Re: OT: SSL Necessary? Important?

2008-01-28 Thread Tom Chiverton
On Thursday 24 Jan 2008, Rick Faircloth wrote:
> I think the important thing here is to do anything and everything
> the client wants as long as they're willing to pay for it, 

Hell yes :-)

-- 
Tom Chiverton
Helping to dynamically strategize plug-and-play e-business
on: http://thefalken.livejournal.com




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297558
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: OT: SSL Necessary? Important?

2008-01-25 Thread Gerald Guido
A quote from "O Brother, Where Art Thou?"

"This stew's awful good."
Wash responds, "You think so? I slaughtered this horse last Tuesday. I'm
afraid she's startin' to turn."

Just sayin'... ;)


On Jan 25, 2008 5:33 PM, James Holmes <[EMAIL PROTECTED]> wrote:

> Yes, wildcard certs work fine under Apache too.
>
> On Jan 26, 2008 2:20 AM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > > I'd like to see some proof of this.  Is this only with
> > > wildcard certs (in which case it would only work for
> > > *.domainname.com), or is it for any kind of cert (such that
> > > you can have www.example.com and www.example2.com) on the
> > > same IP with no SSL problems?
> >
> > Wildcard certs only. I neglected to mention that in my initial response, but
> > added it in a followup.
>
> --
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
> 



RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Oh, come on James!  What's a little cannibalism between friends! :o)


> -Original Message-
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 6:44 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Depending on local laws, there are some things to which you simply
> can't agree. For example, I can't agree that you can kill me and cook
> me for dinner tonight - in most locations you are still going to be
> charged with murder, no matter what agreements we had in place.
> 
> On Jan 26, 2008 5:40 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > I agree to a point, Claude... you're right that anything can
> > be overturned, but having a prior agreement is always good to have
> > on your side in court.
> >






Re: SSL Necessary? Important?

2008-01-25 Thread James Holmes
Depending on local laws, there are some things to which you simply
can't agree. For example, I can't agree that you can kill me and cook
me for dinner tonight - in most locations you are still going to be
charged with murder, no matter what agreements we had in place.

On Jan 26, 2008 5:40 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> I agree to a point, Claude... you're right that anything can
> be overturned, but having a prior agreement is always good to have
> on your side in court.
>
> There would have to be gross negligence on a company's part to
> have the prior legal agreement ignored.
>
> I think everyone in our discussion is right, to a point.
>
> And, btw, I have no connection to Zillow.com.  I just happened to
> be on that site when the question about liability came up.
>
> I will say that if I ever do get sued because passwords and usernames
> were stolen from my company and I lost a case because someone's bank
> account was drained because it used the same password and username,
> I would absolutely start forcing my passwords on everyone.
>
> To this point, I've had no problem.  And we all try to balance
> user-friendliness and security.  But someone is always being bitten.
> Everyone is just playing a game of Russian Roulette and hoping we're
> not the one facing a round in the chamber.
>
> Rick
>
> > -Original Message-
> > From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 25, 2008 1:36 PM
> > To: CF-Talk
> > Subject: Re: SSL Necessary? Important?
> >
> >  >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
> > ANY DAMAGES
> >
> > I'm sorry, but just from the very beginning, this statement has
> > absolutely no value.
> > I hope you didn't pay a lawyer to write it.
> >
> > Nobody can state, in advance or not, that "he is not liable or responsible".
> > ONLY a judge in court can make this decision, only based on facts.
> > If you have been careless in an issue, EVEN if you warned the plaintiff that
> > you are not liable, the judge can decide that you are responsible.
> >
> > The only utility of such notice is maybe 1. to make unaware customers
> > believe they can't go to court,
> > 2. to make them do their part about security.
> >
>
>
>
>
> 



RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
My only point about Zillow.com's terms is that they hold them unaccountable for any
problems you experience from using their site.  They state:

>(A) BREACH OF CONTRACT, (B) BREACH OF WARRANTY, (C) NEGLIGENCE, OR
>(D) ANY OTHER CAUSE OF ACTION

Sounds to me like, whether it's because of a weak password or whatever,
they can't be held liable.  And in the final clause, they simply state
that if you don't like those terms, don't use the service.

