Re: SSL certificate problem with 3rd party

[Wil Genovese]

I was helping Jason with this a bit before he posted here, but didn’t have time 
to do full tests. 

I have run into this situation before and that time it ‘automagically’ started 
working the next day with an unaltered keystore. Arg!

So this issue:

I have a Win 7 VM with CF8.0.1 fully patched and CF10 fully patched.  Both 
jvm.config files are edited to use the exact same JVM at "c:\program 
files\jdk1.6.0_45\jre” and the exact same keystore cacerts file. This cacerts 
is the one that came with jdk 1.6.0_45.  BEFORE importing the Comodo cert 
CF8.0.1 CFHTTP fails with with error “I/O Exception: Name in certificate 
`internetsecure.com' does not match host name `test.internetsecure.com’”.  CF10 
is successful.  Next I imported the cert 
“COMODOHigh-AssuranceSecureServerCA.crt” from Comodo and restarted CF8.0.1. 
After the restart I still get the same error message on CF8.0.1 and after 
restarting CF10 it still works. 

I’ve pulled my hair out before on this without luck other than in one case an 
SSL cert automagically started working. 

I have in the past looked for any documentation that Adobe updated CFHTTP 
between CF8 and CF10 I have not found anything yet. However, something must 
have changed to allow certs with Subject Alternate Names. 


Regards,



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Jan 16, 2014, at 4:38 PM, Byron Mann  wrote:

> 
> Apologies, Justin is correct. I tested this on one of our CF 8 servers and
> the host file/IP manipulation worked as stated.
> 
> I'm so used to dealing with the * certificate issue, I wasn't aware this
> wasn't the case for the new certificates with the multiple names.
> 
> FYI, I tried things out on CF 10, and it appears to accept these types of
> certificates without issue.
> 
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
> 
> 
> On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott wrote:
> 
>> 
>>> You will need to import the  star (*) certificate into the keystore for
>> the
>>> java instance ColdFusion is running upon.
>>> 
>>> Basically ColdFusion doesn't like to speak to *.domain.com certificates
>> (I
>>> think CF10 doesn't mind so much), as it is not an exact match to the URL
>> it
>>> is attempting to access.
>> 
>> In this case it's not a wildcard certificate, it's a standard cert
>> using the "subject alternative names" extension which isn't supported
>> on Java 6.  Importing the certificate into the Java keystore won't
>> help in this case because the primary name on the certificate doesn't
>> match the hostname being called.  Java will only check against the
>> primary hostname and not the "alternative names" listed in the
>> certificate.  Calling the primary hostname on the certificate and
>> using a hosts entry to override the DNS entry to direct it to the
>> right IP is the only workaround in this instance.
>> 
>> 
>> -Justin Scott
>> 
>> 
> 
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357470
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Wil Genovese]

Simply stating it works on ColdFusion 10 is meaningless. ColdFusion 10 installs 
with Java 1.6 by default. So unless you’ve patched CF10 and explicitly 
installed Java 1.7 and edited your jvm.config to use Java 1.7 you are still on 
Java 1.6.





Wil Genovese 
Owner / Sr Web Application Developer / Systems Administrator
Trunkful Technologies, inc.
729 Dodd Road Saint Paul, MN 55107 | m: 651-894-4238 | skype: wilgeno
wilg...@trunkful.com | http://www.trunkful.com






On Jan 16, 2014, at 4:38 PM, Byron Mann  wrote:

> 
> Apologies, Justin is correct. I tested this on one of our CF 8 servers and
> the host file/IP manipulation worked as stated.
> 
> I'm so used to dealing with the * certificate issue, I wasn't aware this
> wasn't the case for the new certificates with the multiple names.
> 
> FYI, I tried things out on CF 10, and it appears to accept these types of
> certificates without issue.
> 
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
> 
> 
> On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott wrote:
> 
>> 
>>> You will need to import the  star (*) certificate into the keystore for
>> the
>>> java instance ColdFusion is running upon.
>>> 
>>> Basically ColdFusion doesn't like to speak to *.domain.com certificates
>> (I
>>> think CF10 doesn't mind so much), as it is not an exact match to the URL
>> it
>>> is attempting to access.
>> 
>> In this case it's not a wildcard certificate, it's a standard cert
>> using the "subject alternative names" extension which isn't supported
>> on Java 6.  Importing the certificate into the Java keystore won't
>> help in this case because the primary name on the certificate doesn't
>> match the hostname being called.  Java will only check against the
>> primary hostname and not the "alternative names" listed in the
>> certificate.  Calling the primary hostname on the certificate and
>> using a hosts entry to override the DNS entry to direct it to the
>> right IP is the only workaround in this instance.
>> 
>> 
>> -Justin Scott
>> 
>> 
> 
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357469
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Justin Scott]

> FYI, I tried things out on CF 10, and it appears to accept these types of
> certificates without issue.

What's the JVM version you're using on that installation?


-Justin

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357468
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Byron Mann]

Apologies, Justin is correct. I tested this on one of our CF 8 servers and
the host file/IP manipulation worked as stated.

I'm so used to dealing with the * certificate issue, I wasn't aware this
wasn't the case for the new certificates with the multiple names.

FYI, I tried things out on CF 10, and it appears to accept these types of
certificates without issue.

Byron Mann
Lead Engineer & Architect
HostMySite.com


On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott wrote:

>
> > You will need to import the  star (*) certificate into the keystore for
> the
> > java instance ColdFusion is running upon.
> >
> > Basically ColdFusion doesn't like to speak to *.domain.com certificates
>  (I
> > think CF10 doesn't mind so much), as it is not an exact match to the URL
> it
> > is attempting to access.
>
> In this case it's not a wildcard certificate, it's a standard cert
> using the "subject alternative names" extension which isn't supported
> on Java 6.  Importing the certificate into the Java keystore won't
> help in this case because the primary name on the certificate doesn't
> match the hostname being called.  Java will only check against the
> primary hostname and not the "alternative names" listed in the
> certificate.  Calling the primary hostname on the certificate and
> using a hosts entry to override the DNS entry to direct it to the
> right IP is the only workaround in this instance.
>
>
> -Justin Scott
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357467
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Justin Scott]

> You will need to import the  star (*) certificate into the keystore for the
> java instance ColdFusion is running upon.
>
> Basically ColdFusion doesn't like to speak to *.domain.com certificates  (I
> think CF10 doesn't mind so much), as it is not an exact match to the URL it
> is attempting to access.

In this case it's not a wildcard certificate, it's a standard cert
using the "subject alternative names" extension which isn't supported
on Java 6.  Importing the certificate into the Java keystore won't
help in this case because the primary name on the certificate doesn't
match the hostname being called.  Java will only check against the
primary hostname and not the "alternative names" listed in the
certificate.  Calling the primary hostname on the certificate and
using a hosts entry to override the DNS entry to direct it to the
right IP is the only workaround in this instance.


-Justin Scott

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357465
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Byron Mann]

You will need to import the  star (*) certificate into the keystore for the
java instance ColdFusion is running upon.

Basically ColdFusion doesn't like to speak to *.domain.com certificates  (I
think CF10 doesn't mind so much), as it is not an exact match to the URL it
is attempting to access.

test.internetsecure.com != *.internetsecure.com as CF 8 sees it.

https://www.google.com/#q=coldfusion+import+ssl+certificate is a start as
to importing the certificate to the CF java instance.

To grab the certificate, use a web browser to go to the URL (
https://test.internetsecure.com).  Click on the SSL lock icon on the
browser.  Then there is usually an option to export/save the certificate.
Save that to a file.  Then use the keytool command line tool to import the
certificate file to your ColdFusion java instance.

The command would be something like this.

> keytool -import -v -trustcacerts -alias *.internetsecure.com -cert -file
c:\someServerCertFile.cer -keystore
c:\ColdFusion8\runtime\jre\lib\security\cacerts -storepass changeit



You will need to restart CF after that.



Byron Mann
Lead Engineer & Architect
HostMySite.com


On Thu, Jan 16, 2014 at 3:05 PM, Jason Durham  wrote:

>
> A payment processor changed one of their certificates which is causing CF
> to throw an exception when we try to connect via CFHTTP using SSL.
>
> The error message is: *I/O Exception: Name in certificate
> `internetsecure.com ' does not match host name
> `test.internetsecure.com '*
>
> You can view the certificate by navigating to
> https://test.internetsecure.com.  My browser doesn't seem to have problems
> with this cert, and I see a SAN that indicates this certificate should be
> valid for test.internetsecure.com.
>
> I've tried importing this cert into the keystore but received the same
> error.
>
> Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
> certificate?
>
> Jason Durham
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357464
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Justin Scott]

> Can anyone provide assistance as to why CF 8.0.1 isn't happy
> with this certificate?

It sounds like they're using a certificate with multiple embedded
hostnames (known as alternative names) which is not supported by Java
6.  Importing the cert into the java cert cache won't help.  You will
need to have your CFHTTP call use the hostname that is specified as
their primary hostname in the certificate (internetsecure.com in this
case).  To get it to talk to their test server, you'll need to add an
entry in the server's hosts file to override the DNS entry for
internetsecure.com to use the IP address for test.internetsecure.com
which is 216.98.33.4, so in your hosts:

216.98.33.4 internetsecure.com

This will allow your code to talk to the appropriate server (test
server) using the hostname of the primary hostname in the certificate.
 Once you're in production it shouldn't be an issue unless their
production URL uses a different hostname than internetsecure.com.

We have to do this in production to get CF to talk to the E4 Global
Gateway from First Data as their certificate uses alternative names
and creates the same problem.  The other "gotcha" is that if you do
have to override their DNS entry in the hosts file you'll also need to
monitor their DNS entry for changes so you can update your hosts file
accordingly if they move something.  Loads of fun.


-Justin

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357459
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[John M Bliss]

I dealt with this same problem. In my case, solution was to edit hosts file
on server(s) so that internetsecure.com and test.internetsecure.com both
have the same IP and then, in your cfhttp, use the name that matches the
cert.


On Thu, Jan 16, 2014 at 3:05 PM, Jason Durham  wrote:

>
> A payment processor changed one of their certificates which is causing CF
> to throw an exception when we try to connect via CFHTTP using SSL.
>
> The error message is: *I/O Exception: Name in certificate
> `internetsecure.com ' does not match host name
> `test.internetsecure.com '*
>
> You can view the certificate by navigating to
> https://test.internetsecure.com.  My browser doesn't seem to have problems
> with this cert, and I see a SAN that indicates this certificate should be
> valid for test.internetsecure.com.
>
> I've tried importing this cert into the keystore but received the same
> error.
>
> Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
> certificate?
>
> Jason Durham
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357457
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Jon Clausen]

Is it a 2048 bit cert?  I seem to remember CF8 needing a patch to handle those.

Jon


On Jan 16, 2014, at 3:05 PM, Jason Durham  wrote:

> 
> A payment processor changed one of their certificates which is causing CF
> to throw an exception when we try to connect via CFHTTP using SSL.
> 
> The error message is: *I/O Exception: Name in certificate
> `internetsecure.com ' does not match host name
> `test.internetsecure.com '*
> 
> You can view the certificate by navigating to
> https://test.internetsecure.com.  My browser doesn't seem to have problems
> with this cert, and I see a SAN that indicates this certificate should be
> valid for test.internetsecure.com.
> 
> I've tried importing this cert into the keystore but received the same
> error.
> 
> Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
> certificate?
> 
> Jason Durham
> 
> 
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357456
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL certificate problem with 3rd party

[Jake Churchill]

If I remember correctly, the JVM keeps it's own cache of certificates.  I'd
search for the commands to remove a cert from the built-in java keystore.
 It's pretty simple using the keytool app but you might need to restart CF
to make it take.

