Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: how to secure a commercial web site
From: info () biledge com
Date: Wed, 12 May 2004 14:02:16 +0300

Jeffrey, if i get what i pay for, i would do it..but this is the problem, they are not
secure enough, i can see this with my half knowledge..it means even if i pay for a certificate,
the reality will remain same : the security is depending on the user's computer's security. 
and even if every user has its own private key, it wont be a solution. am i making a 'terrible'
mistake in my thinking ??
..
alternative (and weak) thought : if i prepare my web page as https and if i put it into a secure 
server, and if i create my own certificate; will i have a 'secure' system ?
 
thank you for your patience,
regards,
bilur

On 11 May 2004 at 9:51, Levenglick, Jeff wrote:

James,

I think he was only asking/looking at ssl. We would have a very
long email if we were to talk about security. (Firewall,app level
security, tokens, secure os ....ect)

It is very common and cheap for people to want to just setup a quick
web server for business. (ssl) Secure? Not really, but what really is?
Expensive? Yes.. you get what you pay for. 

Jeffrey 

-----Original Message-----
From: Brown, James F. [mailto:James.F.Brown () fmr com]
Sent: Tuesday, May 11, 2004 09:26 AM
To: Levenglick, Jeff; info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


There is a LOT more to security than having a certificate on your
server. It's necessary, but not sufficient.

================================
James F. Brown, CISM
Sr. Director, Information Security
Fidelity Investments
james.f.brown AT fmr.com
http://www.fidelity.com


-----Original Message-----
From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] 
Sent: Tuesday, May 11, 2004 8:58 AM
To: info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


Bilur,

You can buy your own cert server. (RSA Keon for example) 
At that point, you can create your own certs. (expire them when you
want..ect)

Also..

You then have two options.

1) Pay a fee and have your cert server 'trusted' via Verisign or other
CA's
or
2) Leave it 'private' and just provide your CA cert to the users so they
will
trust you. (if you don't it will still work. They will just see a
message about
trusting your site)


Jeffrey 
-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: Tuesday, May 11, 2004 05:12 AM
To: webappsec () securityfocus com
Subject: how to secure a commercial web site


hi,
i am trying to secure -SSL certificated- a commercial web site without
using verisign, global 
sign, etc. it seems there is a monopoly an i want to be out of it. does
anyone know a better 
way to secure the web site or do i have to pay money, (even) for
security ?   
regards, bilur


-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.

-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]