[thelist] Secure Site Expiration

Belinda Johnson belinda at prodsol.net
Mon May 6 15:47:01 CDT 2002

Well, as expected, I didn't make any friends at BuySharpSigns yesterday. As
that was never the intended result, I'm still flinching from the response
from their technical people. Again, for those of you who are more
knowledgeable than I in ASP sessions and SSL, please read the response I got
and just let me know if it is on track. Thanks again.

>From their company:

There are several misconceptions about server security that are either
misunderstood or someone is pulling someone's leg.

Here's how it works...

First, a server certificate creates a circular authentication.  The web site
is requested by a browser.  Next, the browser determines if a certificate
exists.  Note that it does not have to be a verisign certificate, it can be
a certificate that is self generated by the site.
Once the browser determines that a certificate exists, the authority for
that certificate is contacted to see if the certificate is valid. In the
case of verisign, their database is contacted to determine if the
certificate is in fact assigned to that specific IP address AND that
specific web address (URL).  If it is valid then the rest of the processing
is completed.  NOTE that nothing here encrypts or does anything with the

Now, encrypted data is a function of the web server software, like apache or
IIS from Microsoft.  How it is encrypted can take many forms but the most
common is to use HTTPS as the protocol.  This is NOT the only way encryption
takes place.  As a matter of fact, it is the very LEAST secure of all the

Ok, to  your site and how it works.  When a customer goes to the Country
Bunny site and logs in, they are in HTTPS within the Country Bunny site.
They then navigate to the Business Center and select the banners link on the
left menu.  This takes them to the Sharp Signs web site which uses HTTP as
the protocol.  Note that the Sharp Signs web site and database is protected
behind several fire walls which prevent hacking.  Using Microsoft's ASP
protocol, data is collected and sent back to the "secure server" at Country

A little about ASP.  ASP uses a technology called "sessions".  Sessions
cannot be duplicated by a hacker.  Sessions are a combination of the server
address, the time of day, the browsers id and several other indicators that
are ONLY available for the moment in time that the screen is created.  The
data and the screen do NOT exist either on the server OR on the browser
other than in the browsers temporary memory.  ASP is a complex protocol and
paired with "sessions" is very secure.

Ok, why do people think that it is not secure?  Because verisign has led
people to this conclusion.  If you read the paragraph about server
certificates you'll see that the certificate, in  reality, has nothing to do
with the security of a credit card number or any other data.  If only
verifies that the server the user is connected to has a verifiable

You and I had spoken last week about purchasing a site certificate for the
Sharp Signs web site to give a sense of confidence to the customer that
their data is secure.  We are in the process of doing this but, Verisign
still needs to contact you regarding the authenticity of the information
within your incorporation document that was faxed to us.

As soon as they verify this, and generate the corresponding certificate key,
we will install it and make the changes to the site to use HTTPS as the

Again, I'm not sure what the people below are talking about but, the above
information is how site security works.  I would be more than happy to
conduct a class for the "major techies" on how this all works.  SMS seems to
think I know what I'm talking about, after all, I teach the e-commerce /
e-business class there.


More information about the thelist mailing list