-Jake


On Thu, Jan 16, 2014 at 2:05 PM, Jason Durham  wrote:

>
> A payment processor changed one of their certificates which is causing CF
> to throw an exception when we try to connect via CFHTTP using SSL.
>
> The error message is: *I/O Exception: Name in certificate
> `internetsecure.com ' does not match host name
> `test.internetsecure.com '*
>
> You can view the certificate by navigating to
> https://test.internetsecure.com.  My browser doesn't seem to have problems
> with this cert, and I see a SAN that indicates this certificate should be
> valid for test.internetsecure.com.
>
> I've tried importing this cert into the keystore but received the same
> error.
>
> Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
> certificate?
>
> Jason Durham
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357455
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL on CFquery

[Richard White]

Thanks Russ, ill take a look into this

>You don't, afaik ypu simply need the client cert in the java keystore.
>See this
>http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html
>
>There is a handu cfadmin extension on riaforge.org for managing your
>keystore.
>
>Regards
>Russ Michaels
>www.michaels.me.uk
>www.cfmldeveloper.com - Free CFML hosting for developers
>www.cfsearch.com - CF search engine
>On Apr 16, 2013 5:33 PM, "Richard White"  wrote:
>
>> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355509
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL on CFquery

[Russ Michaels]

You don't, afaik ypu simply need the client cert in the java keystore.
See this
http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

There is a handu cfadmin extension on riaforge.org for managing your
keystore.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 16, 2013 5:33 PM, "Richard White"  wrote:

>
> Hi,
>
> We have a further issue with this.
>
> The hosting company have installed the SSL certificate on the database and
> provided us with the details of where the certificate is stored. However,
> in the CF connection string it asks to provide the url of the certificate.
>
> I am confused about how to get this to work. How would i instruct
> coldfusion to use the certificate on the database server?
>
> Thanks,
> Richard
>
>
>
>
> > Hi,
> >
> > We have a windows server for our CF application and a Linux server for
> > our database. We are setting up a self-signed SSL between the two
> > servers.
> >
> > Our hosting company have said we need to reference the SSL in the
> > connection string but how can I do this in a cfquery?
> >
> > Many thanks
> > Richard
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355450
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL on CFquery

[Richard White]

Hi,

We have a further issue with this. 

The hosting company have installed the SSL certificate on the database and 
provided us with the details of where the certificate is stored. However, in 
the CF connection string it asks to provide the url of the certificate. 

I am confused about how to get this to work. How would i instruct coldfusion to 
use the certificate on the database server?

Thanks,
Richard




> Hi,
> 
> We have a windows server for our CF application and a Linux server for 
> our database. We are setting up a self-signed SSL between the two 
> servers.
> 
> Our hosting company have said we need to reference the SSL in the 
> connection string but how can I do this in a cfquery?
> 
> Many thanks
> Richard 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355442
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL on CFquery

[Richard White]

Perfect! Many thanks Russ :)

> Do the following to enable SSL connection:
> 
   
> 1.
> 
   
> In the ColdFusion Administrator, go to Data & Services > Data Sources.
> 
   
> 2.
> 
   
> Select the data source to enable SSL Connection.
   
> 3.
> 
   
> In the data source page, click Show Advanced Settings.
   
> 4.
> 
   
> In the Connection String text box, specify the connection properties 
> as
   
> per the SSL requirements.
> 
> 
   
> you can find detail son the connection properties here
> 
> 
   
> http://help.adobe.com/en_US/ColdFusion/9.
> 0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-8000.html
> 
> 
> 
> 
> 
> 
> On Tue, Apr 16, 2013 at 12:58 PM, Richard White  
> wrote:
> 
> >
> > Hi,
> >
> > We have a windows server for our CF application and a Linux server 
> for our
> > database. We are setting up a self-signed SSL between the two 
> servers.
> >
> > Our hosting company have said we need to reference the SSL in the
> > connection string but how can I do this in a cfquery?
> >
> > Many thanks
> > Richard
> >
> >
> > 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355426
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL on CFquery

[Russ Michaels]

Do the following to enable SSL connection:

   1.

   In the ColdFusion Administrator, go to Data & Services > Data Sources.
   2.

   Select the data source to enable SSL Connection.
   3.

   In the data source page, click Show Advanced Settings.
   4.

   In the Connection String text box, specify the connection properties as
   per the SSL requirements.


   you can find detail son the connection properties here


   
http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-8000.html






On Tue, Apr 16, 2013 at 12:58 PM, Richard White  wrote:

>
> Hi,
>
> We have a windows server for our CF application and a Linux server for our
> database. We are setting up a self-signed SSL between the two servers.
>
> Our hosting company have said we need to reference the SSL in the
> connection string but how can I do this in a cfquery?
>
> Many thanks
> Richard
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355425
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connections To Oracle

[Robert Nurse]

Thanks Russ. In looking at that document, for Oracle, it refers to two 
properties: "KeyStore=path to keystore; and TrustStore=path to keystore;".  On 
Linux, would these to paths point to the "cacerts" file in 
%CF_Install_Path%/runtime/jre/lib/security?


> Dont know if this applies to cf8 but
> http://help.adobe.com/en_US/ColdFusion/9.
> 0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7fff.html
> 
> Regards
> Russ Michaels
> On Jul 23, 2012 3:20 PM, "Robert Nurse"  wrote:
> 


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351952
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connections To Oracle

[Russ Michaels]

Dont know if this applies to cf8 but
http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7fff.html

Regards
Russ Michaels
On Jul 23, 2012 3:20 PM, "Robert Nurse"  wrote:

>
> Hello All,
>
> Has anyone ever configured CF8 (Linux) datasources that used SSL
> connections to Oracle? That mandate is coming to our shop. Can anyone point
> me to or provide documentation on this?
>
> Thanks.
>
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351945
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connection to Postgresql

[David Patricola]

> > Thank you for the direction!  My only question with this is that the 
> host box is creating this keystore, so how will it be moved to the 
> remote client
> > box?
> 
> The server and client will have separate keystores. You simply need 
> to
> use keytool to import the server's certificates into the client's
> keystore. In this case, the client is your CF server.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or 
onsite

Very much appreciated!

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342739
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connection to Postgresql

[Dave Watts]

> Thank you for the direction!  My only question with this is that the host box 
> is creating this keystore, so how will it be moved to the remote client
> box?

The server and client will have separate keystores. You simply need to
use keytool to import the server's certificates into the client's
keystore. In this case, the client is your CF server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342732
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connection to Postgresql

[David Patricola]

> > I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set 
> to accept SSL connections only.  I have the 3 root/cert files 
> necessary for
> > the handshaking to occur between host and client.  The datasource to 
> the box works fine when unencrypted: jdbc:postgresql://x.x.x.x/main 
> (with
> > ?ssl=true to be appended for encryption).
> >
> > My question is where do I put these files?  I am running CF8 
> Enterprise on Windows 2003. On my local machine I would have them in 
> the
> > %appdata%/postgresql folder but this is a production-level box that 
> access the internet.
> 
> You'll have to add the server cert to the client's Java keystore as
> described here:
> http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php
 

Thank you for the direction!  My only question with this is that the host box 
is creating this keystore, so how will it be moved or copied to the remote 
client box?

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342730
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connection to Postgresql

[David Patricola]

> > I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set 
> to accept SSL connections only.  I have the 3 root/cert files 
> necessary for
> > the handshaking to occur between host and client.  The datasource to 
> the box works fine when unencrypted: jdbc:postgresql://x.x.x.x/main 
> (with
> > ?ssl=true to be appended for encryption).
> >
> > My question is where do I put these files?  I am running CF8 
> Enterprise on Windows 2003. On my local machine I would have them in 
> the
> > %appdata%/postgresql folder but this is a production-level box that 
> access the internet.
> 
> You'll have to add the server cert to the client's Java keystore as
> described here:
> http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php
 

Thank you for the direction!  My only question with this is that the host box 
is creating this keystore, so how will it be moved to the remote client box?

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342729
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: SSL Connection to Postgresql

[Dave Watts]

> I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set to accept 
> SSL connections only.  I have the 3 root/cert files necessary for
> the handshaking to occur between host and client.  The datasource to the box 
> works fine when unencrypted: jdbc:postgresql://x.x.x.x/main (with
> ?ssl=true to be appended for encryption).
>
> My question is where do I put these files?  I am running CF8 Enterprise on 
> Windows 2003. On my local machine I would have them in the
> %appdata%/postgresql folder but this is a production-level box that access 
> the internet.

You'll have to add the server cert to the client's Java keystore as
described here:
http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsi

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342728
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: ssl

[Mahcsig]

If you are using IIS, this page got me going.
http://eduncan911.com/blog/getting-godaddy-ssls-working-in-firefox-on-iis.aspx

~Mahcsig



On Fri, Oct 2, 2009 at 2:39 PM, denstar  wrote:

>
> Maybe you need to install the "intermediate" certificate?  Usually the
> cert provider gives it to you with the cert.  In apache httpd.conf it
> goes in like this:
>
> SSLCertificateFile "/path/to/your.crt"
> SSLCertificateKeyFile "/path/to/your.key"
> SSLCertificateChainFile "/path/to/your/chainFile.crt"
>
> --
> It probably helps that my background is in the sciences and I can
> speak the scientists' language.
> David Chalmers
>
> On Fri, Oct 2, 2009 at 1:46 PM, Chad Gray wrote:
> >
> > Thanks Dave, it ends up FireFox is not compatible with this GoDaddy class
> 2 certificate for some reason.
> >
> > I guess firefox does not have the CA chain in it.
> >
> > Thanks for the help!
>
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326899
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: ssl

[denstar]

Maybe you need to install the "intermediate" certificate?  Usually the
cert provider gives it to you with the cert.  In apache httpd.conf it
goes in like this:

SSLCertificateFile "/path/to/your.crt"
SSLCertificateKeyFile "/path/to/your.key"
SSLCertificateChainFile "/path/to/your/chainFile.crt"

-- 
It probably helps that my background is in the sciences and I can
speak the scientists' language.
David Chalmers

On Fri, Oct 2, 2009 at 1:46 PM, Chad Gray wrote:
>
> Thanks Dave, it ends up FireFox is not compatible with this GoDaddy class 2 
> certificate for some reason.
>
> I guess firefox does not have the CA chain in it.
>
> Thanks for the help!

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326867
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: ssl

[Chad Gray]

Thanks Dave, it ends up FireFox is not compatible with this GoDaddy class 2 
certificate for some reason.

I guess firefox does not have the CA chain in it.

Thanks for the help!



> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 3:44 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> I think that simply translates what the user typed.  If they typed in the
> www, then it will be part of it.  If not, it won't. The CGI doesn't look
> into your web server to see what your actual domain name is.  Do this:
> 
> 
> 
> This will give you all the CGI variables and you can figure out what your
> results actually are with different attempts.
> 
> Dave
> 



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326860
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: ssl

[Dave Phillips]

But you said the cert works fine in firefox when you go the
https://www.beeculture.com, right?  That's why I think Firefox is trying to
recognize the server side redirect and thinks it might be a hacking attempt.
Microsoft probably would never be so thoughtful to put that into IE. ;-)

On the other hand, if that is the case, then it's a headache for you and you
may have to put some firefox specific code into place (i.e. the client-side
redirect, only if it's firefox).  

Dump the CGI scope, I think you'll find everything you need there to
accomplish what you need...

Dave

-Original Message-
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 2:35 PM
To: cf-talk
Subject: RE: ssl


OH.. hang on it only errors in firefox.  I tried IE and the certificate and
my original code work fine (after I remove the www.)  CGI.ServerName does
include www. (DUH!).

Now I just have to figure out why the SSL cert does not work in FireFox.  



> -Original Message-
> From: Chad Gray [mailto:cg...@careyweb.com]
> Sent: Friday, October 02, 2009 3:30 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> I tried this code and it takes me to http://www.www.beeculture.com/
> 
> www. Should not be part of CGI.ServerName right?
> 
> 
> 
> > -Original Message-
> > From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> > Sent: Friday, October 02, 2009 3:16 PM
> > To: cf-talk
> > Subject: RE: ssl
> >
> >
> > How about a client side redirect?
> >
> > 
> > 
> > window.location =
> >
> '<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</a><
> > /c
> > foutput>';
> > 
> > 
> > 

RE: ssl

[Dave Phillips]

I think that simply translates what the user typed.  If they typed in the
www, then it will be part of it.  If not, it won't. The CGI doesn't look
into your web server to see what your actual domain name is.  Do this:



This will give you all the CGI variables and you can figure out what your
results actually are with different attempts.

Dave

-Original Message-
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 2:30 PM
To: cf-talk
Subject: RE: ssl


I tried this code and it takes me to http://www.www.beeculture.com/

www. Should not be part of CGI.ServerName right?



> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 3:16 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> How about a client side redirect?
> 
> 
>   
>   window.location =
> '<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</a><
> /c
> foutput>';
>   
>   
>   

RE: ssl

[Chad Gray]

OH.. hang on it only errors in firefox.  I tried IE and the certificate and my 
original code work fine (after I remove the www.)  CGI.ServerName does include 
www. (DUH!).

Now I just have to figure out why the SSL cert does not work in FireFox.  



> -Original Message-
> From: Chad Gray [mailto:cg...@careyweb.com]
> Sent: Friday, October 02, 2009 3:30 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> I tried this code and it takes me to http://www.www.beeculture.com/
> 
> www. Should not be part of CGI.ServerName right?
> 
> 
> 
> > -Original Message-
> > From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> > Sent: Friday, October 02, 2009 3:16 PM
> > To: cf-talk
> > Subject: RE: ssl
> >
> >
> > How about a client side redirect?
> >
> > 
> > 
> > window.location =
> >
> '<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</a><
> > /c
> > foutput>';
> > 
> > 
> > 

RE: ssl

[Chad Gray]

I tried this code and it takes me to http://www.www.beeculture.com/

www. Should not be part of CGI.ServerName right?



> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 3:16 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> How about a client side redirect?
> 
> 
>   
>   window.location =
> '<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</a><
> /c
> foutput>';
>   
>   
>   

Re: ssl

[Dave Watts]

> I have some code in application.cfm that is supposed to re-direct the user to 
> a non-ssl version of the page.
>
> 
> 
>        
>                 url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#"; 
> addtoken="no">
>        
>                http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#"; 
> addtoken="no">
>        
> 
>
>
> I get this error in Firefox when I try to use it:
>
> Secure Connection Failed
> invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
>
> (Error code: sec_error_unknown_issuer)
>
>   * This could be a problem with the server's configuration, or it could be 
> someone trying to impersonate the server.
>
>   * If you have connected to this server successfully in the past, the error 
> may be temporary, and you can try again later.
>
> Any ideas why this would happen?

Typically, this would indicate a self-signed or otherwise
untrustworthy certificate, but that's clearly not the problem as
you've made clear in your followup email. When you get this error,
have you accepted the certificate so that you can examine its
properties? Do you only get the error in Firefox? If you comment out
the block in question in Application.cfm, do you not get the error?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figl

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326853
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: ssl

[Robert Harrison]

If you just want to kick them out of https you can do that with Java script
on the appropriate pages.


  var loc = document.location.toString();
  var index = loc.indexOf(":");
  var url = loc.substring(index,loc.length);
  if (index == "5") 
  { 
 standardUrl = "http" + url;
 location.replace(standardUrl); // get rid of current page
in history
 location.href = standardUrl;
  }
   


Robert B. Harrison
Director of Interactive Services
Austin & Williams
125 Kennedy Drive, Suite 100 
Hauppauge NY 11788
P : 631.231.6600 Ext. 119 
F : 631.434.7022
http://www.austin-williams.com 

Great advertising can't be either/or.  It must be &.

Plug in to our blog: A&W Unplugged
http://www.austin-williams.com/unplugged



-Original Message-
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 3:06 PM
To: cf-talk
Subject: RE: ssl


I remove the code and hit the web site with ssl and it works fine.  I know
the certificate is good.

https://www.beeculture.com/

This one has me stumped.


> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 2:58 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> My guess is you don't have a valid security certificate on the server.  If
> you have any cert installed, Firefox is first going to get that cert info
> from the web server before your request ever gets to ColdFusion.  What you
> probably need to do is turn off the SSL on that site if you don't want
> people going to it.
> 
> If you want to accomplish the redirect below without a warning, you'll
> have
> to install a valid certificate.
> 
> Dave
> 
> -Original Message-
> From: Chad Gray [mailto:cg...@careyweb.com]
> Sent: Friday, October 02, 2009 1:43 PM
> To: cf-talk
> Subject: ssl
> 
> 
> I have some code in application.cfm that is supposed to re-direct the user
> to a non-ssl version of the page.
> 
> 
> 
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#";
> addtoken="no">
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#"; addtoken="no">
>   
> 
> 
> 
> I get this error in Firefox when I try to use it:
> 
> Secure Connection Failed
> invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> 
> (Error code: sec_error_unknown_issuer)
> 
>* This could be a problem with the server's configuration, or it could
> be
> someone trying to impersonate the server.
> 
>* If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
> 
> 
> Any ideas why this would happen?
> Thanks!
> Chad
> 
> 
> 
> 
> 



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326852
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: ssl

[Dave Phillips]

How about a client side redirect?



window.location =
'<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</a></c
foutput>';


window.location =
'<cfoutput><a  rel="nofollow" href="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#">http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#</a></cfoutput>';
   



Maybe Firefox is trying to protect a user from hitting an SSL page that has
been hijacked somehow

Dave
-Original Message-----
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 2:06 PM
To: cf-talk
Subject: RE: ssl


I remove the code and hit the web site with ssl and it works fine.  I know
the certificate is good.

https://www.beeculture.com/

This one has me stumped.


> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 2:58 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> My guess is you don't have a valid security certificate on the server.  If
> you have any cert installed, Firefox is first going to get that cert info
> from the web server before your request ever gets to ColdFusion.  What you
> probably need to do is turn off the SSL on that site if you don't want
> people going to it.
> 
> If you want to accomplish the redirect below without a warning, you'll
> have
> to install a valid certificate.
> 
> Dave
> 
> -Original Message-
> From: Chad Gray [mailto:cg...@careyweb.com]
> Sent: Friday, October 02, 2009 1:43 PM
> To: cf-talk
> Subject: ssl
> 
> 
> I have some code in application.cfm that is supposed to re-direct the user
> to a non-ssl version of the page.
> 
> 
> 
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#";
> addtoken="no">
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#"; addtoken="no">
>   
> 
> 
> 
> I get this error in Firefox when I try to use it:
> 
> Secure Connection Failed
> invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> 
> (Error code: sec_error_unknown_issuer)
> 
>* This could be a problem with the server's configuration, or it could
> be
> someone trying to impersonate the server.
> 
>* If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
> 
> 
> Any ideas why this would happen?
> Thanks!
> Chad
> 
> 
> 
> 
> 



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326851
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: ssl

[Chad Gray]

I remove the code and hit the web site with ssl and it works fine.  I know the 
certificate is good.

https://www.beeculture.com/

This one has me stumped.


> -Original Message-
> From: Dave Phillips [mailto:experiencedcfdevelo...@gmail.com]
> Sent: Friday, October 02, 2009 2:58 PM
> To: cf-talk
> Subject: RE: ssl
> 
> 
> My guess is you don't have a valid security certificate on the server.  If
> you have any cert installed, Firefox is first going to get that cert info
> from the web server before your request ever gets to ColdFusion.  What you
> probably need to do is turn off the SSL on that site if you don't want
> people going to it.
> 
> If you want to accomplish the redirect below without a warning, you'll
> have
> to install a valid certificate.
> 
> Dave
> 
> -Original Message-
> From: Chad Gray [mailto:cg...@careyweb.com]
> Sent: Friday, October 02, 2009 1:43 PM
> To: cf-talk
> Subject: ssl
> 
> 
> I have some code in application.cfm that is supposed to re-direct the user
> to a non-ssl version of the page.
> 
> 
> 
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#";
> addtoken="no">
>   
>url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#"; addtoken="no">
>   
> 
> 
> 
> I get this error in Firefox when I try to use it:
> 
> Secure Connection Failed
> invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> 
> (Error code: sec_error_unknown_issuer)
> 
>* This could be a problem with the server's configuration, or it could
> be
> someone trying to impersonate the server.
> 
>* If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
> 
> 
> Any ideas why this would happen?
> Thanks!
> Chad
> 
> 
> 
> 
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326850
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: ssl

[Dave Phillips]

My guess is you don't have a valid security certificate on the server.  If
you have any cert installed, Firefox is first going to get that cert info
from the web server before your request ever gets to ColdFusion.  What you
probably need to do is turn off the SSL on that site if you don't want
people going to it.

If you want to accomplish the redirect below without a warning, you'll have
to install a valid certificate.

Dave

-Original Message-
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 1:43 PM
To: cf-talk
Subject: ssl


I have some code in application.cfm that is supposed to re-direct the user
to a non-ssl version of the page.




http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#";
addtoken="no">

http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#"; addtoken="no">




I get this error in Firefox when I try to use it:

Secure Connection Failed
invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

   * This could be a problem with the server's configuration, or it could be
someone trying to impersonate the server.

   * If you have connected to this server successfully in the past, the
error may be temporary, and you can try again later.


Any ideas why this would happen?
Thanks!
Chad




~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326849
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL and https in ColdFusion

[Scott Stroz]

Sorry for the confusion...what I meant was that since AJAX requests
are just HTTP requests, they too should follow the same guidelines. I
believe if you are using SSL on the page, any AJAX calls form the CF
stuff should also use SSL.

On Tue, Sep 8, 2009 at 9:29 AM, Tom
Chiverton wrote:
>
> On Tuesday 08 Sep 2009, Scott Stroz wrote:
>> The bindings will call the onRequest in App.cfc as that is juts a
>> regular ole HTTP request.
>
> Are you saying even on HTTPS pages, CFAJAX calls go over HTTP, not HTTPS ?
>
> --
> Helping to preemptively generate synergistic infrastructures as part of the IT
> team of the year, '09 and '08
>
> 
>
> This email is sent for and on behalf of Halliwells LLP.
>
> Halliwells LLP is a limited liability partnership registered in England and 
> Wales under registered number OC307980 whose registered office address is at 
> Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list 
> of members is available for inspection at the registered office together with 
> a list of those non members who are referred to as partners.  We use the word 
> “partner” to refer to a member of the LLP, or an employee or consultant with 
> equivalent standing and qualifications. Regulated by the Solicitors 
> Regulation Authority.
>
> CONFIDENTIALITY
>
> This email is intended only for the use of the addressee named above and may 
> be confidential or legally privileged.  If you are not the addressee you must 
> not read it and must not use any information contained in nor copy it nor 
> inform any person other than Halliwells LLP or the addressee of its existence 
> or contents.  If you have received this email in error please delete it and 
> notify Halliwells LLP IT Department on 0870 365 2500.
>
> For more information about Halliwells LLP visit www.halliwells.co
>
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326089
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL and https in ColdFusion

[Scott Brady]

On Mon, Sep 7, 2009 at 4:52 PM, Richard
McKenna wrote:
>
> Also I take it any cfincludes will automatically be called over https as 
> these are done before the file is sent to the browser?
>

You've gotten replies for the other issues, so I"ll just handle the
cfinclude issue.  You pretty much answer it yourself, but to specify
-- cfincludes aren't handled either through http or https, because
they're server-side calls and aren't called by the browser (and, thus,
don't use any web protocol).

Scott

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326084
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL and https in ColdFusion

[Tom Chiverton]

On Tuesday 08 Sep 2009, Scott Stroz wrote:
> The bindings will call the onRequest in App.cfc as that is juts a
> regular ole HTTP request.

Are you saying even on HTTPS pages, CFAJAX calls go over HTTP, not HTTPS ?

-- 
Helping to preemptively generate synergistic infrastructures as part of the IT 
team of the year, '09 and '08



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list 
of members is available for inspection at the registered office together with a 
list of those non members who are referred to as partners.  We use the word 
“partner” to refer to a member of the LLP, or an employee or consultant with 
equivalent standing and qualifications. Regulated by the Solicitors Regulation 
Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326083
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL and https in ColdFusion

[Scott Stroz]

For images/css/js files, if you use a relative path, the browser will
automatically use the protocol for the current page, so if your page
is HTTPS and you use a relative path for an image, the image will be
loaded using HTTPS.

The bindings will call the onRequest in App.cfc as that is juts a
regular ole HTTP request.

