securing a website

Anon

Hello folks,

Is it possible to have a website hosted on the internet which sends out and receives in only a secure encrypted way.

Any thoughts or insights would be very kindly received.

Paul

[deleted]

Sure, use SSL.

Anon

So you can have your host serve out pages using https://www.mysite.com but not allow pages https://www.mysite.com and this totaly secure ? any drawbacks ??

kind regards

paul

Anon

sorrythat should be..

So you can have your host serve out pages using https://www.mysite.com but not allow pages http://www.mysite.com and this totaly secure ? any drawbacks ??

kind regards

paul

[deleted]

Yes that is possible.

But, that only encrypts the data during transport, ie: nobody can 'eavesdrop' on your data. This does NOT protect you in any way against hackers.

Drawbacks are that only SSL capable clients can connect (most popular browsers) and your server gets a higher load because everything must be encryted before sending.

edwardsbc

There is some overhead involved in doing the encryption, but on most computers this is trivial. Of course, the client's browser needs to support SSL.

SSL encrypts the contents of the HTTP stream and well behaved proxies and caches will not cache a https:// page. (Even if they do, the page would still have to be decrypted, a non-trivial task with 128 bit encryption; easier with 56 or 40 bit.)

If you really have important, confidential information, you should get a trusted third party certificate so users would know right away if your site was being spoofed. (You can generate your own certificate and still utilize ssl, but so could an interloper pretending to be your site.)

Similarly, if you only want certain client to access your cite, make them get certificates and instruct your web server only to serve web pages to clients with authorized certificates.

Anon

Thankyou vincent and craig for you informative replies.Just a couple of follow up questions..

What versions of IE an NS support SSL ?

Does the process of encrypting the data server side and then decrypting this data client side slow down the download time overall in a significant way ?

can you quantify it ?

Kind regards

Paul

Anon

What I did not mention Vincent is that the purpose of this exercise is a temporary one.

We are putting our server up next week and as such are setting the whole thing secure using .htaccess for our eyes only and the purpose of the SSL is to make the data stream secure whilst we are logged in and live testing.

Does this sound logical? and do you think this is a good enough way to prevent being hacked (we also have a 16 network card firewall at the ISP)

Thanks
Paul

[deleted]

Like I posted before, using SSL does not protect you against hackers at all, it only prevents people from eavesdropping. They can still try to connect and the server will still answer their requests.

If you want to make the server 'your eyes only' you should just use one .htaccess in the documentroot. That way only people who know the password can login.

Yu can also tell the server to listen only to request that come from a predefined set of IP numbers, but that is very close to paranoia, no website is that important.

Anon

Hello folks

How do i prevent my secure server from serving out http and instead only https.

I suppose if i hard code https everywhere into the code that i have written ,all relative links will be relative to a https, but what if a user trys their look and types http://www.mysite.com
instead of https://www.mysite.com.

Does the the host server need to be configured to prevent unsecure transmissions on http://

Any Thoughts or insights would be kindly received.

Paul

[deleted]

HTTP and HTTPS are two seperate servers.
The HTTP server listens on port 80, the HTTPS listens on a different port. The server that listens on the HTTPS port will only serve secure page, and nothing else.

So it is quite impossible to type HTTP, get to the HTTPS server, and get a non-encrypted page.

rfrid

It sounds like you're trying to encrypt authentication and not your data itself. Is this correct?

If that is the case then you haven't stated the platform you are using (NT or Unix).

If its NT then you can simply activate "Integrated Windows Authentication" under the virtual directory properties/Directory Security/Anonymous Access and Authentication Control.

*****Make sure to deactivate "Anonymous" and "Basic" when you do this.

This will ensure your authentication utilizes Base64 encoded NTLM authentication (which I won't get into here) when users log on. Nobody can hack you site (except guess user names and passwords like any site) and your authentication sequence will be encrypted.

[deleted]

"Nobody can hack you site"

Wasn't IIS declared to be the most crap webserver out there because of the contining stream of patches for serious security flaws?

"This will ensure your authentication utilizes Base64 encoded NTLM authentication"

and that is probably one of the reasons why it was declared insecure :-)

edwardsbc

All the "modern" browsers support SSL. You should research it yourself, but I think NS 3+ and IE 4+ support it fine.

I have never quantified the overhead associated with encrypting the datastream. None of my servers are busy enough to warrant even trying to measure it. Remember, encryption is CPU intensive and most webservers are bound by I/O. If the web server is near CPU limits already for some reason, then SSL could impact it's performance.