Re: How can I secure my site?

[Walter Goulet <wgoulet () gmail com>]

Hi,

The most significant difference between a certificate you create
yourself (a self-signed certificate) vs. one you get from a CA is that
uses who visit your website will see a certificate error message since
the certificate is not signed by a root CA that is built into the
browser.

In order to avoid these errors, your users will have to accept the
self-signed certificate as an exception that is stored permanently in
their browser (until the certificate expires when they will have to do
it again).

In general, it is not a good security practice to use self-signed
certificates except in very controlled, specific environments like
corporate intranets or private networks. You will also find yourself
bogged down supporting users who are wondering what the error message
means and what steps they need to take to accept the certificate as an
exception.

For a full ad-nasueam treatment, I wrote a SANS gold paper on
assessing enterprise PKI deployments which has some good background on
certificates and how they are used in SSL:
http://www.sans.org/reading_room/whitepapers/auditing/analyzing-enterprise-pki-deployments_33284

Walter

On Sat, May 1, 2010 at 2:55 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby () gmail com> wrote:
> Hello everybody. Thanks for your help.
> I have not https folder on my host. When I asked my ISP they said that
> you must pay 50$ for each SSL certificate. What is the difference
> between SSL certificate that we purchase from certificate authorities
> with others which created by ourselves?
> According to I haven't https folder on host, How can I make it for myself?
> Thanks for your considerations for these naive questions.
>
>
> On Sat, May 1, 2010 at 10:17 AM, TAS <p0wnsauc3 () gmail com> wrote:
> > Hi Ali,
> >
> > You can also have a self signed certificate created for free. It will be pretty much the same as a paid certificate 
> > but it just that you are yourself gonna be the issuer as opposed to an authority like CA or Verisign.
> >
> > Secondly, it will be an good idea to get a pentest done before you go live with the website. This pen test will 
> > pretty much take care of your concerns with regards to security.
> >
> > One your business flourishes you can afford to buy and certificate.
> >
> > Cheers
> > TAS!
> >
> > Sent from BlackBerry® - Vodafone
> >
> > -----Original Message-----
> > From: Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com>
> > Date: Wed, 28 Apr 2010 09:12:40
> > To: <security-basics () securityfocus com>
> > Cc: Rockey<skg102 () gmail com>
> > Subject: Re: How can I secure my site?
> >
> > HI. thanks for reply
> > I searched certificate authorities and I found that their certificates
> > are very expensive. for example lowest security level by Verisign is
> > 500$. How can I prepare cheaper certificates? My business is small and
> > I can't refund for such expensive certificates.
> > thanks for any help
> >
> > On Wed, Apr 28, 2010 at 8:29 AM, ㅤ ㅤRockey <skg102 () gmail com> wrote:
> > > Hello,
> > >
> > >
> > >   Well you can increase the level of security of your website by
> > > getting SSL certificate for you website.
> > > Further you can check for vulnerabilities if there are any. OWASP is a
> > > good source for web application security.
> > > Check out and you may find some good programming practices for web.
> > >
> > >
> > > Cheers,
> > > Rockey
> > >
> > > On Wed, Apr 28, 2010 at 2:21 AM, Ali Asghar Toraby Parizy
> > > <aliasghar.toraby () gmail com> wrote:
> > > > Hi
> > > > I have written a php website. In this site I sell some license and
> > > > serial number. I need to protect serial numbers and user names and
> > > > passwords against sniffers and crackers. Now I want to secure this
> > > > site and encrypt sessions using https.
> > > > What do i have to do?
> > > >
> > > > ------------------------------------------------------------------------
> > > > Securing Apache Web Server with thawte Digital Certificate
> > > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > > certificates.
> > > >
> > > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > > ------------------------------------------------------------------------
> > >
> > >
> > >
> > > --
> > > It's all about Hacking and Security
> > >
> > > http://h4ck3r.in/
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------
>
>
>
> --
> Ali Asghar Torabi
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------