On Mon, Sep 7, 2009 at 6:52 PM, Richard
McKenna wrote:
>
> Hi all,
>
> I'm using SSL in a site for the first time and wasn't sure how to reference 
> external files within my pages (images, css, javascript etc.)
>
> I'm forcing the pages to use SSL with the following code, which will be 
> placed in my Application.cfc in the onRequest method.
>
> 
>     https://#CGI.HTTP_HOST##CGI.PATH_INFO#?#QUERY_STRING#";>
> 
>
> Do i need to give the full path (https://www.domain.com/images/image.jpg) for 
> every reference to other files?
>
> Also I take it any cfincludes will automatically be called over https as 
> these are done before the file is sent to the browser?
>
> Last of all how would ajax calls with cfdiv work?
>
> 
>
> Will these call the onRequest from the Application.cfc?
>
> Kind regards,
>
> Richard
>
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326079
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL (HTTPS) Web Service

[Ian Skinner]

Casey Dougall wrote:
> I'm having the same issue here. Did these posts solve anything for ya Ian?

Solve, no.  The requirement went away.  So I just filed these links away 
for future reference for the next time I have to deal with this issue.



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;192386516;25150098;k

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306149
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL (HTTPS) Web Service

[Casey Dougall]

I'm having the same issue here. Did these posts solve anything for ya Ian?


On Thu, Mar 20, 2008 at 9:45 AM, Ian Skinner <[EMAIL PROTECTED]> wrote:

> Is there some trick to consuming a web service over HTTPS(SSL) in
> ColdFusion.  I keep getting a "
>
>
>  Cannot generate stub objects for web service invocation." error when I
>  try to do so.
>
>
>
>
>
>


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;192386516;25150098;k

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306147
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL (HTTPS) Web Service

[James Holmes]

http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool

http://www.coldfusionmuse.com/index.cfm/2005/01/29/keystore

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19139

On Thu, Mar 20, 2008 at 11:36 PM, Ian Skinner <[EMAIL PROTECTED]> wrote:
> James Holmes wrote:
>  > If the server certificate is self-signed, you might need to import the
>  > root Certificate Authority into your CF server keystore.
>
>  I was afraid somebody was going to say something like that.  Much of
>  that is Greek to me.  Any good step-by-step, fool-proof how to on just
>  how one would do this just to play with a web service in development?
>
>
>
>  

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301646
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL (HTTPS) Web Service

[Ian Skinner]

James Holmes wrote:
> If the server certificate is self-signed, you might need to import the
> root Certificate Authority into your CF server keystore.

I was afraid somebody was going to say something like that.  Much of 
that is Greek to me.  Any good step-by-step, fool-proof how to on just 
how one would do this just to play with a web service in development?



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301643
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL (HTTPS) Web Service

[James Holmes]

If the server certificate is self-signed, you might need to import the
root Certificate Authority into your CF server keystore.

On Thu, Mar 20, 2008 at 10:45 PM, Ian Skinner <[EMAIL PROTECTED]> wrote:
> Is there some trick to consuming a web service over HTTPS(SSL) in
>  ColdFusion.  I keep getting a "
>
>
>   Cannot generate stub objects for web service invocation." error when I
>   try to do so.
>
>
>
>
>
>  

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301640
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Rick Faircloth]

Oh, come on James!  What's a little cannibalism between friends! :o)


> -Original Message-
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 6:44 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Depending on local laws, there are some things to which you simply
> can't agree. For example, I can't agree that you can kill me and cook
> me for dinner tonight - in most locations you are still going to be
> charged with murder, no matter what agreements we had in place.
> 
> On Jan 26, 2008 5:40 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > I agree to a point, Claude... you're right that anything can
> > be overturned, but having a prior agreement is always good to have
> > on your side in court.
> >




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297506
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[James Holmes]

Depending on local laws, there are some things to which you simply
can't agree. For example, I can't agree that you can kill me and cook
me for dinner tonight - in most locations you are still going to be
charged with murder, no matter what agreements we had in place.

On Jan 26, 2008 5:40 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> I agree to a point, Claude... you're right that anything can
> be overturned, but having a prior agreement is always good to have
> on your side in court.
>
> There would have to be gross negligence on a company's part to
> have the prior legal agreement ignored.
>
> I think everyone in our discussion is right, to a point.
>
> And, btw, I have no connection to Zillow.com.  I just happened to
> be on that site when the question about liability came up.
>
> I will say that if I ever do get sued because passwords and usernames
> were stolen from my company and I lost a case because someone's bank
> account was drained because it used the same password and username,
> I would absolutely start forcing my passwords on everyone.
>
> To this point, I've had no problem.  And we all try to balance
> user-friendliness and security.  But someone is always being bitten.
> Everyone is just playing a game of Russian Roulette and hoping we're
> not the one facing a round in the chamber.
>
> Rick
>
> > -Original Message-
> > From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 25, 2008 1:36 PM
> > To: CF-Talk
> > Subject: Re: SSL Necessary? Important?
> >
> >  >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
> > ANY DAMAGES
> >
> > I'm sorry, but just from the very begining, this statement has
> > absolutely no value.
> > I hope you didn't pay a lawyer to write it.
> >
> > Nobody can state, in advance on not that "he is not liable or responsible".
> > ONLY a judge in court can make this decision, only based on facts.
> > If you have been careless in an issue, EVEN if you warned the plaintiff that
> > you are not liable, the judge can decide that you are responsible.
> >
> > The only utility of such notice is may be 1. to make unaware customers
> > believe they can't go to court,
> > 2. to make them do their part about security.
> >
>
>
>
>
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297497
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

My only point about Zillow.com's terms holds them unaccountable for any
problems you experiences from using their site.  They state:

>(A) BREACH OF CONTRACT, (B) BREACH OF WARRANTY, (C) NEGLIGENCE, OR
>(D) ANY OTHER CAUSE OF ACTION

Sounds to me like, whether it's because of a weak password or whatever,
they can't be held liable.  And in the final clause, they simply state
that if you don't like those terms, don't use the service.

Those terms sound fine to me.  Even if I have no security for people's
password, personal info, etc., sounds to me like the terms above protects
me under any circumstance, including (C), negligence.


Now concerning Sharebuilder.com's position:

First, your link was a PR departments "friendly-face", "warm-and-fuzzy"
explanation of how they'll take care of you and provide you with security.

However, the legal departments position, and the only one that counts is:

http://www.sharebuilder.com/sharebuilder/Legal/Default.aspx, particularly
in our discussion, point 27:

27) Security and Confidentiality
You agree that you will be fully responsible for the confidentiality of your 
user name and password.
You further agree that you will be fully and solely responsible for all 
activities, including
brokerage transactions, that arise from the use of your user name and password. 
You will immediately
notify us in writing or by e-mail of any loss, theft or unauthorized use of 
your user name, password
and/or account number(s).

So, their "bottom line" is that you're responsible for "all activities", 
brokerage or otherwise,
"that arise from the use of your user name and password."

So, again, they positioned themselves so that only the client is at risk
if somebody finds out about their user name and password and abuses it.


At least that's my take...

Rick



> -Original Message-----
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 12:52 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> I'm not sure how Zillow.com's terms supports your "My strong password or
> else" argument (which is what I thought this was) as all you did was show me
> their terms of use.
> 
> Now try to find one one here -
> http://www.sharebuilder.com/sharebuilder/Security/Default.aspx
> 
> I can choose any password I want there.  I'm sure that Sharebuilder probably
> has real time monitoring going on and Zillow doesn't.  Is that what the
> difference between the terms are?  Real time "we got your back security"
> versus some real estate website listing properties?  *shrugs* No idea.
> 
> On Jan 25, 2008 12:02 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
> > website.
> >
> > 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR
> > ANY SUPPLIER BE LIABLE FOR
> > ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT, CONSEQUENTIAL,
> > SPECIAL, INCIDENTAL, OR
> > PUNITIVE DAMAGES ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS
> > OF USE OR YOUR USE OF THE
> > SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> > DAMAGES. THE EXCLUSION OF
> > DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND
> > SURVIVES IN THE EVENT SUCH
> > REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
> > UNENFORCEABLE. THESE LIMITATIONS AND
> > EXCLUSIONS APPLY WITHOUT REGARD TO WHETHER THE DAMAGES ARISE FROM (A)
> > BREACH OF CONTRACT, (B) BREACH
> > OF WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
> > EXTENT SUCH EXCLUSION AND
> > LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT AGREE WITH
> > ANY PART OF THESE TERMS
> > OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS
> > SUPPLIERS WITH RESPECT TO THESE
> > TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO
> > DISCONTINUE USING THE
> > SERVICES.
> >
> > Now that pretty iron-clad legally, I think, that no matter what you do,
> > password or other-wise, they're not going to pay for it. Quite
> > "bottom-line", "my way or the highway", especially that last clause...




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297476
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

I agree to a point, Claude... you're right that anything can
be overturned, but having a prior agreement is always good to have
on your side in court.

There would have to be gross negligence on a company's part to
have the prior legal agreement ignored.

I think everyone in our discussion is right, to a point.

And, btw, I have no connection to Zillow.com.  I just happened to
be on that site when the question about liability came up.

I will say that if I ever do get sued because passwords and usernames
were stolen from my company and I lost a case because someone's bank
account was drained because it used the same password and username,
I would absolutely start forcing my passwords on everyone.

To this point, I've had no problem.  And we all try to balance
user-friendliness and security.  But someone is always being bitten.
Everyone is just playing a game of Russian Roulette and hoping we're
not the one facing a round in the chamber.

Rick

> -Original Message-
> From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 1:36 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
>  >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
> ANY DAMAGES
> 
> I'm sorry, but just from the very begining, this statement has
> absolutely no value.
> I hope you didn't pay a lawyer to write it.
> 
> Nobody can state, in advance on not that "he is not liable or responsible".
> ONLY a judge in court can make this decision, only based on facts.
> If you have been careless in an issue, EVEN if you warned the plaintiff that
> you are not liable, the judge can decide that you are responsible.
> 
> The only utility of such notice is may be 1. to make unaware customers
> believe they can't go to court,
> 2. to make them do their part about security.
> 




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297475
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dave Watts]

> Here's some of the "Terms" for use of Zillow.com... a Real 
> Estate listing website.
> 
> 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL 
> ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES ...
> 
> Now that pretty iron-clad legally, I think, that no matter 
> what you do, password or other-wise, they're not going to pay 
> for it. Quite "bottom-line", "my way or the highway", 
> especially that last clause...

They can write whatever they want. That doesn't make it legally binding. If
I recall correctly, you generally cannot limit liability in cases of
negligence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297464
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Claude Schneegans]

 >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
ANY DAMAGES

I'm sorry, but just from the very begining, this statement has 
absolutely no value.
I hope you didn't pay a lawyer to write it.

Nobody can state, in advance on not that "he is not liable or responsible".
ONLY a judge in court can make this decision, only based on facts.
If you have been careless in an issue, EVEN if you warned the plaintiff that
you are not liable, the judge can decide that you are responsible.

The only utility of such notice is may be 1. to make unaware customers 
believe they can't go to court,
2. to make them do their part about security.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297448
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Todd]

I'm not sure how Zillow.com's terms supports your "My strong password or
else" argument (which is what I thought this was) as all you did was show me
their terms of use.

Now try to find one one here -
http://www.sharebuilder.com/sharebuilder/Security/Default.aspx

I can choose any password I want there.  I'm sure that Sharebuilder probably
has real time monitoring going on and Zillow doesn't.  Is that what the
difference between the terms are?  Real time "we got your back security"
versus some real estate website listing properties?  *shrugs* No idea.

On Jan 25, 2008 12:02 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
> website.
>
> 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR
> ANY SUPPLIER BE LIABLE FOR
> ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT, CONSEQUENTIAL,
> SPECIAL, INCIDENTAL, OR
> PUNITIVE DAMAGES ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS
> OF USE OR YOUR USE OF THE
> SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGES. THE EXCLUSION OF
> DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND
> SURVIVES IN THE EVENT SUCH
> REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
> UNENFORCEABLE. THESE LIMITATIONS AND
> EXCLUSIONS APPLY WITHOUT REGARD TO WHETHER THE DAMAGES ARISE FROM (A)
> BREACH OF CONTRACT, (B) BREACH
> OF WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
> EXTENT SUCH EXCLUSION AND
> LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT AGREE WITH
> ANY PART OF THESE TERMS
> OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS
> SUPPLIERS WITH RESPECT TO THESE
> TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO
> DISCONTINUE USING THE
> SERVICES.
>
> Now that pretty iron-clad legally, I think, that no matter what you do,
> password or other-wise, they're not going to pay for it. Quite
> "bottom-line", "my way or the highway", especially that last clause...
>


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297447
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Dave Watts]

> Anyway, the problem with strong passwords is they're not 
> easily, if at all, memorable.

