features built into Netscape Navigator and SSL servers help protect your Internet communications with:

Without thorough encryption capabilities, information transmitted over the Internet is more susceptible to fraud and other misuse by intermediaries. Information traveling between your computer and a server uses a routing process that can extend over many computer systems. Any one of these computer systems represents an intermediary with the potential to access the flow of information between your computer and a trusted server. Encryption makes it more difficult for intermediaries to deceive you, eavesdrop on you, copy from you, or damage your communications. The Internet does not provide built-in encryption capabilities.

The SSL protocol delivers server authentication, data encryption, and message integrity. SSL is layered beneath application protocols such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP, and layered above the connection protocol TCP/IP. This strategy allows SSL to operate independently of the Internet application protocols.

The SSL protocol works as an adjunct to other protocols without limiting access capabilities. You can use Netscape Navigator to display either encrypted or unencrypted pages. Online forms can be encrypted if the submit action is an https:// URL to an SSL server.

You can save an encrypted page (though encrypted pages are not cached to disk across sessions). You can also view the HTML source of an encrypted page. Encryption affects the transmission of a page without affecting your ability to manipulate the page.

The Degree of SSL Security Protection

SSL uses authentication and encryption technology developed by RSA Data Security. For example, Netscape Navigator's export implementation of SSL (U.S. government approved) uses a medium-grade, 40-bit key size for the RC4 stream encryption algorithm. The encryption established between you and a server remains valid over multiple connections, yet the effort expended to defeat the encryption of one message cannot be simply leveraged to defeat the next message.

A message encrypted with 40-bit RC4 takes, on average, 64 MIPS-years to break (a 64-MIPS computer needs a year of dedicated processor time to break the message's encryption). The high-grade, 128-bit U.S. domestic version provides exponentially greater protection. The effort required to break any given exchange of information is a formidable deterrent. Server authentication uses RSA public key cryptography in conjunction with ISO X.509 digital certificates.

Netscape Navigator and SSL servers deliver server authentication using signed digital certificates issued by trusted third parties known as certificate authorities. A digital certificate verifies the connection between a server's public key and the server's identification (just as a driver's license verifies the connection between your photograph and your personal identification).

Cryptographic checks, using digital signatures, help you trust the information within a certificate.