Page 2 of 3 (results 26 to 50 of 59)
  1. #26
    SitePoint Member
    Join Date
    Dec 2009
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Again, it depends on the security level needed.

  2. #27
    SitePoint Enthusiast
    Join Date
    Nov 2004
    Location
    UK
    Posts
    32
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Fairly annoying nowadays that one can't self-sign certificates as 'modern' browsers in their 'phishing war' attempts flag you up as potentially an issue. It's a good thing really but you're left choosing when best to actually 'shell out moola' for a 'real' certificate!

    Definitely anything to do with e-commerce, even if it's just on the shopping cart and/or member area before you fling customers off to a payment processor.

    Giving your users that extra 'touch' of security is worth every penny.

  3. #28
    SitePoint Member
    Join Date
    Dec 2009
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am very eager to know about the different types of tips for others in knowing about the SSL in a necessary manner. It helps others in meeting their satisfaction in a better way by achieving the best results for others. This is completely a fine type of solution for others in making the different types of results for their work to move in a well balanced manner.
    It is great stuff for others to get some techniques over there.

  4. #29
    SitePoint Enthusiast
    Join Date
    Sep 2008
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by eruna View Post
    The sites I mentioned do have the funds and technical expertise to make competent, security decisions and have decided ssl is not merited for their sites. This indicates the practice is up for debate.
    No. If you handle user data, secure it. If you can't secure it, don't store it. You don't store clear passwords, you HMAC them; so why let anyone between the user's computer and your server see their password / auth cookies in the clear?
    If you connect from work, you already pass through a lot of things people have access to.
    If you use TOR, the entry and end points see what you're sending.
    How many different and secure passwords do you use on different websites? Would you like someone to try to use your login / pwd on other sites?

    SSL should be the standard.
    And if big sites are your references, you should not forget that even mighty Google got caught with a CSRF hole the size of a moon in gmail.
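A worked example added here (it is not part of any post in this thread) of what the point above about passwords and auth cookies "in the clear" means in practice: a small Python parser that lifts the login fields and the session cookie out of a captured plaintext HTTP POST, and returns nothing for a TLS record because the payload is opaque. The captured request, the host forum.example.org, the user and the password are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample, not a real capture: a login form POSTed over plain HTTP,
# exactly as it appears to anyone on the path (open wireless, a shared LAN, the
# office proxy, the Tor exit). Host, username and password are made up.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: sessionid=8f3a2c9d1e\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=alice&password=Tr0ub4dor"
)

# Constructed TLS record (application_data, TLS 1.2, 32 opaque bytes): the same
# observer watching an HTTPS connection sees only this.
CAPTURED_TLS = b"\x17\x03\x03\x00\x20" + bytes(range(32))

SECRET_FIELD = re.compile(r"pass|pwd|user|login|email", re.IGNORECASE)


def looks_like_tls(raw: bytes) -> bool:
    """TLS record header: content type 20..23, then major version 3."""
    return len(raw) >= 3 and 0x14 <= raw[0] <= 0x17 and raw[1] == 0x03 and raw[2] <= 0x04


def split_http_request(raw: bytes):
    """Return (method, path, headers, body) for one HTTP/1.x request, or None if it is not one."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("ascii"), parts[1].decode("latin-1"), headers, body


def extract_credentials(raw: bytes) -> Optional[dict]:
    """Lift login fields and cookies out of one plaintext request; None when nothing is readable."""
    if looks_like_tls(raw):
        return None
    parsed = split_http_request(raw)
    if parsed is None:
        return None
    method, path, headers, body = parsed
    found = {"host": headers.get("host"), "path": path, "cookies": {}, "fields": {}}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            found["cookies"][name] = value  # the auth cookie is as good as the password
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        form = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
        for key, values in form.items():
            if SECRET_FIELD.search(key):
                found["fields"][key] = values[0]
    return found


def harvest(captures: List[bytes]) -> List[dict]:
    """Run over a list of captured requests and keep only those that leaked something."""
    results = []
    for raw in captures:
        found = extract_credentials(raw)
        if found and (found["fields"] or found["cookies"]):
            results.append(found)
    return results
```

The cookie is worth as much attention as the password field: once the login is done, every later request over plain HTTP carries the session cookie, so a sniffer does not even need the password to act as the user.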

  5. #30
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Arkh View Post
    SSL should be the standard.
    That would be impossible, to give every login an SSL connection. A, you will need a certificate; self-signed is fine for controlled systems but not public. B, you will need a dedicated IP, one for every domain. Not a cheap proposition. You also have to take traffic into consideration. Lots of traffic without a large infrastructure would topple over with the overhead of de/encryption.

    And if big sites are your references, you should not forget that even mighty Google got caught with a CSRF hole the size of a moon in gmail.
    Hmm...I fail to see how that has anything to do with SSL and encryption.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  6. #31
    SitePoint Member
    Join Date
    Dec 2009
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The chances of data being intercepted while en route over the internet are SO tiny. I'd be far more worried about the security of the data at the end points, where it is stored.

    The only place I'd worry about snooping data is if your clients are using unsecured wireless access points. Unfortunately that has made things far more snoopable.

  7. #32
    SitePoint Enthusiast
    Join Date
    Sep 2008
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by logic_earth View Post
    That would be impossible to give every login an SSL connection. A, you will need a certificate, self-signed is fine for controlled systems but not public.
    $30 per year. Is that too much?
    Quote Originally Posted by logic_earth View Post
    B, you will be needing a dedicated IP one for every domain. Not an cheap propitiation. You also have to take traffic into consideration. Lots of traffic without a large infrastructure would topple over with the overhead of de/en-cryption.
    So, you need a dedicated server. For security of your user's data, shared is already a no-no.

    If you don't want to invest in security, don't store your user's data.

    Quote Originally Posted by somebodyone View Post
    The chances of data being intercepted while en route over the internet are SO tiny.
    Check your router's logs.
    Now, imagine if this piece of hardware is not in your control but in your network's admin.

    Just to let you understand how snooping can happen stupidly : http://www.schneier.com/blog/archive...y_and_t_1.html

  8. #33
    We're from teh basements.
    Join Date
    Apr 2007
    Posts
    1,205
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by eruna View Post
    The auto assignment of password ensures that the password is unique.
    Initially. Given a random string (for example) that holds no mnemonic cues, a user is more likely to change their password to something that is easier for them to memorize. Worse, many users would have to write it down so as not to lose it. I have so many nonsensical passwords at work that have so many constraints (e.g., "must contain at least one special character") and am required to change them so frequently that I couldn't possibly memorize them all.

  9. #34
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,786
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by logic_earth View Post
    you will be needing a dedicated IP one for every domain.
    With hundreds of domains currently in existence for every usable IPv4 address, that can't possibly be done until the entire internet switches to IPv6.

    Once the internet is on IPv6 there will be so many thousands of IP addresses available for each person that a separate IP address for each domain name will be standard.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
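An added example, not code from this or the earlier post it answers: the "dedicated IP for every domain" argument assumes the server cannot tell which name the client wants before it has to pick a certificate. The TLS Server Name Indication extension (RFC 6066) carries that name in the ClientHello, so one IP address can serve several certificates. The Python below builds the extension bytes, parses them back with bounds checks, and shows how a single listener would choose a certificate per connection. The hostnames and the certificate table are hypothetical; clients that send no SNI still get whatever default certificate the server presents, which is the remaining caveat.

```python
import struct
from typing import Dict, Optional

SNI_EXTENSION_TYPE = 0x0000  # server_name, RFC 6066 section 3
HOST_NAME = 0                # NameType.host_name, the only type RFC 6066 defines

# Hypothetical certificate table for one listener on one IP address.
CERTS_BY_NAME: Dict[str, str] = {
    "forum.example.org": "cert-forum",
    "shop.example.net": "cert-shop",
}


def build_sni_extension(hostname: str) -> bytes:
    """Encode the server_name extension a client places in its ClientHello."""
    name = hostname.encode("ascii")  # RFC 6066: ASCII (A-label) host name, no trailing dot
    server_name = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni_extension(data: bytes) -> Optional[str]:
    """Decode one server_name extension; every length field is checked against the bytes present."""
    if len(data) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError("not a server_name extension")
    body = data[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("extension body truncated")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("server_name_list length mismatch")
    pos = 2
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("server_name entry truncated")
        name_type = body[pos]
        (name_len,) = struct.unpack("!H", body[pos + 1:pos + 3])
        name = body[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("host_name truncated")
        pos += 3 + name_len
        if name_type == HOST_NAME:
            return name.decode("ascii")
    return None  # well-formed list, but no host_name entry


def is_well_formed_sni(data: bytes) -> bool:
    try:
        parse_sni_extension(data)
    except ValueError:
        return False
    return True


def select_certificate(sni_extension: Optional[bytes], certs_by_name: Dict[str, str], default_cert: str) -> str:
    """What one listener on one IP does per connection: pick the certificate for the requested name."""
    if sni_extension is None:
        return default_cert  # client sent no SNI; it gets the default certificate
    name = parse_sni_extension(sni_extension)
    return certs_by_name.get(name, default_cert)
```

Real servers read the name out of the whole ClientHello rather than an isolated extension, but the length checks shown are the ones a robust parser must make at each level: a malformed ClientHello from the network should be rejected, never indexed blindly.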

  10. #35
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Arkh View Post
    $30 per year. Is that too much ?
    A certificate from a root CA is more than $30/year. Unless you have a link to prices?

    So, you need a dedicated server. For security of your user's data, shared is already a no-no.
    A dedicated server is a different matter than a dedicated IP address. A dedicated server can still be sharing a range of IPs with other servers. And also, depending on the nature of the site and the traffic, one server may or may not be enough.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  11. #36
    SitePoint Member
    Join Date
    Dec 2009
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am very eager to know about the different types of tips for others in knowing about the SSL in a necessary manner. I built a site where users log in to access a document library. The data protected does not require a high degree of security so SSL was not used. They have a client complaining that their username and password are being transmitted in clear text and in return, complaining to me.

  12. #37
    We're from teh basements.
    Join Date
    Apr 2007
    Posts
    1,205
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Jaques Stimul View Post
    I am very eager to know about the different types of tips for others in knowing about the SSL in a necessary manner. I built a site where users log in to access a document library. The data protected does not require a high degree of security so SSL was not used. They have a client complaining that their username and password are being transmitted in clear text and in return, complaining to me.
    Unless the user doing the complaining represents more than a tiny percentage of your user base, I wouldn't worry about it.

  13. #38
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    "When is SSL necessary"
    whenever you send private information over the internet.

    the only reason you would not want to use ssl is when you don't want to pay for it or don't want the "insecure site" message appearing in the users browser.

    Encrypting passwords can be done by JavaScript.
    So it's not as good as SSL, but better than plain text.
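An added example in Python (not the poster's code, and not something the thread provides) of the difference between "hashing the password in JavaScript" and a challenge-response login. In the naive variant the client script sends sha256(password) and the server compares it with a stored copy, so a sniffed hash works exactly as well as the password. In the challenge-response variant the server stores a salted PBKDF2 verifier, issues a single-use random nonce, and the client proves knowledge of the verifier with an HMAC over that nonce; a captured proof does not work a second time. Usernames and passwords are made up.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # kept modest for the example; production tunes this upward


def make_verifier(password: str, salt: bytes) -> bytes:
    """Salted, stretched password verifier: stored server-side, recomputed client-side from the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def naive_client_hash(password: str) -> str:
    """What the 'hash it in JavaScript' page would send instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class NaiveServer:
    """Variant 1: client sends sha256(password); the server compares it with a stored copy.
    Anyone who sniffs that hash can log in with it, so the hash is the password."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = naive_client_hash(password)

    def verify(self, username: str, client_hash: str) -> bool:
        return hmac.compare_digest(self.users.get(username, ""), client_hash)


class ChallengeServer:
    """Variant 2: the server issues a single-use random nonce and expects HMAC(verifier, nonce)."""

    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, make_verifier(password, salt))

    def challenge(self, username: str):
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce  # replaces any older outstanding nonce
        return salt, nonce

    def verify(self, username: str, proof: bytes) -> bool:
        nonce = self.pending.pop(username, None)  # a nonce is consumed on first use
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def client_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the browser-side script computes; the password itself never leaves the client."""
    return hmac.new(make_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: ChallengeServer, username: str, password: str) -> bool:
    salt, nonce = server.challenge(username)
    return server.verify(username, client_proof(password, salt, nonce))


def replay(server: ChallengeServer, username: str, captured_proof: bytes) -> bool:
    """An observer who sniffed one proof tries it against a fresh challenge."""
    server.challenge(username)
    return server.verify(username, captured_proof)
```

What the challenge-response version still does not give you, and why it remains "not as good as SSL": the page and its script travel over plain HTTP, so an active attacker can rewrite the script to post the password in the clear; the session cookie issued after login is still sniffable; and a leak of the verifier table is password-equivalent for this scheme. It only closes the passive replay hole of the naive variant.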

  14. #39
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,786
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by YuriKolovsky View Post
    "When is SSL necessary"
    whenever you send private information over the internet.
    The majority of sites that use SSL are those that involve ecommerce and such. Most sites where the only "private" info are user ids and passwords don't bother to encrypt them unless there is considered to be something extremely valuable within the membership site.

    So forums such as this one do not bother to use SSL for the login because the info inside isn't considered to be needing that level of protection. If someone were to steal your account using a man-in-the-middle attack it wouldn't be too hard to get it back. Where someone capturing your userid and password from this site would be a problem is if you were silly enough to use the same password at your bank and the man-in-the-middle were able to figure out which bank you bank with so as to use the password captured here to access your bank account.

    That's why it is important to not use the same password for all the sites you access. At the very least each site where SSL is appropriate should have a different password that you don't use anywhere else. Sharing the same password between a few forum sites isn't such an issue.

    The only benefit to using SSL on sites such as forums would be to protect the passwords of those people silly enough to have used the same password both at the forum and at their bank but since they are also likely to have used the same password at other sites not using SSL it isn't actually making their password any more secure, it is just ensuring that the password gets stolen from the other forum instead of yours.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  15. #40
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    As you pointed out before felgall, people are stupid (if one can call it stupid, considering so many do it) to use the same password for everything, and when I answered that question I was answering what would be theoretically more correct: using SSL whenever private info is passed. This is not done in real life though, and as such people who earn by stealing info thrive on the internet.

    it is just ensuring that the password gets stolen from the other forum instead of yours.
    I think this is good enough :)

  16. #41
    SitePoint Addict
    Join Date
    Jun 2004
    Location
    Atlanta, GA
    Posts
    366
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by temmokan View Post
    Of course there's nothing to stop that. However, I will distrust the CA that issues a SSL to many a bad guy, that's all.
    This statement is rather silly. The CA does not do any kind of audit of your business process to make sure you are not a "bad guy" before they sell you a certificate. All they really verify is that you are the valid owner of the domain.

  17. #42
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,786
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The certificate serves two purposes.

    1. It provides asymmetrical encryption of the data while going from the browser to the server.
    2. It confirms the domain that the data is being sent to is actually abcbank.com and isn't abcbankspoof.com (but only if the person about to use the page actually checks the certificate to make sure which of those two certificates the current page has attached to it). From what I have seen few people actually bother to do this which is how many of the spoof attacks on bank web sites actually manage to successfully capture passwords.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  18. #43
    SitePoint Member
    Join Date
    Dec 2009
    Posts
    5
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SSL or Secure Sockets Layer is a security protocol created by Netscape that has become an international standard on the Internet for exchanging sensitive information between a website and the computer communicating with it, referred to as the client.
    SSL technology is embedded in all popular browsers and engages automatically when the user connects to a web server that is SSL-enabled. It's easy to tell when a server is using SSL security because the address in the URL window of your browser will start with https. The "s" indicates a secure connection.
    When your browser connects to an SSL server, it automatically asks the server for a digital Certificate of Authority (CA). This digital certificate positively authenticates the server's identity to ensure you will not be sending sensitive data to a hacker or imposter site. The browser also makes sure the domain name matches the name on the CA, and that the CA has been generated by a trusted authority and bears a valid digital signature. If all goes well you will not even be aware this handshake has taken place.
    However, if there is a glitch with the CA, even if it is simply out of date, your browser will pop up a window to inform you of the exact problem it encountered, allowing you to end the session or continue at your own risk.
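An added example covering the second purpose listed in post #42 and the certificate checks described in post #43; it is not code from either post. It reimplements, in simplified form, the checks a browser applies to the server's certificate: a name in the certificate's subjectAltName (or, failing that, the subject CN) must match the hostname, the validity period must cover the current time, and the issuer must be in the trust store. Signature verification over a real chain is left to the TLS library and not shown. The certificate dictionaries use the shape Python's ssl.SSLSocket.getpeercert() returns; the certificates, the issuer name and the trust store are constructed for the example.

```python
import ssl
from typing import List

# Constructed trust store: issuer organizationName values this client trusts.
TRUSTED_ISSUERS = {"Example Root CA"}

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
BANK_CERT = {
    "subject": ((("commonName", "abcbank.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "abcbank.com"), ("DNS", "*.abcbank.com")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}
SPOOF_CERT = {
    "subject": ((("commonName", "abcbankspoof.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "abcbankspoof.com"),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}


def seconds(cert_time: str) -> float:
    """Convert a certificate timestamp such as 'Jan  1 00:00:00 2010 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def dnsname_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard only as the whole leftmost label,
    matching exactly one label, and never directly under the top-level domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in label for label in labels[1:]):
        return False  # '*.com', 'ab*.example.com' and '*.*.example.com' are rejected
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def certificate_names(cert: dict) -> List[str]:
    """DNS names the certificate claims; the subject CN is only consulted when no DNS SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_certificate(cert: dict, hostname: str, now: float, trusted=TRUSTED_ISSUERS) -> List[str]:
    """Return the problems a browser would report; an empty list means the handshake proceeds silently."""
    problems = []
    if not any(dnsname_match(name, hostname) for name in certificate_names(cert)):
        problems.append("hostname mismatch")
    if now < seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > seconds(cert["notAfter"]):
        problems.append("certificate expired")
    issuer_orgs = {value for rdn in cert.get("issuer", ()) for key, value in rdn if key == "organizationName"}
    if not issuer_orgs & set(trusted):
        problems.append("issuer not trusted")
    return problems
```

The hostname check is the part that separates abcbank.com from abcbankspoof.com: a perfectly valid certificate for the spoof domain passes the date and issuer checks, so the browser must compare the certificate's names against the host it actually connected to, and a wildcard is deliberately allowed to cover only one label so that "*.abcbank.com" cannot be stretched to cover unrelated hosts.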

  19. #44
    SitePoint Member
    Join Date
    Dec 2009
    Location
    Netherlands
    Posts
    15
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi..

    Well... I don't think that in this case you need to use SSL. As only username and password are passed, there is no need to use SSL.

    You can do one thing: instead of passing them as a query string you can pass them using cookies or session variables.

    Thanks & Regards,
    From - www.vovol.nl
    Online Casino|Online Games - Netherlands

  20. #45
    SitePoint Member crat3rs's Avatar
    Join Date
    Dec 2009
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    An SSL certificate is necessary for your website's protection. It's necessary if you have an online store which accepts online orders and credit cards. An SSL certificate enables encryption of sensitive information during online transactions.

  21. #46
    SitePoint Guru
    Join Date
    Jan 2007
    Posts
    967
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by World Wide Weird View Post
    Initially. Given a random string (for example) that holds no mnemonic cues, a user is more likely to change their password to something that is easier for them to memorize. Worse, many users would have to write it down so as not to lose it. I have so many nonsensical passwords at work that have so many constraints (e.g., "must contain at least one special character") and am required to change them so frequently that I couldn't possibly memorize them all.
    One site I'm a member of made a password by combining random words rather than random letters. I've remembered it for the last 7 years.

  22. #47
    SitePoint Enthusiast
    Join Date
    Sep 2009
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SSL is only a means to pass data without a third party being able to intercept it. It makes your online trade safe.
    HostEase Hosting - Professional Web Hosting
    SoftLayer Datacenter ,99.9% Uptime Guarantee
    24/7 Technical Support | Call at (302)-353-4678
    Unbelievable Sales Promotion For The First Month!

  23. #48
    SitePoint Member dlprentice's Avatar
    Join Date
    Aug 2009
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Personal information = SSL; if not, then you're OK.

  24. #49
    SitePoint Enthusiast
    Join Date
    Jan 2010
    Posts
    29
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SSL (Secure Socket Layer) means that your application is secured from external hacking and your message is transmitted to its destination without being intercepted. It works on the private and public key concept. The web server sends an encrypted message with the certificate as the public key token. The browser validates the certificate and sends the response to the web server with encrypted data, and once the data is received by the browser it decrypts it with the private key token, so the public key encrypts and the private key decrypts. This is how transmission of data becomes secure. This SSL is 128 bit and works on URLs with HTTPS (S = Secured).
    Port 443 is used on the web server, and port 8080 for HTTP (unsecured transmission).

    The application like:
    Online Retail banking
    Consumer Banking
    Mutual Fund Sites
    Online Ecommerce with credit card gateway

  25. #50
    SitePoint Enthusiast
    Join Date
    Sep 2008
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    So forums such as this one do not bother to use SSL for the login because the info inside isn't considered to be needing that level of protection.
    It should. You already admitted that at least some of your users use the same password for other things, then you should help protect it.

    Quote Originally Posted by felgall View Post
    The only benefit to using SSL on sites such as forums would be to protect the passwords of those people silly enough to have used the same password both at the forum and at their bank but since they are also likely to have used the same password at other sites not using SSL it isn't actually making their password any more secure, it is just ensuring that the password gets stolen from the other forum instead of yours.
    Woot! "Others are not making any effort, so why should I?", gotta love this kind of thinking.

