Secure Sockets Layer (SSL) is a critical part of security, but many FileMaker developers don’t know much about it. We all use it, probably every day, but most of us have not had to set it up or really understand how it actually works. Maybe we think of it as some sort of voodoo that happens behind the scene, and as a user, that’s fine; there’s no need to understand it any more than that. But as a developer or a server administrator who has to set it up, it can be helpful to know a bit more about how it works.
I’ve invested some time learning about SSL and even presented a session at the 2017 FileMaker DevCon called “Demystifying SSL.”
What is an SSL Certificate?
Let’s take a closer look at how SSL works. When you set up SSL, you have to get this thing called a certificate. If you’re new at this, you may have the following questions:
- What is a certificate?
- What is being certified?
- What is contained inside the certified?
- Why do I have to pay some other company (with this funny name “certificate authority”) to give me one of these?
- Why can’t I just use the standard certificate that comes by default when you install FileMaker Server?
If you’ve never set up SSL before, I’m sure you’ll have at least a few of the above questions. If you’re considering using SSL, the somewhat convoluted setup process may scare you off. In fact, unless there is a very explicit demand or requirement that SSL is used, you may decide not to even bother with it. The process of getting the certificate and the process of installing it might just seem too involved to be worth it.
And I bet many developers have made such a decision for these reasons, and they’re able to get away with it, because, well, if you don’t use SSL, all of the functionality is still there. Everything still seems to work just fine.
Why You Need to Use SSL With FileMaker
So, if that’s true, why do we bother with SSL? I answer this question in some detail in my session, but in short, we use SSL to prevent eavesdropping, data tampering, and impersonation. The security principles underlying these three objectives are called confidentiality, integrity, and authenticity.
DevCon Session Overview
The goal of my DevCon session was to demystify the whole thing – to break it down into parts, explain each of the constituent parts, and share why each step of the process is necessary.
The session covered the following topics:
General SSL background
- Why use SSL: objectives and security principles
- Difference between encryption and encoding
- Symmetric and asymmetric encryption methods and the key distribution problem
- Message authentication codes (MAC)
- SSL certificates: what is being certified, what is inside a certificate, what is a certificate authority, and how digital signatures work
- Chain of trust, root certificates, and root certificate stores
- SSL handshake
- Certificate validation methods: domain (DV), organization (OV), extended (EV)
- Certificate types: single domain, multi-domain, and wildcard
Getting and installing an SSL certificate for FileMaker Server and FileMaker Cloud
- Certificate signing requests (CSR)
- Certificate authority landscape
- Proving domain control: email challenge response, file lookup over HTTP, DNS lookup
- Installing the certificate and testing
- Alternate scenarios: multiple servers
- Making changes to a certificate
- Patching SSL
- Review question: Why should the standard FileMaker Server certificate not be used in production?
Watch the Video
Have Questions on Implementing SSL?
My team and I are happy to answer any other questions you have about how to use SSL with your FileMaker solution. You can either ask in a comment below or contact us directly.