>> Does the SSL certificate generate a hash of the data on the client, then 
>> generate another hash on the server and notify me if the data was tampered 
>> with?
>
>No....it encrypts it so if someone catches it mid-transmission they would
>still have to decrypt it...which would take a bloody long time without a
>Cray II supercomputer ;-) ...and of course decrypts it once received.
>
>A hash cannot be undone...one-way only
>
>You're confusing hash validation....stop using Bit Torrent ;-)
>
>Cheers
>
>Bryan Stevenson B.Comm.
>VP & Director of E-Commerce Development
>Electric Edge Systems Group Inc.

Thanks for the info. I realize that a hash is one way; it can be used for data 
integrity checks and hiding a password in a DB. I took an on-line application 
security course from a DOD web site about a week ago and I was trying to figure 
out how to actually apply what they explained. Basically what I understood was 
there are five security checks that should be performed with concern to web 
application security: 1. Identification and Authentication, 2. Access Control, 
3. Data Confidentiality, 4. Data Integrity and 5. Nonrepudiation. I started 
looking into data integrity, because according to the course, SSL is used for 
confidentiality, not Data Integrity, and one should never be used as a 
substitute for the other. And as I started digging, I discovered that the CF 
hash and encrypt functions are great, but they cannot be used because they 
execute on the server; they can be used for storing the data once the data has 
arrived, I know. I now realize that if I want to follow good security practice 
I need to come up with a way to hash the data on the web site before it is 
transmitted so I can check the hash when it gets to the server, to ensure the 
integrity of the data. I guess I also need to get a better understanding of 
SSL, maybe some modes of SSL will do that, and I just need to make sure I 
purchase a certificate that does hash checking along with encryption.
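
An added illustration of the client-side hashing idea in the message above (not part of the original thread, and Python rather than ColdFusion): it compares an unkeyed SHA-256 sent alongside a form post with a keyed HMAC, which is the kind of per-record integrity check SSL/TLS applies using keys agreed during the handshake. The sample body, key and all function names are constructed for the example.

```python
import hashlib
import hmac

def plain_digest(body: bytes) -> str:
    """Unkeyed SHA-256, as a page script could compute before submitting."""
    return hashlib.sha256(body).hexdigest()

def server_accepts_plain(body: bytes, digest: str) -> bool:
    """Server-side check of an unkeyed hash that arrived with the body."""
    return hmac.compare_digest(plain_digest(body), digest)

def mac_tag(key: bytes, body: bytes) -> str:
    """Keyed HMAC-SHA-256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def server_accepts_mac(key: bytes, body: bytes, tag: str) -> bool:
    """Server-side check of a keyed tag, compared in constant time."""
    return hmac.compare_digest(mac_tag(key, body), tag)

def changed_in_transit(body: bytes) -> bytes:
    """Stand-in for a modification between client and server (constructed)."""
    return body.replace(b"amount=10", b"amount=9999")

def demo() -> dict:
    key = b"constructed-demo-key"        # assumption: known to both endpoints only
    body = b"account=1234&amount=10"     # constructed sample form post
    changed = changed_in_transit(body)
    return {
        # Body changed, old hash left in place: the mismatch is caught.
        "plain_stale_hash": server_accepts_plain(changed, plain_digest(body)),
        # Body changed and hash recomputed over it: the unkeyed check passes,
        # because anyone who can alter the body can also redo the hash.
        "plain_recomputed_hash": server_accepts_plain(changed, plain_digest(changed)),
        # Keyed tag: without the key neither the old tag nor an unkeyed
        # hash of the changed body verifies.
        "mac_stale_tag": server_accepts_mac(key, changed, mac_tag(key, body)),
        "mac_unkeyed_substitute": server_accepts_mac(key, changed, plain_digest(changed)),
        # Untouched body with its own tag verifies.
        "mac_untouched": server_accepts_mac(key, body, mac_tag(key, body)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} accepted={accepted}")
```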