That doesn't have to be true:
http://en.wikipedia.org/wiki/Passphrase

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297445
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Todd]

I can assure you that I'm not your wife and there are some areas where I'm
very cut to the chase and other areas where I have learned to be more
flexible I guess. :)

On Jan 25, 2008 11:40 AM, Rick Faircloth wrote:

> You sound like my wife who's always telling me to be more civil and stop
> that "my way or the highway" kind of talk when I discuss issues.  It's not
> that it's my way or the highway, I just tend to "cut to the chase" in
> getting
> to the bottom line and not phrasing my position very "diplomatically."
>


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297444
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Rick Faircloth]

Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
website.

9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR ANY 
SUPPLIER BE LIABLE FOR
ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT, CONSEQUENTIAL, SPECIAL, 
INCIDENTAL, OR
PUNITIVE DAMAGES ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS OF USE 
OR YOUR USE OF THE
SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. THE EXCLUSION OF
DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND 
SURVIVES IN THE EVENT SUCH
REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED UNENFORCEABLE. 
THESE LIMITATIONS AND
EXCLUSIONS APPLY WITHOUT REGARD TO WHETHER THE DAMAGES ARISE FROM (A) BREACH OF 
CONTRACT, (B) BREACH
OF WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE EXTENT 
SUCH EXCLUSION AND
LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT AGREE WITH ANY 
PART OF THESE TERMS
OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS SUPPLIERS 
WITH RESPECT TO THESE
TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO 
DISCONTINUE USING THE
SERVICES.

Now that pretty iron-clad legally, I think, that no matter what you do,
password or other-wise, they're not going to pay for it. Quite
"bottom-line", "my way or the highway", especially that last clause...



> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 11:04 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick,
> 
> I get it.  I do.  What I'm suggesting is instead of cramming down a password
> down the throat to use clearly written english description of what a STRONG
> password would be and to use validation to determine what's a strong / weak
> passwords.  There's plenty of javascript / serverside validation methods for
> doing this, it doesn't take that long to write a custom one.  I wrote a
> custom one that I thought was pretty good until I came across a password
> issue that I had to debug and during that time, I realized that the client
> was using their email address as a password so I beefed up my validation
> even more and wrote another bullet of you can't use (first name, last name,
> email address, phone number, etc).
> 
> People do the damndest things and they don't think about their own security
> sometimes, but I would still rather write the rules up and enforce those
> rules than say "my way or the highway."  When I come across issues like
> that, I have a 2 simple little actions in my admin 1.) Force new password
> upon next login or 2.) Send new random strong password now and make them
> change it upon next login.
> 
> I want them to be educated and use a strong password that they're going to
> remember and they're not going to write it down on a slip of paper because I
> won't let them change it otherwise.  Anyway, we'll just agree to disagree.
> It's ok.  Two very valid opinions.
> 
> ~Todd
> 
> On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > I don't see anywhere in those terms that a lawyer could *without a doubt*
> > use to hold Google harmless if Google's servers were hacked (their fault)
> > and a client's login info stolen and used to access a bank account.
> >
> > I think a jury would see Google as liable for their failed security.
> > But I'm no lawyer...
> >
> > I do however, begin to get concerned when clients want their personal data
> > "secured" that a weak password could come back to bite them and me as
> > well.
> > The weak password, it would seem to me, would have to be the result of a
> > user's sole choice, bypassing all guidance and cautions that I provide,
> > including
> > a strong password option.
> >
> > It is an interesting discussion.  As my clients become more widespread and
> > less
> > "personal", the chance of lawsuits increases.
> >
> > Just want to protect my "assets"...
> >
> > Rick
> >
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297439
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Rick Faircloth]

You sound like my wife who's always telling me to be more civil and stop
that "my way or the highway" kind of talk when I discuss issues.  It's not
that it's my way or the highway, I just tend to "cut to the chase" in getting
to the bottom line and not phrasing my position very "diplomatically."

Besides, I've only had half a cup of coffee this morning at this point.  :o| 
(Aaarf!)

Anyway, the problem with strong passwords is they're not easily, if at all,
memorable.  I'd rather a user have strong passwords, different ones for every
instance where they need one, and write them down (preferably not on a 
post-it-note
on the screen ;o) where they can access them, than to try to remember all the
passwords they use, which can literally be hundreds, these days.

The biggest danger is not when someone robs their home (don't put the bank 
account
passwords on paper), but hackers gaining access via email snooping, intercepting
data flow, or breaking into companies that maintain confidential data.

At least if someone breaks into my home, I know that my passwords are 
compromised.
If they just get the info from an online account, I wouldn't have a clue for 
awhile.

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 11:04 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick,
> 
> I get it.  I do.  What I'm suggesting is instead of cramming down a password
> down the throat to use clearly written english description of what a STRONG
> password would be and to use validation to determine what's a strong / weak
> passwords.  There's plenty of javascript / serverside validation methods for
> doing this, it doesn't take that long to write a custom one.  I wrote a
> custom one that I thought was pretty good until I came across a password
> issue that I had to debug and during that time, I realized that the client
> was using their email address as a password so I beefed up my validation
> even more and wrote another bullet of you can't use (first name, last name,
> email address, phone number, etc).
> 
> People do the damndest things and they don't think about their own security
> sometimes, but I would still rather write the rules up and enforce those
> rules than say "my way or the highway."  When I come across issues like
> that, I have a 2 simple little actions in my admin 1.) Force new password
> upon next login or 2.) Send new random strong password now and make them
> change it upon next login.
> 
> I want them to be educated and use a strong password that they're going to
> remember and they're not going to write it down on a slip of paper because I
> won't let them change it otherwise.  Anyway, we'll just agree to disagree.
> It's ok.  Two very valid opinions.
> 
> ~Todd
> 
> On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > I don't see anywhere in those terms that a lawyer could *without a doubt*
> > use to hold Google harmless if Google's servers were hacked (their fault)
> > and a client's login info stolen and used to access a bank account.
> >
> > I think a jury would see Google as liable for their failed security.
> > But I'm no lawyer...
> >
> > I do however, begin to get concerned when clients want their personal data
> > "secured" that a weak password could come back to bite them and me as
> > well.
> > The weak password, it would seem to me, would have to be the result of a
> > user's sole choice, bypassing all guidance and cautions that I provide,
> > including
> > a strong password option.
> >
> > It is an interesting discussion.  As my clients become more widespread and
> > less
> > "personal", the chance of lawsuits increases.
> >
> > Just want to protect my "assets"...
> >
> > Rick
> >
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297437
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Todd]

Rick,

I get it.  I do.  What I'm suggesting is instead of cramming down a password
down the throat to use clearly written english description of what a STRONG
password would be and to use validation to determine what's a strong / weak
passwords.  There's plenty of javascript / serverside validation methods for
doing this, it doesn't take that long to write a custom one.  I wrote a
custom one that I thought was pretty good until I came across a password
issue that I had to debug and during that time, I realized that the client
was using their email address as a password so I beefed up my validation
even more and wrote another bullet of you can't use (first name, last name,
email address, phone number, etc).

People do the damndest things and they don't think about their own security
sometimes, but I would still rather write the rules up and enforce those
rules than say "my way or the highway."  When I come across issues like
that, I have a 2 simple little actions in my admin 1.) Force new password
upon next login or 2.) Send new random strong password now and make them
change it upon next login.

I want them to be educated and use a strong password that they're going to
remember and they're not going to write it down on a slip of paper because I
won't let them change it otherwise.  Anyway, we'll just agree to disagree.
It's ok.  Two very valid opinions.

~Todd

On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> I don't see anywhere in those terms that a lawyer could *without a doubt*
> use to hold Google harmless if Google's servers were hacked (their fault)
> and a client's login info stolen and used to access a bank account.
>
> I think a jury would see Google as liable for their failed security.
> But I'm no lawyer...
>
> I do however, begin to get concerned when clients want their personal data
> "secured" that a weak password could come back to bite them and me as
> well.
> The weak password, it would seem to me, would have to be the result of a
> user's sole choice, bypassing all guidance and cautions that I provide,
> including
> a strong password option.
>
> It is an interesting discussion.  As my clients become more widespread and
> less
> "personal", the chance of lawsuits increases.
>
> Just want to protect my "assets"...
>
> Rick
>


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297427
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

I don't see anywhere in those terms that a lawyer could *without a doubt*
use to hold Google harmless if Google's servers were hacked (their fault)
and a client's login info stolen and used to access a bank account.

I think a jury would see Google as liable for their failed security.
But I'm no lawyer...

I do however, begin to get concerned when clients want their personal data
"secured" that a weak password could come back to bite them and me as well.
The weak password, it would seem to me, would have to be the result of a
user's sole choice, bypassing all guidance and cautions that I provide, 
including
a strong password option.

It is an interesting discussion.  As my clients become more widespread and less
"personal", the chance of lawsuits increases.

Just want to protect my "assets"...

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:35 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Would you consider gmail to be pretty important if you used it daily like I
> do?  Let's take a look at what Google says in their EULA:
> 
> =
> 6. Your passwords and account security
> 
> 6.1 You agree and understand that you are responsible for maintaining the
> confidentiality of passwords associated with any account you use to access
> the Services.
> 
> 6.2 Accordingly, you agree that you will be solely responsible to Google for
> all activities that occur under your account.
> 
> 6.3 If you become aware of any unauthorized use of your password or of your
> account, you agree to notify Google immediately at [snipped URL].
> =
> 
> I don't remember that gmail had very strict password rules.  Yet their
> legalese basically negates the need since they pretty much label you
> responsible for everything that happens under your account.  If my bank gets
> hacked because I use my same username / password as my gmail and it was
> obtained via gmail somehow, does that legalese mean Google is in the clear?
> 
> ~Todd
> 
> On Jan 25, 2008 9:17 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > Well, I was just kinda "giving the bottom line".  Of course, in the real
> > world, a much "kinder, gentler" way of saying it would be appropriate.
> >
> > I can also compromise by letting you choose your password, but stipulate
> > that it require one or more of certain characters, a mix of caps and lower
> > case, etc.,
> > or I can allow you to choose your own password without any stipulations,
> > but you have to sign a waiver holding me harmless.
> >
> > I don't see that as unreasonable.  You get to decide how to handle your
> > password, if you like, but you just can't blame me in the case of a poor
> > choice which leads to your ruin.  I'm not going down with you...
> >
> > I think that's fair.
> >
> > I'll be most EUA's have something like that buried in their "legalize".
> >
> > Thoughts?
> >
> > Rick
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297424
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Todd]

Would you consider gmail to be pretty important if you used it daily like I
do?  Let's take a look at what Google says in their EULA:

=
6. Your passwords and account security

6.1 You agree and understand that you are responsible for maintaining the
confidentiality of passwords associated with any account you use to access
the Services.

6.2 Accordingly, you agree that you will be solely responsible to Google for
all activities that occur under your account.

6.3 If you become aware of any unauthorized use of your password or of your
account, you agree to notify Google immediately at [snipped URL].
=

I don't remember that gmail had very strict password rules.  Yet their
legalese basically negates the need since they pretty much label you
responsible for everything that happens under your account.  If my bank gets
hacked because I use my same username / password as my gmail and it was
obtained via gmail somehow, does that legalese mean Google is in the clear?

~Todd

On Jan 25, 2008 9:17 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> Well, I was just kinda "giving the bottom line".  Of course, in the real
> world, a much "kinder, gentler" way of saying it would be appropriate.
>
> I can also compromise by letting you choose your password, but stipulate
> that it require one or more of certain characters, a mix of caps and lower
> case, etc.,
> or I can allow you to choose your own password without any stipulations,
> but you have to sign a waiver holding me harmless.
>
> I don't see that as unreasonable.  You get to decide how to handle your
> password, if you like, but you just can't blame me in the case of a poor
> choice which leads to your ruin.  I'm not going down with you...
>
> I think that's fair.
>
> I'll be most EUA's have something like that buried in their "legalize".
>
> Thoughts?
>
> Rick


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297417
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Rick Faircloth]

Well, I was just kinda "giving the bottom line".  Of course, in the real
world, a much "kinder, gentler" way of saying it would be appropriate.

