Http to Https Secure Transmission?

2003-03-26 Thread Sean McCarthy
Hi,
We are about to roll out access to a Commerce 1 application server
through single sign-on from the intranet.  Will an SSL cert need to be on
both ends to make the connection secure (the form submitting the Login/Pass
and the C1 server)?  I have received varying answers on this subject.
Verisign says yes definitely.  But then I look at sites like this:

http://online.firstusa.com/bolHome.aspx?partner=fusacorp

and the login page is non-SSL submitting to an SSL page?  Is this information
sent in the clear? I assume so? Unless it is being encrypted before being
sent?

thanks for your input

sean

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4



RE: Http to Https Secure Transmission?

2003-03-26 Thread Barney Boisvert
If you only need to secure their username/password, you only need SSL on the
receiving server.  However, that won't give the user a lock icon on the
signin form, because the form isn't secure, only the data submitted from the
form.

If you submit to an SSL encrypted URL, the first thing the browser does
(well, after DNS and such) is create a secure connection, then it passes the
form data, then it receives the resulting page.  Whether the page that is
doing the submission is encrypted is completely irrelevant.  If the previous
page had to be encrypted to start an encrypted session, then there would be
a Catch-22 preventing you from ever getting into an encrypted session, which
is obviously not the case, as SSL is used all over the place.

You have to weigh user experience as well.  Will they be comfortable without
that lock icon on the signin form?  Most users don't understand that the
submission is secure if the destination is secure, they just think if the
form has a lock, it's secure.

HTH,
barneyb

---
Barney Boisvert, Senior Development Engineer
AudienceCentral (formerly PIER System, Inc.)
[EMAIL PROTECTED]
voice : 360.671.8708 x12
fax   : 360.647.5351

www.audiencecentral.com

 -Original Message-
 From: Sean McCarthy [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 26, 2003 11:09 AM
 To: CF-Talk
 Subject: Http to Https Secure Transmission?


 Hi,
   We are about to roll out access to a Commerce 1 application server
 through single sign-on from the intranet.  Will an SSL cert need to be on
 both ends to make the connection secure (the form submitting the Login/Pass
 and the C1 server)?  I have received varying answers on this subject.
 Verisign says yes definitely.  But then I look at sites like this:

 http://online.firstusa.com/bolHome.aspx?partner=fusacorp

 and the login page is non-SSL submitting to an SSL page?  Is this
 information
 sent in the clear? I assume so? Unless it is being encrypted before being
 sent?

 thanks for your input

 sean

 



RE: Http to Https Secure Transmission?

2003-03-26 Thread Matt Robertson
Listen to what Barney said.  Verisign is in the business of selling
certificates and they BS'd you, from the sound of it.

As was pointed out, a form without the little lock on it is not secure
insofar as a user is concerned.  They'd have to do a View Source to see
the secure form post addr, which very few will do of course.


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com






RE: Http to Https Secure Transmission?

2003-03-26 Thread Sean McCarthy
Thanks guys.  We are sending the l/p from a db call behind the scenes so the
lack of the lock is not too much of a concern I just wanted to avoid having
to put a cert on my site...

sean

-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 2:37 PM
To: CF-Talk
Subject: RE: Http to Https Secure Transmission?


Listen to what Barney said.  Verisign is in the business of selling
certificates and they BS'd you, from the sound of it.

As was pointed out, a form without the little lock on it is not secure
insofar as a user is concerned.  They'd have to do a View Source to see
the secure form post addr, which very few will do of course.


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com


