Hello,
I have a web based application for our internet. I see some sites have
https, called certificate. I have the following questions:
1. I am wondering if it is really required to have a certificate if you are
keeping some confidential data in your database.
2. Where exactly is security increased with https?
3. Is there a way to get certificate for free for testing purposes?
Thanks
Hi Jim:
On Sat, 9 Jul 2005 11:32:05 -0700, JIM.H. <JI**@discussions.microsoft.com> wrote:
> Hello, I have a web based application for our internet. I see some sites have https, called certificate. I have the following questions:
> 1. I am wondering if it is really required to have a certificate if you are keeping some confidential data in your database.
If you send confidential information over the Internet, like a credit
card number, then you'll want to use the HTTPS protocol, which does
require a certificate.
It's not really about what is in your database, but what you are
sending across the network wire.
> 2. Where exactly is security increased with https?
Two things happen with https.
First, the traffic between the server and the client is encrypted. If
I put a packet sniffer in the network path between your server and one
of your clients and try to pick up credit card numbers, HTTPS will
keep the number hidden from me.
Secondly, the certificate you put in place for HTTPS allows the client
to verify the identity of the server. The client can make sure https://jimsserver.com is really jimsserver and not someone trying to
spoof or phish and trick them into typing in a credit card number.
> 3. Is there a way to get certificate for free for testing purposes?
> Thanks
Yes, there is the makecert.exe tool that comes with the .NET SDK. You
can find docs on the tool here: http://msdn.microsoft.com/library/de...akecertexe.asp
HTH,
--
Scott http://www.OdeToCode.com/blogs/scott/
> It's not really about what is in your database, but what you are sending across the network wire.
That's right. Just note that according to this, if you keep the app on one
server and the database on another and the servers talk over internet, you
will need 2 certificates: one for securing browser - web server channel and
another for web server - database server one.
Eliyahu
Scott,
Thank you very much. Great help. I have two more questions?
1. I am wondering if asp.net brought any extra security concerning avoiding
sniffing comparing to asp? My understanding it is a compiled version, doesn’t
that make sniffing a little bit difficult?
2. If I create this certificate, how should I use it and call through https?
Thanks,
Hi Eliyahu,
That is my case, my application is in DMZ machine and database is on the
server in our domain. So should I use the same certificate in both server?
Thanks,
First of all, you never can use the same certificate on multiple servers for
the simple reason that a certificate is always issued for a particular
server.
In your case you should somehow secure the communication between the DMZ
machine and the server. You can do it with SSL but you don't have to. You
might want to use IPsec instead. Google for something like "ssl ipsec dmz"
for more info, or, better, get an expert's advice.
Eliyahu
1. Scott was referring to network sniffing. That is on the way between
server and client. Compiled code is on the server and doesn't get
transferred to the client.
2. All you need to do is to change http://... to https://... Note, that if
you create a certificate yourself, every client on the first request will be
greeted with a popup dialog asking if the client is willing to trust your
certificate.
Eliyahu
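The trust prompt for a self-made certificate and the binding of a certificate to one server name, both discussed in this thread, can be checked by hand. This is an added example, not code from any poster: it uses the openssl command line instead of makecert.exe (assuming OpenSSL 1.1.1 or later is installed), and the host names app.test.example and db.test.example are constructed.

```shell
#!/usr/bin/env bash
# Added example; assumes the openssl CLI (1.1.1 or later), not makecert.exe.
# app.test.example and db.test.example are constructed host names.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test certificate issued for exactly one host name.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Chain check against the default trust store only. A self-signed
# certificate has no trusted issuer, which is why clients show a prompt.
trusted_by_default() {
  openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# The same check after the client explicitly trusts this certificate,
# the command-line equivalent of accepting or importing it.
trusted_when_imported() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Name check: does the certificate cover the host the client asked for?
cert_covers_host() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q "does match"
}

# report <label> <command...>: print accepted/rejected for one check.
report() {
  local label="$1"; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_test_cert app.test.example
report "default trust store"      trusted_by_default
report "after importing the cert" trusted_when_imported
report "name app.test.example"    cert_covers_host app.test.example
report "name db.test.example"     cert_covers_host db.test.example
```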