Q: certificate

Guest

Hello,
I have a web based application for our internet. I see some sites have
https, called certificate. I have the following questions:
1. I am wondering if it is really required to have a certificate if you are
keeping some confidential data in your database.
2. Where exactly is security increased with https?
3. Is there a way to get certificate for free for testing purposes?
Thanks
 
Scott Allen

Hi Jim:

> Hello,
> I have a web based application for our internet. I see some sites have
> https, called certificate. I have the following questions:
> 1. I am wondering if it is really required to have a certificate if you are
> keeping some confidential data in your database.

If you send confidential information over the Internet, like a credit
card number, then you'll want to use the HTTPS protocol, which does
require a certificate.

It's not really about what is in your database, but what you are
sending across the network wire.
> 2. Where exactly is security increased with https?

Two things happen with https.

First, the traffic between the server and the client is encrypted. If
I put a packet sniffer in the network path between your server and one
of your clients and try to pick up credit card numbers, HTTPS will
keep the number hidden from me.

Secondly, the certificate you put in place for HTTPS allows the client
to verify the identity of the server. The client can make sure
https://jimsserver.com is really jimsserver and not someone trying to
spoof or phish and trick them into typing in a credit card number.
> 3. Is there a way to get certificate for free for testing purposes?
> Thanks

Yes, there is the makecert.exe tool that comes with the .NET SDK. You
can find docs on the tool here:
http://msdn.microsoft.com/library/d...l/cpgrfcertificatecreationtoolmakecertexe.asp

HTH,
 
Eliyahu Goldin

> It's not really about what is in your database, but what you are
> sending across the network wire.
That's right. Just note that according to this, if you keep the app on one
server and the database on another and the servers talk over internet, you
will need 2 certificates: one for securing browser - web server channel and
another for web server - database server one.

Eliyahu
 
Guest

Scott,
Thank you very much. Great help. I have two more questions?
1. I am wondering if asp.net brought any extra security concerning avoiding
sniffing comparing to asp? My understanding it is a compiled version, doesn’t
that make sniffing a little bit difficult?
2. If I create this certificate, how should I use it and call through https?
Thanks,
 
Guest

Hi Eliyahu,
That is my case, my application is in DMZ machine and database is on the
server in our domain. So should I use the same certificate in both server?
Thanks,
 
Eliyahu Goldin

First of all, you can never use the same certificate on multiple servers for
the simple reason that a certificate is always issued for a particular
server.

In your case you should somehow secure the communication between the DMZ
machine and the server. You can do it with SSL but you don't have to. You
might want to use IPsec instead. Google for something like "ssl ipsec dmz"
for more info, or, better, get an expert's advice.

Eliyahu
 
Eliyahu Goldin

1. Scott was referring to network sniffing. That is on the way between
server and client. Compiled code is on the server and doesn't get
transferred to the client.

2. All you need to do is to change http://... to https://... Note that if
you create a certificate yourself, every client on the first request will be
greeted with a popup dialog asking if the client is willing to trust your
certificate.

Eliyahu
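Added example, not from any of the posters above: the OpenSSL equivalent of Scott's makecert.exe suggestion, followed by the client-side trust check that explains Eliyahu's "popup" point. It assumes the openssl command line tool is installed and uses a made-up host name, jimsserver.example.

```shell
#!/bin/sh
# Constructed example: issue a self-signed test certificate and show why a
# client rejects it until the tester explicitly trusts it.
set -e

WORKDIR="${TMPDIR:-/tmp}/selfsigned-demo.$$"
mkdir -p "$WORKDIR"

# 1. Issue a self-signed certificate for the given (hypothetical) host name.
#    The host name goes into the subjectAltName, which is what clients check.
make_test_cert() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/$host.crt"
}

# 2. Verify the way a browser does on first contact: against the default
#    trust store, checking the expected host name. A self-signed cert has
#    no trusted issuer, so this reports "untrusted" (the popup case).
verify_default() {
  if openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# 3. Verify after the cert has been added as a trusted root, which is what
#    answering "yes" to the dialog amounts to. Host name is still checked.
verify_pinned() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

CERT=$(make_test_cert jimsserver.example)
echo "default store:  $(verify_default "$CERT" jimsserver.example)"
echo "explicit trust: $(verify_pinned "$CERT" jimsserver.example)"
echo "wrong host:     $(verify_pinned "$CERT" other.example)"
```

Only the test machine that imported the certificate will trust it; every other client still sees the warning, which is why a self-signed certificate is fine for testing but not for production.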
 