I can also compromise by letting you choose your password, but stipulate
that it require one or more of certain characters, a mix of caps and lower 
case, etc.,
or I can allow you to choose your own password without any stipulations,
but you have to sign a waiver holding me harmless.

I don't see that as unreasonable.  You get to decide how to handle your
password, if you like, but you just can't blame me in the case of a poor
choice which leads to your ruin.  I'm not going down with you...

I think that's fair.

I'll be most EUA's have something like that buried in their "legalize".

Thoughts?

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 8:51 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick, is it really not possible to compromise?  It's one thing to enforce
> and shove a password down my throat... it's something else to educate the
> end-user on what a "strong" password is.
> 
> On Jan 25, 2008 8:46 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > No problem... if you won't let me choose your password to make sure
> > you and I are both protected, then you have to agree not to hold me
> > accountable for any problems that occur as a result of your weak
> > password.  Accept a strong password, or sign a waiver... simple.
> >
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297415
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Todd]

Rick, is it really not possible to compromise?  It's one thing to enforce
and shove a password down my throat... it's something else to educate the
end-user on what a "strong" password is.

On Jan 25, 2008 8:46 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> No problem... if you won't let me choose your password to make sure
> you and I are both protected, then you have to agree not to hold me
> accountable for any problems that occur as a result of your weak
> password.  Accept a strong password, or sign a waiver... simple.
>


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297413
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

No problem... if you won't let me choose your password to make sure
you and I are both protected, then you have to agree not to hold me
accountable for any problems that occur as a result of your weak
password.  Accept a strong password, or sign a waiver... simple.

> -Original Message-
> From: Rick Root [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 8:20 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > One solution that I have used is to allow users to choose their username,
> > usually just their email address, but I force a very strong password
> > on them generated with CF.
> 
> Nothing annoys me more, personally, than a web site that won't let me
> choose my own password.  Such sites are rare, thank god.
> 
> But second on the list of annoying password things is password rules
> that don't make sense to me or seem random. One bank says your
> password cannot end in a number.  Another says you have to have two
> numbers.
> 
> Then you get the sites that don't LET you use special characters.
> That *REALLY* annoys me.  Nothing worse than a web site that forces
> you to lower your password strength to fit their rules.
> 
> And finally, I deal with one company that forces your password to all
> lower case.  PSNC Energy does that.  Incredibly lame.
> 
> --
> Rick Root
> New Brian Vander Ark Album, songs in the music player and cool behind
> the scenes video at www.myspace.com/brianvanderark
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297412
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Rick Root]

On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> One solution that I have used is to allow users to choose their username,
> usually just their email address, but I force a very strong password
> on them generated with CF.

Nothing annoys me more, personally, than a web site that won't let me
choose my own password.  Such sites are rare, thank god.

But second on the list of annoying password things is password rules
that don't make sense to me or seem random. One bank says your
password cannot end in a number.  Another says you have to have two
numbers.

Then you get the sites that don't LET you use special characters.
That *REALLY* annoys me.  Nothing worse than a web site that forces
you to lower your password strength to fit their rules.

And finally, I deal with one company that forces your password to all
lower case.  PSNC Energy does that.  Incredibly lame.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297411
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dave Watts]

> Is the SSL encryption overkill for something like this?  Or 
> would it be advisable?  How big a security risk is there for 
> personal info like this?

The security risk is probably acceptable for your client, even if they don't
know that. However, it's so cheap to use SSL that you might as well do that
instead.

> Is it easy to hack without SSL?

SSL/TLS prevents third parties from being able to read traffic between the
two endpoints of an encrypted conversation - the browser and the server. It
doesn't prevent the client from hacking anything, and that may be a more
serious concern. It is very easy to read plaintext data if you're on the
same network segment as an unencrypted conversation. If you go down to your
local coffee shop and use the free wifi, you can easily read data from other
users who aren't using SSL/TLS or tunnelling all their traffic through a VPN
or SSH connection. For example, I give you the wall of sheep:

http://blog.makezine.com/archive/2005/07/_defcon_the_wal.html

But, to see this data, you have to be on the same network segment, which
limits the scope of any surveillance quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297382
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Rick Root]

On 1/24/08, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> It doesn't matter whose responsibility it is.  If a bank account gets
> hacked because of the church's web site, it will hurt the credibility of
> the church.

Yeah but God will protect them from that.

Damn, now I'm going to hell.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297362
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Claude Schneegans]

 >>In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.

 provided you assume paranoia...

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297363
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

One solution that I have used is to allow users to choose their username,
usually just their email address, but I force a very strong password
on them generated with CF.  I can control the parameters of the password
and what characters are used as well as what length it is.  They may not
like it, but it's for their protection and mine.  And if they forget that
password, the system simply issues another equally strong one.

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 2:58 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> o_O
> 
> Mike, if your bank account gets hacked dude because YOU used the same
> username/password for every site the only person to blame here is YOU.  I'm
> sorry, but this thinking is just way backwards.  Should the church also be
> responsible if someone stole your ATM card and the PIN number just happened
> to be the same as your password?!  YOU made the mistake, not the church.
> 
> I'm *in agreement *that account identity information needs to be encrypted
> in the database.
> 
> On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> 
> > It doesn't matter whose responsibility it is.  If a bank account gets
> > hacked because of the church's web site, it will hurt the credibility of
> > the church.
> >
> > M!ke
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297356
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Todd]

Yeah, I will agree with that.  I'm two minds of this apparently.  It's one
thing if a simple forum has my username/password stolen, quite something
different if my SSN was stolen.

My co-worker gave the argument that if a username/password can be traced
back to you and additional information can be gleamed and they can figure
out your bank and manage to log in because your username/password was the
same, then it's the original site that lost the data fault.  My counterpoint
was, If I let you borrow my car and I happened to give you my entire keyring
instead of just giving you the keys to the car, was it your fault or mine
when you got mugged and the keys (password) were taken from you (by a
hacker) my car (data) got stolen and oh, by the way, now my house ( the bank
) got robbed?  In my opinion, We were both at fault there.  I stupidly gave
you my entire keyring and you lost it/got mugged/whatever.

I do understand what you are saying.  I agree that personal identifying
information needs to be encrypted and secured.  SSL (or TSL or whatever the
hell you want to call it now) is an extra layer.  Does SSL belong on a
simple forum?  Not sure.  Does it belong on a site that is doing any kind of
transactions?  Certainly.

I think adding a robust privacy policies and terms of agreements are a good
thing as well.  Ensuring the end user that the data is encrypted and laying
down exactly what you're responsible for.  It's one thing for data to be
compromised on your website, something entirely different when the end user
didn't secure themselves by using the same username/password and now their
bank got cleaned out.

Maybe we all take information for granted for how freely its flowing out
there?  I may have to rethink all this... I have no idea anymore.  I argued
myself into a circle. ;)

On Jan 24, 2008 3:57 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> You are missing my point. I'm not saying a person is not responsible for
> their own credentials, however, you know how the media is.
>
> My original point was that it is too inexpensive NOT to secure the
> information.  Especially, to protect dummy people from themselves.  I
> care about the other guy even if the other guy gots not smarts.
>
> M!ke


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297359
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dawson, Michael]

You are missing my point. I'm not saying a person is not responsible for
their own credentials, however, you know how the media is.

My original point was that it is too inexpensive NOT to secure the
information.  Especially, to protect dummy people from themselves.  I
care about the other guy even if the other guy gots not smarts.

M!ke 

-Original Message-
From: Todd [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 1:58 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?

o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.
I'm sorry, but this thinking is just way backwards.  Should the church
also be responsible if someone stole your ATM card and the PIN number
just happened to be the same as your password?!  YOU made the mistake,
not the church.

I'm *in agreement *that account identity information needs to be
encrypted in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> It doesn't matter whose responsibility it is.  If a bank account gets 
> hacked because of the church's web site, it will hurt the credibility 
> of the church.
>
> M!ke

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297349
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dawson, Michael]

It doesn't matter whose responsibility it is.  If a bank account gets
hacked because of the church's web site, it will hurt the credibility of
the church.

M!ke 

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 10:21 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?


 >>Then, I sign up for your church's web site and use the same username
and password combination.  Now, if someone sniffs that unsecured
connection, they now have my bank username and password.

Ok, but it is not the church responsibility to protect you bank username
and password.
It's your problem.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297335
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Rick Root]

On 1/24/08, Todd <[EMAIL PROTECTED]> wrote:
> While I agree that account identifying information should be encrypted in
> the database, I don't agree that the church is responsible for the end
> user's stupidity of using the same username/password for every website out
> there.

I would agree, I use special passwords for any of my accounts that
involve credit cards, banks, etc  I also use special passwords for
my email accounts.

then I don't worry about an unscrupulous web site manager running a
church web site using the password I give the site for anything
important.


In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.  But sometimes, it's easy to decide that it's not worth
the $25/year - though that's really a small price to pay).

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297341
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Todd]

o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.  I'm
sorry, but this thinking is just way backwards.  Should the church also be
responsible if someone stole your ATM card and the PIN number just happened
to be the same as your password?!  YOU made the mistake, not the church.

I'm *in agreement *that account identity information needs to be encrypted
in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> It doesn't matter whose responsibility it is.  If a bank account gets
> hacked because of the church's web site, it will hurt the credibility of
> the church.
>
> M!ke


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297345
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dawson, Michael]

>While I agree that account identifying information should be encrypted
in the database, I don't agree that the church is responsible for the
end user's stupidity of using the same username/password for every
website out there.

I agree, but tell this to all of the non-techies out there.  We run
across tons of secretaries who use their work user name for their
personal web sites.  They just don't quite understand the separation
between web sites.

M!ke

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297342
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Rick Faircloth]

Very true... thanks, Michael.

Rick

> -Original Message-
> From: Dawson, Michael [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:58 AM
> To: CF-Talk
> Subject: RE: SSL Necessary? Important?
> 
> I don't think SSL is always necessary.  It depends on the content.
> 
> However, it is pretty common that many people use the same username and
> password for many different systems.
> 
> For example, I may log in to my bank's web site using "michael" and
> "password".  The bank's web site is secure so I no worry.
> 
> Then, I sign up for your church's web site and use the same username and
> password combination.  Now, if someone sniffs that unsecured connection,
> they now have my bank username and password.
> 
> So, although it's not necessary, in all cases, you are helping to
> protect information, indirectly.
> 
> Certificates are pretty inexpensive considering the cost of the loss of
> trust from users.
> 
> M!ke




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297326
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Todd]

On Jan 24, 2008 9:57 AM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> For example, I may log in to my bank's web site using "michael" and
> "password".  The bank's web site is secure so I no worry.
>
> Then, I sign up for your church's web site and use the same username and
> password combination.  Now, if someone sniffs that unsecured connection,
> they now have my bank username and password.
>
>
While I agree that account identifying information should be encrypted in
the database, I don't agree that the church is responsible for the end
user's stupidity of using the same username/password for every website out
there.

SSL for a church forum/cms login is overkill unless said church is accepting
donations on the website.  If they are, then they should be just as secured
as any other merchant online.


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297329
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Claude Schneegans]

 >>Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

Ok, but it is not the church responsibility to protect you bank username 
and password.
It's your problem.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297316
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Necessary? Important?

[Dawson, Michael]

I don't think SSL is always necessary.  It depends on the content.

However, it is pretty common that many people use the same username and
password for many different systems.

For example, I may log in to my bank's web site using "michael" and
"password".  The bank's web site is secure so I no worry.

Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

So, although it's not necessary, in all cases, you are helping to
protect information, indirectly.

Certificates are pretty inexpensive considering the cost of the loss of
trust from users.

M!ke

-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 23, 2008 7:45 PM
To: CF-Talk
Subject: OT: SSL Necessary? Important?

Hi, all.

Pardon a quick OT question (or two).  I have a client (church) that
wants to have a directory that is accessible to the membership, but not
the general public.  Access will be controlled by password/username
login.

