Q: certificate

Hello,
I have a web based application for our internet. I see some sites have
https, called certificate. I have the following questions:
1. I am wondering if it is really required to have a certificate if you are
keeping some confidential data in your database.
2. Where exactly is security increased with https?
3. Is there a way to get certificate for free for testing purposes?
Thanks

Nov 19 '05 #1
Hi Jim:

On Sat, 9 Jul 2005 11:32:05 -0700, JIM.H.
<JI**@discussions.microsoft.com> wrote:
> Hello,
> I have a web based application for our internet. I see some sites have
> https, called certificate. I have the following questions:
> 1. I am wondering if it is really required to have a certificate if you are
> keeping some confidential data in your database.

If you send confidential information over the Internet, like a credit
card number, then you'll want to use the HTTPS protocol, which does
require a certificate.

It's not really about what is in your database, but what you are
sending across the network wire.

> 2. Where exactly is security increased with https?

Two things happen with https.

First, the traffic between the server and the client is encrypted. If
I put a packet sniffer in the network path between your server and one
of your clients and try to pick up credit card numbers, HTTPS will
keep the number hidden from me.

Secondly, the certificate you put in place for HTTPS allows the client
to verify the identity of the server. The client can make sure
https://jimsserver.com is really jimsserver and not someone trying to
spoof or phish and trick them into typing in a credit card number.

> 3. Is there a way to get certificate for free for testing purposes?
> Thanks


Yes, there is the makecert.exe tool that comes with the .NET SDK. You
can find docs on the tool here:
http://msdn.microsoft.com/library/de...akecertexe.asp

HTH,

--
Scott
http://www.OdeToCode.com/blogs/scott/

Nov 19 '05 #2
> It's not really about what is in your database, but what you are
> sending across the network wire.

That's right. Just note that according to this, if you keep the app on one
server and the database on another and the servers talk over internet, you
will need 2 certificates: one for securing browser - web server channel and
another for web server - database server one.

Eliyahu
Nov 19 '05 #3
Scott,
Thank you very much. Great help. I have two more questions:
1. I am wondering if asp.net brought any extra security concerning avoiding
sniffing compared to asp? My understanding is that it is a compiled version; doesn't
that make sniffing a little bit difficult?
2. If I create this certificate, how should I use it and call through https?
Thanks,

Nov 19 '05 #4
Hi Eliyahu,
That is my case: my application is on a DMZ machine and the database is on the
server in our domain. So should I use the same certificate on both servers?
Thanks,

Nov 19 '05 #5
First of all, you never can use the same certificate on multiple servers for
the simple reason that a certificate is always issued for a particular
server.

In your case you should somehow secure the communication between the DMZ
machine and the server. You can do it with SSL but you don't have to. You
might want to use IPsec instead. Google for something like "ssl ipsec dmz"
for more info, or, better, get an expert's advice.

Eliyahu

Nov 19 '05 #6
1. Scott was referring to network sniffing. That is on the way between
server and client. Compiled code is on the server and doesn't get
transferred to the client.

2. All you need to do is to change http://... to https://... Note that if
you create a certificate yourself, every client on the first request will be
greeted with a popup dialog asking if the client is willing to trust your
certificate.

Eliyahu

Nov 19 '05 #7
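
An added example, not part of the original thread: it shows the two checks a client makes on a server certificate, which are what lie behind the trust prompt for a self-made certificate and behind a certificate being issued for a particular server. It assumes the OpenSSL command line (1.1.1 or later) in place of makecert.exe, and the hostnames are constructed samples.

```shell
#!/usr/bin/env bash
# Added example. Hostnames are constructed samples; openssl stands in for makecert.exe.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test certificate bound to one hostname (CN and SAN).
make_test_cert() {  # $1 = hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Chain check: succeeds only if the certificate chains to a trusted root.
# $1 = certificate, $2 = optional file of extra trusted roots.
chain_trusted() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Name check: does the certificate cover the host the client asked for?
name_matches() {  # $1 = certificate, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

make_test_cert jimsserver.example
CERT="$WORK/jimsserver.example.pem"

# 1. Untrusted issuer: this is the condition behind the browser's trust prompt.
chain_trusted "$CERT" && echo "default roots: trusted" || echo "default roots: NOT trusted"
# 2. After the client explicitly trusts the test certificate, the chain check passes.
chain_trusted "$CERT" "$CERT" && echo "after import: trusted" || echo "after import: NOT trusted"
# 3. The certificate is valid only for the name it was issued to.
for host in jimsserver.example dbserver.example; do
  name_matches "$CERT" "$host" && echo "$host: name matches" || echo "$host: name does NOT match"
done
```

For a test deployment, importing the test certificate into each test client's trusted roots is what makes check 1 pass without a prompt; check 3 still fails for any hostname the certificate was not issued to.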
