Encrypting WWW communication

By default, communication between a web server and a browser is unencrypted. This means that a third party sitting between the server and the client can read all passwords and page contents in transit. You can prevent this by using the SSL protocol, which encrypts the network communication between server and browser. With an SSL-enabled browser (such as Mozilla Firefox, Chrome, Galeon, Opera, Konqueror, Internet Explorer, w3m) you encrypt the communication between server and browser simply by using URLs of the form https://www.cs.helsinki.fi/ (that is, the https protocol instead of the http protocol).


How do you allow only encrypted communications?

If a page contains sensitive information, or access to it is authenticated with a password, it is best to prevent the page from being read over an unencrypted protocol. You can do this by adding the following lines to the .htaccess file of the directory that contains the page:

# Require that the browser uses SSL-encryption
SSLRequireSSL

At https://www.cs.helsinki.fi/u/jjaakkol/private/ there is a page that you can only read with SSL encryption, and where users are required to use the username guest and the password demo.


Certificates in protected web services

The CS Department web services with SSL/TLS protection (protected web pages, protected reading and sending of e-mail) have certificates. The certificate for each service includes the name of the server and other information, as well as the digital signature of a trusted certificate authority. In practice, this certificate tells the user that the server really is the one it claims to be.

The certificates used by CS Department services are signed by either HY-CA or Equifax. HY-CA is the certificate authority of the University of Helsinki. Equifax is a commercial enterprise that sells certificates to its clients. The most popular browsers and network programs come with the root certificates of Equifax already installed, so their users do not have to take any measures to install separate root certificates in order to use encryption.


Installing the HY-CA root certificate

Install the HY-CA root certificate in your mail client and web browser before using encrypted services. When you have installed the root certificate, all certificates signed by HY-CA will be identified automatically, and only possibly malicious servers will generate a notification. (If the HY-CA root certificate has not been installed, each server that uses a certificate signed by the HY-CA root certificate will generate a notification of an unknown certificate.)

The HY-CA root certificate is pre-installed in all the recommended web browsers and e-mail clients at the Department of Computer Science.

For use at home and other remote access, you need to install the root certificate yourself in accordance with the guidelines of the IT Department (Linux/Pine/OpenSSL: see this guide, as well).
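The following script is an added example and not part of the original page or the Department's own tooling. It builds a throw-away certificate authority and a server certificate signed by it, then shows with openssl what the two sections above describe: a client that has the CA's root certificate installed accepts the server, a client without it gets an "unknown certificate" result, and the server name in the certificate is checked against the host the client meant to reach. It assumes OpenSSL 1.1.1 or later on the path; "demo-ca" and "www.example.test" are constructed names, not HY-CA or any real CS Department server.

```shell
#!/bin/sh
# Added example, not part of the original page. A throw-away certificate
# authority and a server certificate signed by it, used to show how a client
# behaves with and without the CA's root certificate installed.
# "demo-ca" and "www.example.test" are constructed (hypothetical) names,
# not HY-CA or any real CS Department server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The certificate authority: a self-signed root certificate, playing the
#    role of the HY-CA root that the page says the user must install.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-ca (constructed root)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The server's key and a certificate request carrying the server's name.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the request. This signature is what a client checks to
#    decide that the server really is the one it claims to be.
openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# A client WITHOUT the root certificate installed: only the system's default
# trust store is consulted, which does not contain demo-ca, so the chain
# cannot be built. This is the "unknown certificate" notification.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# A client WITH the root certificate installed (-CAfile stands in for the
# root certificate installed in the browser). The chain builds and the
# certificate is accepted without any notification.
verify_with_root() {
    openssl verify -no-CApath -CAfile "$WORK/ca.crt" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Same trusted root, but also check that the name in the certificate matches
# the host the client wanted ($1). A valid signature alone is not enough;
# the certificate must be for the right server.
verify_hostname() {
    openssl verify -no-CApath -CAfile "$WORK/ca.crt" \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Walk through the situations and print the outcome of each.
if verify_without_root; then
    echo "no root installed:  accepted (unexpected)"
else
    echo "no root installed:  unknown certificate"
fi
if verify_with_root; then
    echo "root installed:     accepted"
fi
if verify_hostname www.example.test; then
    echo "name matches:       accepted"
fi
if verify_hostname other.example.test; then
    echo "name mismatch:      accepted (unexpected)"
else
    echo "name mismatch:      rejected"
fi
```

Each verify function exits with status 0 when openssl accepts the certificate and non-zero when it does not, so the script can be reused as a check in a shell pipeline. The "no root installed" case is exactly what a browser reports as an unknown certificate when the HY-CA root has not been installed, and the hostname check is why a certificate issued for one server cannot be reused for another.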

12.08.2010 - 13:18 Pasi Vettenranta
21.09.2009 - 13:11 Webmaster