But the church is also asking about an encrypted connection using an SSL
certificate.

Is the SSL encryption overkill for something like this?  Or would it be
advisable?  How big a security risk is there for personal info like
this?
Is it easy to hack without SSL?

Thanks for any feedback.

Rick

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297297
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Will Tomlinson]

Rick,

Don't believe anything dave says. He's just disrupting again. 

Anyway, do *I* look like I would make fun of you?   :)

Will 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297254
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Necessary? Important?

[Rick Faircloth]

> sla 256 hashing

I know I'm generally behind the times, so I thought maybe
that was some new encryption technology.  ;o)

> Will is trying to make fun of u (yes again)

I feel honored to garner such attention from Will... however,
I didn't see a message from him.  Maybe it'll come in soon.
Wouldn't want to miss it, you know!


> -Original Message-
> From: Dave l [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 8:54 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> umm sha i meant
> 
> > Will is trying to make fun of u (yes again) but the way I look at it
> > at least you have more than 1 client, he can't say that :)
> >
> > You can use ssl on there with no big deal.
> > If you aren't encrypting your passwords then sure it could be a big
> > deal if someone gets ahold of their username and password and it
> > happens to also unlock.. say their bank account which the people find.
> >
> >
> > generally a good sla 256 hashing is good but if they ask you for ssl
> > then give then ssl to cover your arse.
> >
> >
> >
> > >Hi, all.
> > >
> > >Pardon a quick OT question (or two).  I have a client (church) that
> > wants
> > >to have a directory that is accessible to the membership, but not
> > the
> > >general public.  Access will be controlled by password/username login.
> >
> > >
> > >But the church is also asking about an encrypted connection using an
> > SSL
> > >certificate.
> > >
> > >Is the SSL encryption overkill for something like this?  Or would it
> > be
> > >advisable?  How big a security risk is there for personal info like
> > this?
> > >Is it easy to hack without SSL?
> > >
> > >Thanks for any feedback.
> > >
> > >Rick
> 
> 
> 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297260
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Dave l]

lol, so prove me wrong!!! 
captain lady killer ;)~


>Rick,
>
>Don't believe anything dave says. He's just disrupting again. 
>
>Anyway, do *I* look like I would make fun of you?   :)
>
>Will 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297255
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Necessary? Important?

[Dave l]

Will is trying to make fun of u (yes again) but the way I look at it at least 
you have more than 1 client, he can't say that :)

You can use ssl on there with no big deal.
If you aren't encrypting your passwords then sure it could be a big deal if 
someone gets ahold of their username and password and it happens to also 
unlock.. say their bank account which the people find.

generally a good sla 256 hashing is good but if they ask you for ssl then give 
then ssl to cover your arse.



>Hi, all.
>
>Pardon a quick OT question (or two).  I have a client (church) that wants
>to have a directory that is accessible to the membership, but not the
>general public.  Access will be controlled by password/username login.
>
>But the church is also asking about an encrypted connection using an SSL
>certificate.
>
>Is the SSL encryption overkill for something like this?  Or would it be
>advisable?  How big a security risk is there for personal info like this?
>Is it easy to hack without SSL?
>
>Thanks for any feedback.
>
>Rick 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297245
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Necessary? Important?

[Dave l]

umm sha i meant

> Will is trying to make fun of u (yes again) but the way I look at it 
> at least you have more than 1 client, he can't say that :)
> 
> You can use ssl on there with no big deal.
> If you aren't encrypting your passwords then sure it could be a big 
> deal if someone gets ahold of their username and password and it 
> happens to also unlock.. say their bank account which the people find.
> 
> 
> generally a good sla 256 hashing is good but if they ask you for ssl 
> then give then ssl to cover your arse.
> 
> 
> 
> >Hi, all.
> >
> >Pardon a quick OT question (or two).  I have a client (church) that 
> wants
> >to have a directory that is accessible to the membership, but not 
> the
> >general public.  Access will be controlled by password/username login.
> 
> >
> >But the church is also asking about an encrypted connection using an 
> SSL
> >certificate.
> >
> >Is the SSL encryption overkill for something like this?  Or would it 
> be
> >advisable?  How big a security risk is there for personal info like 
> this?
> >Is it easy to hack without SSL?
> >
> >Thanks for any feedback.
> >
> >Rick 


~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297246
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Installation

[Robertson-Ravo, Neil (RX)]

Disable port 80 listening :-)






"This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant,
Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business,
Registered in England, Number 678540.  It contains information which is
confidential and may also be privileged.  It is for the exclusive use of the
intended recipient(s).  If you are not the intended recipient(s) please note
that any form of distribution, copying or use of this communication or the
information in it is strictly prohibited and may be unlawful.  If you have
received this communication in error please return it to the sender or call
our switchboard on +44 (0) 20 89107910.  The opinions expressed within this
communication are not necessarily those expressed by Reed Exhibitions." 
Visit our website at http://www.reedexpo.com

-Original Message-
From: Robert Rawlins - Think Blue
To: CF-Talk
Sent: Thu Jun 21 22:25:53 2007
Subject: SSL Installation

Hello Guys,

 

I kind of feel a little silly asking this, but net admin never was my strong
point...

 

I've now installed my shiny new ssl certificate and it seems to work just
lovely, if I browse the https:// address then I get the little lock and all
that jazz, now, how do i button down the hatches so the https:// version is
the only version accessibly on my site? I'm running win2k3 and IIS6.

 

Thanks for any advice, a quick one would be really great, its 10.30pm and
I'm still in the office lol

 

Thanks,

 

Rob





~|
Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 & 
Flex 2
Free Trial 
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJU

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281878
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Installation

[Marius Milosav]

Check the port. Something like this:

https://www.domain.com";> 


HTH
Marius Milosav 
ScorpioSoft Corp.
www.scorpiosoft.com

-Original Message-
From: Robert Rawlins - Think Blue
[mailto:[EMAIL PROTECTED] 
Sent: June 21, 2007 5:26 PM
To: CF-Talk
Subject: SSL Installation

Hello Guys,

 

I kind of feel a little silly asking this, but net admin never was my strong
point...

 

I've now installed my shiny new ssl certificate and it seems to work just
lovely, if I browse the https:// address then I get the little lock and all
that jazz, now, how do i button down the hatches so the https:// version is
the only version accessibly on my site? I'm running win2k3 and IIS6.

 

Thanks for any advice, a quick one would be really great, its 10.30pm and
I'm still in the office lol

 

Thanks,

 

Rob





~|
ColdFusion MX7 and Flex 2 
Build sales & marketing dashboard RIA’s for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281877
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Installation

[Russ]

The proper way to do this is to use a rewrite rule with something like ISAPI
rewrite.  Another way to do this would be to configure another virtual site
on port 80 that redirects to https, and take port 80 off of this virtual
site.  

Russ

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 21, 2007 8:45 PM
> To: CF-Talk
> Subject: RE: SSL Installation
> 
> > I've now installed my shiny new ssl certificate and it seems
> > to work just lovely, if I browse the https:// address then I
> > get the little lock and all that jazz, now, how do i button
> > down the hatches so the https:// version is the only version
> > accessibly on my site? I'm running win2k3 and IIS6.
> 
> In IIS, you can configure your web site properties to require SSL. It's
> pretty easy to find in there. If you do this, visitors who attempt to
> connect with HTTP will receive an error from the web server.
> 
> Alternatively, you can look at the appropriate CGI variable in
> Application.cfm/cfc (CFDUMP will show you this) and use CFLOCATION if
> necessary. This will be comparatively seamless to the user.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
> 
> This email has been processed by SmoothZap - www.smoothwall.net
> 
> 
> 

~|
Create Web Applications With ColdFusion MX7 & Flex 2. 
Build powerful, scalable RIAs. Free Trial
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJS 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281868
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Installation

[Dave Watts]

> I've now installed my shiny new ssl certificate and it seems 
> to work just lovely, if I browse the https:// address then I 
> get the little lock and all that jazz, now, how do i button 
> down the hatches so the https:// version is the only version 
> accessibly on my site? I'm running win2k3 and IIS6.

In IIS, you can configure your web site properties to require SSL. It's
pretty easy to find in there. If you do this, visitors who attempt to
connect with HTTP will receive an error from the web server.

Alternatively, you can look at the appropriate CGI variable in
Application.cfm/cfc (CFDUMP will show you this) and use CFLOCATION if
necessary. This will be comparatively seamless to the user.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net


~|
Create Web Applications With ColdFusion MX7 & Flex 2. 
Build powerful, scalable RIAs. Free Trial
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJS 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281859
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL Installation

[J.J. Merrick]

This is off the top of my head but in CF you can do:


 https://blah.com";>


On 6/21/07, Robert Rawlins - Think Blue <[EMAIL PROTECTED]>
wrote:
>
> Hello Guys,
>
>
>
> I kind of feel a little silly asking this, but net admin never was my
> strong
> point...
>
>
>
> I've now installed my shiny new ssl certificate and it seems to work just
> lovely, if I browse the https:// address then I get the little lock and
> all
> that jazz, now, how do i button down the hatches so the https:// version
> is
> the only version accessibly on my site? I'm running win2k3 and IIS6.
>
>
>
> Thanks for any advice, a quick one would be really great, its 10.30pm and
> I'm still in the office lol
>
>
>
> Thanks,
>
>
>
> Rob
>
>
>
> 

~|
Macromedia ColdFusion MX7
Upgrade to MX7 & experience time-saving features, more productivity.
http://www.adobe.com/products/coldfusion?sdid=RVJW

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281848
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Domain redirect without error message

[Russ]

> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 17, 2007 7:49 PM
> To: CF-Talk
> Subject: RE: SSL Domain redirect without error message
> 
> > Either I'm doing something wrong or the only way to do it is
> > to get a wild card ssl certificate that covers both domains :
> > www.xyzdomain.com and xyzdomain.com <https://www.xyzdomain.com/>
> 
> You're not doing anything wrong, and that's exactly what you'll have to do
> if you want people to be able to use either host name.
> 

While I'm not sure if this is the correct solution, but I will defer to Dave
on this, I don't think you need a wild card SSL certificate.  Considering
the pricing I've seen, it's not worth it to get a wildcard certificate for
just two subdomains.  It would make sense to get a separate certificate for
each.  

Considering the pricing of the SSL certificates at GoDaddy or through my
site at X-Registrar.com/SSL ($20/yr for single certificate, $200/yr for
wildcard), it's a no-brainer to pick up an extra SSL certificate, if just to
make the warning go away.  

Russ


~|
ColdFusion MX7 by Adobe®
Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. 
Free Trial. http://www.adobe.com/products/coldfusion?sdid=RVJV

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275654
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Domain redirect without error message

[Dave Watts]

> Like always you are right.

I wish.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net


~|
Create robust enterprise, web RIAs.
Upgrade & integrate Adobe Coldfusion MX7 with Flex 2
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275652
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[Victor Moore]

Thanks Dave,

Like always you are right. As per my previous email, I think it's working
the way it should and the certificate is given for certain domain and one
shouldn't be able to change it willy nilly. It will defeat the purpose

Thanks
Victor

On 4/17/07, Dave Watts <[EMAIL PROTECTED]> wrote:
>
> > Either I'm doing something wrong or the only way to do it is
> > to get a wild card ssl certificate that covers both domains :
> > www.xyzdomain.com and xyzdomain.com 
>
> You're not doing anything wrong, and that's exactly what you'll have to do
> if you want people to be able to use either host name.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> This email has been processed by SmoothZap - www.smoothwall.net
>
>
> 

~|
Upgrade to Adobe ColdFusion MX7
Experience Flex 2 & MX7 integration & create powerful cross-platform RIAs
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJQ 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275651
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: SSL Domain redirect without error message

[Dave Watts]

> Either I'm doing something wrong or the only way to do it is 
> to get a wild card ssl certificate that covers both domains : 
> www.xyzdomain.com and xyzdomain.com 

You're not doing anything wrong, and that's exactly what you'll have to do
if you want people to be able to use either host name.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net


~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade & see new features.
http://www.adobe.com/products/coldfusion?sdid=RVJR

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275649
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL Domain redirect without error message

[Dave Watts]

> You would need to do this at the web server level. Are you 
> running Apache or IIS? If you're running Apache, I could give 
> you some code that would do this for you. ;) If you're 
> running IIS, Google for information on setting up a 301 redirect.
> 
> Because this redirection is done at the web server level (as 
> opposed to sending something to the client machine like a 
> CFLOCATION would do) I'm 95% sure that this will give you a 
> redirect without an error message. 
> The CFLOCATION (or javascript, or whatever) requires the web 
> server to send a response back to the client. This will 
> result in the SSL error which you're trying to avoid.

