Hello,
I have a web based application for our internet. I see some sites have
https, called certificate. I have the following questions:
1. I am wondering if it is really required to have a certificate if you are
keeping some confidential data in your database.
2. Where exactly is security increased with https?
3. Is there a way to get certificate for free for testing purposes?
Thanks
Hi Jim:
On Sat, 9 Jul 2005 11:32:05 -0700, JIM.H.
<JI**@discussions.microsoft.com> wrote:
> Hello, I have a web based application for our internet. I see some sites have https, called certificate. I have the following questions:
> 1. I am wondering if it is really required to have a certificate if you are keeping some confidential data in your database.
If you send confidential information over the Internet, like a credit
card number, then you'll want to use the HTTPS protocol, which does
require a certificate.
It's not really about what is in your database, but what you are
sending across the network wire.
> 2. Where exactly is security increased with https?
Two things happen with https.
First, the traffic between the server and the client is encrypted. If
I put a packet sniffer in the network path between your server and one
of your clients and try to pick up credit card numbers, HTTPS will
keep the number hidden from me.
Secondly, the certificate you put in place for HTTPS allows the client
to verify the identity of the server. The client can make sure https://jimsserver.com is really jimsserver and not someone trying to
spoof or phish and trick them into typing in a credit card number.
> 3. Is there a way to get certificate for free for testing purposes? Thanks
Yes, there is the makecert.exe tool that comes with the .NET SDK. You
can find docs on the tool here: http://msdn.microsoft.com/library/de...akecertexe.asp
HTH,
--
Scott http://www.OdeToCode.com/blogs/scott/
> It's not really about what is in your database, but what you are sending across the network wire.
That's right. Just note that according to this, if you keep the app on one
server and the database on another and the servers talk over the internet, you
will need 2 certificates: one for securing browser - web server channel and
another for web server - database server one.
Eliyahu
Scott,
Thank you very much. Great help. I have two more questions?
1. I am wondering if asp.net brought any extra security concerning avoiding
sniffing comparing to asp? My understanding it is a compiled version, doesn’t
that make sniffing a little bit difficult?
2. If I create this certificate, how should I use it and call through https?
Thanks,
Hi Eliyahu,
That is my case, my application is in DMZ machine and database is on the
server in our domain. So should I use the same certificate on both servers?
Thanks,
First of all, you never can use the same certificate on multiple servers for
the simple reason that a certificate is always issued for a particular
server.
In your case you should somehow secure the communication between the DMZ
machine and the server. You can do it with SSL but you don't have to. You
might want to use IPsec instead. Google for something like "ssl ipsec dmz"
for more info, or, better, get an expert's advice.
Eliyahu
1. Scott was referring to network sniffing. That is on the way between
server and client. Compiled code is on the server and doesn't get
transferred to the client.
2. All you need to do is to change http://... to https://... Note, that if
you create a certificate yourself, every client on the first request will be
greeted with a popup dialog asking if the client is willing to trust your
certificate.
Eliyahu
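The trust prompt and the "issued for a particular server" point discussed in this thread, as an added example that is not part of any post: it uses the OpenSSL command line rather than makecert.exe, and the host names `jimsserver.com` and `other.example` and all function names are constructed for illustration. Passing the certificate as its own trusted root stands in for the user accepting it.

```shell
#!/bin/sh
# Constructed demo: jimsserver.com and other.example are sample names.
WORK=$(mktemp -d)

# Create a self-signed test certificate for host name $1 (the OpenSSL
# counterpart of a makecert.exe test certificate; no CA is involved).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Run the two checks a client makes on the server certificate:
# does it chain to a trusted root, and was it issued for this host name?
# $1 = file of extra trusted roots ("" = default trust store only)
# $2 = host name the client asked for
client_accepts() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$2" \
            "$WORK/cert.pem" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
    fi
}

report() {  # $1 = label, remaining arguments = check to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_test_cert jimsserver.com
# No trusted issuer: this is the case that produces the browser prompt.
report "untrusted self-signed cert" client_accepts "" jimsserver.com
# The user (or an administrator) has chosen to trust this certificate.
report "after trusting the cert" client_accepts "$WORK/cert.pem" jimsserver.com
# Trusted, but presented by a server with a different name.
report "same cert on another host" client_accepts "$WORK/cert.pem" other.example
```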