RE: how to secure a commercial web site

[info () biledge com]

Jeffrey, if i get what i pay for, i would do it..but this is the problem, they are not
secure enough, i can see this with my half knowledge..it means even if i pay for a certificate,
the reality will remain same : the security is depending on the user's computer's security. 
and even if every user has its own private key, it wont be a solution. am i making a 'terrible'
mistake in my thinking ??
..
alternative (and weak) thought : if i prepare my web page as https and if i put it into a secure 
server, and if i create my own certificate; will i have a 'secure' system ?
 
thank you for your patience,
regards,
bilur

On 11 May 2004 at 9:51, Levenglick, Jeff wrote:

> James,
>
> I think he was only asking/looking at ssl. We would have a very
> long email if we were to talk about security. (Firewall,app level
> security, tokens, secure os ....ect)
>
> It is very common and cheap for people to want to just setup a quick
> web server for business. (ssl) Secure? Not really, but what really is?
> Expensive? Yes.. you get what you pay for. 
>
> Jeffrey 
>
> -----Original Message-----
> From: Brown, James F. [mailto:James.F.Brown () fmr com]
> Sent: Tuesday, May 11, 2004 09:26 AM
> To: Levenglick, Jeff; info () biledge com; webappsec () securityfocus com
> Subject: RE: how to secure a commercial web site
>
>
> There is a LOT more to security than having a certificate on your
> server. It's necessary, but not sufficient.
>
> ================================
> James F. Brown, CISM
> Sr. Director, Information Security
> Fidelity Investments
> james.f.brown AT fmr.com
> http://www.fidelity.com
>
>
> -----Original Message-----
> From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] 
> Sent: Tuesday, May 11, 2004 8:58 AM
> To: info () biledge com; webappsec () securityfocus com
> Subject: RE: how to secure a commercial web site
>
>
> Bilur,
>
> You can buy your own cert server. (RSA Keon for example) 
> At that point, you can create your own certs. (expire them when you
> want..ect)
>
> Also..
>
> You then have two options.
>
> 1) Pay a fee and have your cert server 'trusted' via Verisign or other
> CA's
> or
> 2) Leave it 'private' and just provide your CA cert to the users so they
> will
> trust you. (if you don't it will still work. They will just see a
> message about
> trusting your site)
>
>
> Jeffrey 
> -----Original Message-----
> From: info () biledge com [mailto:info () biledge com]
> Sent: Tuesday, May 11, 2004 05:12 AM
> To: webappsec () securityfocus com
> Subject: how to secure a commercial web site
>
>
> hi,
> i am trying to secure -SSL certificated- a commercial web site without
> using verisign, global 
> sign, etc. it seems there is a monopoly an i want to be out of it. does
> anyone know a better 
> way to secure the web site or do i have to pay money, (even) for
> security ?   
> regards, bilur
>
>
> -----------------------------------------
> This e-mail message is private and may contain confidential or
> privileged information.
>
> -----------------------------------------
> This e-mail message is private and may contain confidential or privileged information.