I don't think that would work, either. The client will check the server's
certificate for validity before any response is sent to the client; in fact,
before the HTTP request is actually made by the client. Only after the SSL
handshake is successful, does any actual request data get sent to the
server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net


~|
Macromedia ColdFusion MX7
Upgrade to MX7 & experience time-saving features, more productivity.
http://www.adobe.com/products/coldfusion?sdid=RVJW

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275648
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[Victor Moore]

Hi Stephens,

I'm afraid this won't work either. Your SSL certificate is for
basketbasics.com domain.
if you type https://www.basketbasics.com you will get a browser notification
message and thinking about the purpose of a SSL certificate it makes sense.

Thanks

Victor

On 4/17/07, Stephens, Larry V <[EMAIL PROTECTED]> wrote:
>
> I have a certificate on my basketbasics.com account (in that name). I
> use a javascript redirect in the root that redirects either
> basketbasics.com or www.basketbasics.com and it works okay for me. (See
> below) I don't know if how the certificate is installed is a function of
> this or not.
>
> 

RE: SSL Domain redirect without error message

[Stephens, Larry V]

I have a certificate on my basketbasics.com account (in that name). I
use a javascript redirect in the root that redirects either
basketbasics.com or www.basketbasics.com and it works okay for me. (See
below) I don't know if how the certificate is installed is a function of
this or not.

Re: SSL Domain redirect without error message

[Jordan Michaels]

You would need to do this at the web server level. Are you running 
Apache or IIS? If you're running Apache, I could give you some code that 
would do this for you. ;) If you're running IIS, Google for information 
on setting up a 301 redirect.

Because this redirection is done at the web server level (as opposed to 
sending something to the client machine like a CFLOCATION would do) I'm 
95% sure that this will give you a redirect without an error message. 
The CFLOCATION (or javascript, or whatever) requires the web server to 
send a response back to the client. This will result in the SSL error 
which you're trying to avoid.

Hope this helps!

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
BlueDragon Alliance Member
[EMAIL PROTECTED]


Victor Moore wrote:
> Hi,
> 
> I have the following scenario:
> site: https://www.xyzdomain.com has a valid SSL certificate
> if users type https://xyzdomain.com they get invalid
> cert error.
> 
> What is the best way to do a redirect (from https://xyzdomain.com  to
> https://www.xyzdomain.com  )  without getting an
> error.
> One possible solution (I think) is to have  a redirect file (basically a js
> script) and then pointing the  403.4 message to this file (not tested yet).
> Are there any other solutions?
> 
> Thanks
> Victor
> 
> 
> 

~|
Upgrade to Adobe ColdFusion MX7
Experience Flex 2 & MX7 integration & create powerful cross-platform RIAs
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJQ 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275600
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[George Abraham]

You know, the best thing to do might be to give them a "domain not found"
error when they enter in xyzdomain.com. That way, they do recheck the
address.

George

On 4/17/07, George Abraham <[EMAIL PROTECTED]> wrote:
>
> Hmm, that is true, the middle site would also have to have the SSL cert
> cover it.
>
> George
>
> On 4/17/07, Victor Moore < [EMAIL PROTECTED]> wrote:
> >
> > Hi George,
> >
> > Thank you for your response. Unfortunately it won't work (as far as I
> > can
> > tell).
> > I am ding a redirection now, but the message pops up before the
> > redirection
> > occurs.
> > Either I'm doing something wrong or the only way to do it is to get a
> > wild
> > card ssl certificate that covers both domains : www.xyzdomain.com and
> > xyzdomain.com 
> >
> > Thanks
> > Victor
> >
> > On 4/17/07, George Abraham < [EMAIL PROTECTED]> wrote:
> > >
> > > Victor,
> > > If you do have access to the web server's configuration, why not
> > define a
> > > site called https://xyzdomain.com and then have a single page in the
> > home
> > > directory there that redirects to the correct site:
> > > https://www.xyzdomain.com ? I usually have a single such directory
> > that I
> > > have all such sites point to and there I have a index.cfm page that
> > > essentially has this code:
> > >
> > > 
> > >  > > url="https://www.#CGI.HTTP_HOST#')"
> > addtoken="No">
> > > 
> > >
> > > or some similar type of code. Other people may have better solutions
> > > though.
> > >
> > > HTH
> > > George
> > >
> > >
> >
> >
> > 

~|
ColdFusion MX7 by Adobe®
Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. 
Free Trial. http://www.adobe.com/products/coldfusion?sdid=RVJV

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275596
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[George Abraham]

Hmm, that is true, the middle site would also have to have the SSL cert
cover it.

George

On 4/17/07, Victor Moore <[EMAIL PROTECTED]> wrote:
>
> Hi George,
>
> Thank you for your response. Unfortunately it won't work (as far as I can
> tell).
> I am ding a redirection now, but the message pops up before the
> redirection
> occurs.
> Either I'm doing something wrong or the only way to do it is to get a wild
> card ssl certificate that covers both domains : www.xyzdomain.com and
> xyzdomain.com 
>
> Thanks
> Victor
>
> On 4/17/07, George Abraham <[EMAIL PROTECTED]> wrote:
> >
> > Victor,
> > If you do have access to the web server's configuration, why not define
> a
> > site called https://xyzdomain.com and then have a single page in the
> home
> > directory there that redirects to the correct site:
> > https://www.xyzdomain.com? I usually have a single such directory that I
> > have all such sites point to and there I have a index.cfm page that
> > essentially has this code:
> >
> > 
> > https://www.#CGI.HTTP_HOST#')" addtoken="No">
> > 
> >
> > or some similar type of code. Other people may have better solutions
> > though.
> >
> > HTH
> > George
> >
> >
>
>
> 

~|
Create robust enterprise, web RIAs.
Upgrade & integrate Adobe Coldfusion MX7 with Flex 2
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275595
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[Victor Moore]

Hi George,

Thank you for your response. Unfortunately it won't work (as far as I can
tell).
I am ding a redirection now, but the message pops up before the redirection
occurs.
Either I'm doing something wrong or the only way to do it is to get a wild
card ssl certificate that covers both domains : www.xyzdomain.com and
xyzdomain.com 

Thanks
Victor

On 4/17/07, George Abraham <[EMAIL PROTECTED]> wrote:
>
> Victor,
> If you do have access to the web server's configuration, why not define a
> site called https://xyzdomain.com and then have a single page in the home
> directory there that redirects to the correct site:
> https://www.xyzdomain.com? I usually have a single such directory that I
> have all such sites point to and there I have a index.cfm page that
> essentially has this code:
>
> 
> https://www.#CGI.HTTP_HOST#')" addtoken="No">
> 
>
> or some similar type of code. Other people may have better solutions
> though.
>
> HTH
> George
>
>


~|
Upgrade to Adobe ColdFusion MX7
Experience Flex 2 & MX7 integration & create powerful cross-platform RIAs
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJQ 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275589
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL Domain redirect without error message

[George Abraham]

Victor,
If you do have access to the web server's configuration, why not define a
site called https://xyzdomain.com and then have a single page in the home
directory there that redirects to the correct site:
https://www.xyzdomain.com? I usually have a single such directory that I
have all such sites point to and there I have a index.cfm page that
essentially has this code:


https://www.#CGI.HTTP_HOST#')" addtoken="No">


or some similar type of code. Other people may have better solutions though.

HTH
George



On 4/17/07, Victor Moore <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I have the following scenario:
> site: https://www.xyzdomain.com has a valid SSL certificate
> if users type https://xyzdomain.com they get invalid
> cert error.
>
> What is the best way to do a redirect (from https://xyzdomain.com  to
> https://www.xyzdomain.com  )  without getting an
> error.
> One possible solution (I think) is to have  a redirect file (basically a
> js
> script) and then pointing the  403.4 message to this file (not tested
> yet).
> Are there any other solutions?
>
> Thanks
> Victor
>


~|
Macromedia ColdFusion MX7
Upgrade to MX7 & experience time-saving features, more productivity.
http://www.adobe.com/products/coldfusion?sdid=RVJW

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275586
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: SSL and Flash

[Robertson-Ravo, Neil (RX)]

As Kevin noted, you are probably not referencing it as https in your code.






"This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant,
Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business,
Registered in England, Number 678540.  It contains information which is
confidential and may also be privileged.  It is for the exclusive use of the
intended recipient(s).  If you are not the intended recipient(s) please note
that any form of distribution, copying or use of this communication or the
information in it is strictly prohibited and may be unlawful.  If you have
received this communication in error please return it to the sender or call
our switchboard on +44 (0) 20 89107910.  The opinions expressed within this
communication are not necessarily those expressed by Reed Exhibitions." 
Visit our website at http://www.reedexpo.com

-Original Message-
From: Matthew Irwin
To: CF-Talk
Sent: Fri Dec 01 20:45:24 2006
Subject: Re: SSL and Flash

I understand that an that port is open. But would you know as to why my
Flash
Forms will not appear unless I put it under a vitual directery that is not
SSL.
Is there a setting in Cold Fusion I am missing?
Thanks

>Well 443 is the SSL port.
>
>
>
>
>
>"This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant,
>Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business,
>Registered in England, Number 678540.  It contains information which is
>confidential and may also be privileged.  It is for the exclusive use of
the
>intended recipient(s).  If you are not the intended recipient(s) please
note
>that any form of distribution, copying or use of this communication or the
>information in it is strictly prohibited and may be unlawful.  If you have
>received this communication in error please return it to the sender or call
>our switchboard on +44 (0) 20 89107910.  The opinions expressed within this
>communication are not necessarily those expressed by Reed Exhibitions." 
>Visit our website at http://www.reedexpo.com
>
>-Original Message-
>From: Matthew Irwin
>To: CF-Talk
>Sent: Fri Dec 01 19:06:24 2006
>Subject: SSL and Flash
>
>I' am trying to use flash 8 and every time when try to pull up the flash
>form ina secured sockets it will not come up but if i do it ouside of a ssl
>then it will. is there a prot that i need to allow?



~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262542
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: SSL and Flash

[Kevin Aebig]

If you mean you're displaying a page within SSl and it isn't showing, that's
mainly because the code to embed it is referencing non-https urls. Check the
embed/object tag to see if the codebase url and the others also point to
their SSL mirrors.

Cheers,

!k 

-Original Message-
From: Matthew Irwin [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 01, 2006 1:06 PM
To: CF-Talk
Subject: SSL and Flash

I' am trying to use flash 8 and every time when try to pull up the flash
form ina secured sockets it will not come up but if i do it ouside of a ssl
then it will. is there a prot that i need to allow?



~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262530
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: SSL and Flash

[Matthew Irwin]

I understand that an that port is open. But would you know as to why my Flash
Forms will not appear unless I put it under a vitual directery that is not SSL.
Is there a setting in Cold Fusion I am missing?
Thanks

>Well 443 is the SSL port.
>
>
>
>
>
>"This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant,
>Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business,
>Registered in England, Number 678540.  It contains information which is
>confidential and may also be privileged.  It is for the exclusive use of the
>intended recipient(s).  If you are not the intended recipient(s) please note
>that any form of distribution, copying or use of this communication or the
>information in it is strictly prohibited and may be unlawful.  If you have
>received this communication in error please return it to the sender or call
>our switchboard on +44 (0) 20 89107910.  The opinions expressed within this
>communication are not necessarily those expressed by Reed Exhibitions." 
>Visit our website at http://www.reedexpo.com
>
>-Original Message-
>From: Matthew Irwin
>To: CF-Talk
>Sent: Fri Dec 01 19:06:24 2006
>Subject: SSL and Flash
>
>I' am trying to use flash 8 and every time when try to pull up the flash
>form ina secured sockets it will not come up but if i do it ouside of a ssl
>then it will. is there a prot that i need to allow?

~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262529
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4