Home page logo
/

basics logo Security Basics mailing list archives

Re: How can I secure my site?
From: Walter Goulet <wgoulet () gmail com>
Date: Mon, 3 May 2010 14:20:57 -0500

Hi,

The most significant difference between a certificate you create
yourself (a self-signed certificate) vs. one you get from a CA is that
uses who visit your website will see a certificate error message since
the certificate is not signed by a root CA that is built into the
browser.

In order to avoid these errors, your users will have to accept the
self-signed certificate as an exception that is stored permanently in
their browser (until the certificate expires when they will have to do
it again).

In general, it is not a good security practice to use self-signed
certificates except in very controlled, specific environments like
corporate intranets or private networks. You will also find yourself
bogged down supporting users who are wondering what the error message
means and what steps they need to take to accept the certificate as an
exception.

For a full ad-nasueam treatment, I wrote a SANS gold paper on
assessing enterprise PKI deployments which has some good background on
certificates and how they are used in SSL:
http://www.sans.org/reading_room/whitepapers/auditing/analyzing-enterprise-pki-deployments_33284

Walter

On Sat, May 1, 2010 at 2:55 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby () gmail com> wrote:
Hello everybody. Thanks for your help.
I have not https folder on my host. When I asked my ISP they said that
you must pay 50$ for each SSL certificate. What is the difference
between SSL certificate that we purchase from certificate authorities
with others which created by ourselves?
According to I haven't https folder on host, How can I make it for myself?
Thanks for your considerations for these naive questions.


On Sat, May 1, 2010 at 10:17 AM, TAS <p0wnsauc3 () gmail com> wrote:
Hi Ali,

You can also have a self signed certificate created for free. It will be pretty much the same as a paid certificate 
but it just that you are yourself gonna be the issuer as opposed to an authority like CA or Verisign.

Secondly, it will be an good idea to get a pentest done before you go live with the website. This pen test will 
pretty much take care of your concerns with regards to security.

One your business flourishes you can afford to buy and certificate.

Cheers
TAS!

Sent from BlackBerry® - Vodafone

-----Original Message-----
From: Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com>
Date: Wed, 28 Apr 2010 09:12:40
To: <security-basics () securityfocus com>
Cc: Rockey<skg102 () gmail com>
Subject: Re: How can I secure my site?

HI. thanks for reply
I searched certificate authorities and I found that their certificates
are very expensive. for example lowest security level by Verisign is
500$. How can I prepare cheaper certificates? My business is small and
I can't refund for such expensive certificates.
thanks for any help

On Wed, Apr 28, 2010 at 8:29 AM, ㅤ ㅤRockey <skg102 () gmail com> wrote:
Hello,


  Well you can increase the level of security of your website by
getting SSL certificate for you website.
Further you can check for vulnerabilities if there are any. OWASP is a
good source for web application security.
Check out and you may find some good programming practices for web.


Cheers,
Rockey

On Wed, Apr 28, 2010 at 2:21 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby () gmail com> wrote:
Hi
I have written a php website. In this site I sell some license and
serial number. I need to protect serial numbers and user names and
passwords against sniffers and crackers. Now I want to secure this
site and encrypt sessions using https.
What do i have to do?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





--
It's all about Hacking and Security

http://h4ck3r.in/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





--
Ali Asghar Torabi

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]