[thelist] Secure Site Expiration

Liam Delahunty ldelahunty at britstream.com
Tue May 7 09:19:01 CDT 2002

Belinda Johnson wrote:

> Well, as expected, I didn't make any friends at BuySharpSigns yesterday.

Firstly, do you really need to do business with them? Perhaps it's just my
interpretation of their email, but I find it rather rude and quite frankly
I'd walk away.

> [ ... removed lots of stupidity from "them" ... ]

Depending on how they've treated you personally I would consider letting
their bank know that don't use SSL as they don't consider the industry
standard data encryption methodology good enough. Worse still rather than
use something else they use nothing and between the browser and server and
respond to questions with FUD or as you Americans might say, BS.

SSL is a protocol. It is used with server software and ensures that all
communications between the browser and the server are encrypted. So
information such as your credit card number can't be seen in transit.

You don't need a verisign certificate to encrypt your data. One buys a
certificate to help prove who you are, in itself it is not an encryption
mechanism, but it helps to prove to others who you are . The seller of the
certificate is a trusted third party (Verisign/thawte /whomever) they should
make some checks on your domain, and on the company that own the domain.
This is so anyone visiting the site can be reasonably sure you are who you
say you are. When I bought a cert for my domain I had to send copies of
various documents proving that I owned my company. IIRC I had to show my
birth certificate, which is cool 'cos it's in Welsh!

Anyway, see here https://www.eurodrama.com/ you should get a dialogue box
warning about the cert as it hasn't been authenticated by a trusted third
party. I generated my own cert. The data will still be encrypted, but you
don't really know who I am. (Because a trusted third party doesn't know me.)

Now see https://secure.britstream.com no warning, because that cert has been
trusted. In fact I use this cert/server for most of my client that doesn't
have their own IP and don't really require their own cert/ip

With their system when I complete a form the data will be sent from my
browser to their server in plain text. It really doesn't matter that they
firewall their own server, anybody with sniffing tools pointed at their
domain/IP can "overhear" all the plain text conversation between browser and
server, and because of this thread someone right now is doing just that.

In fact, even if it was encrypted they could still over hear it, but seeing
as it looks like this:
qMnpH+RAAW/LHkUFnRZ6xAWy3c5xWVL3WchQ11vnTB2BkihjFSZvLd/RiC63vHMJ even if
it's sniffed it means nothing to the snooper.

Sessions are just a method of keeping concurrent user-actions separate.
Nothing more clever than that. Certainly they have no real impact on the
security of the server.

While they don't _need_ a Verign/thawte certificate, they do need SSL.

Kind regards,
Liam Delahunty
Mega Products Limited, 10-11 Moor Street, London W1D 5NF
t: 020 7434 4201/2 f: 0870 135 8412 m: 07941 589 061
http://www.liamdelahunty.com/ web/ design/ database/ programming
http://www.britstream.com/ Hosting/ Domain Names From UKP 7.50 p.a.

More information about the thelist mailing list