Those terms sound fine to me.  Even if I have no security for people's
passwords, personal info, etc., sounds to me like the terms above protect
me under any circumstance, including (C), negligence.


Now concerning Sharebuilder.com's position:

First, your link was a PR department's "friendly-face", "warm-and-fuzzy"
explanation of how they'll take care of you and provide you with security.

However, the legal department's position, and the only one that counts, is:

http://www.sharebuilder.com/sharebuilder/Legal/Default.aspx, particularly
in our discussion, point 27:

27) Security and Confidentiality
You agree that you will be fully responsible for the confidentiality of your
user name and password. You further agree that you will be fully and solely
responsible for all activities, including brokerage transactions, that arise
from the use of your user name and password. You will immediately notify us
in writing or by e-mail of any loss, theft or unauthorized use of your user
name, password and/or account number(s).

So, their "bottom line" is that you're responsible for "all activities",
brokerage or otherwise, "that arise from the use of your user name and password."

So, again, they positioned themselves so that only the client is at risk
if somebody finds out about their user name and password and abuses it.


At least that's my take...

Rick



> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 12:52 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> I'm not sure how Zillow.com's terms support your "My strong password or
> else" argument (which is what I thought this was) as all you did was show me
> their terms of use.
> 
> Now try to find one here -
> http://www.sharebuilder.com/sharebuilder/Security/Default.aspx
> 
> I can choose any password I want there.  I'm sure that Sharebuilder probably
> has real time monitoring going on and Zillow doesn't.  Is that what the
> difference between the terms is?  Real time "we got your back security"
> versus some real estate website listing properties?  *shrugs* No idea.
> 
> On Jan 25, 2008 12:02 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
> > website.
> >
> > 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM
> > OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION
> > ANY INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES
> > ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS OF USE OR YOUR
> > USE OF THE SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
> > POSSIBILITY OF SUCH DAMAGES. THE EXCLUSION OF DAMAGES UNDER THIS
> > PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND SURVIVES IN THE
> > EVENT SUCH REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
> > UNENFORCEABLE. THESE LIMITATIONS AND EXCLUSIONS APPLY WITHOUT REGARD TO
> > WHETHER THE DAMAGES ARISE FROM (A) BREACH OF CONTRACT, (B) BREACH OF
> > WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
> > EXTENT SUCH EXCLUSION AND LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE
> > LAW. IF YOU DO NOT AGREE WITH ANY PART OF THESE TERMS OF USE, OR YOU
> > HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS SUPPLIERS WITH
> > RESPECT TO THESE TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND
> > EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE SERVICES.
> >
> > Now that's pretty iron-clad legally, I think, that no matter what you do,
> > password or otherwise, they're not going to pay for it. Quite
> > "bottom-line", "my way or the highway", especially that last clause...






Re: OT: SSL Necessary? Important?

2008-01-25 Thread James Holmes
Yes, wildcard certs work fine under Apache too.

On Jan 26, 2008 2:20 AM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > I'd like to see some proof of this.  Is this only with
> > wildcard certs (in which case it would only work for
> > *.domainname.com), or is it for any kind of cert (such that
> > you can have www.example.com and www.example2.com) on the
> > same IP with no SSL problems?
>
> Wildcard certs only. I neglected to mention that in my initial response, but
> added it in a followup.

-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
I agree to a point, Claude... you're right that anything can
be overturned, but having a prior agreement is always good to have
on your side in court.

There would have to be gross negligence on a company's part to
have the prior legal agreement ignored.

I think everyone in our discussion is right, to a point.

And, btw, I have no connection to Zillow.com.  I just happened to
be on that site when the question about liability came up.

I will say that if I ever do get sued because passwords and usernames
were stolen from my company and I lost a case because someone's bank
account was drained because it used the same password and username,
I would absolutely start forcing my passwords on everyone.

To this point, I've had no problem.  And we all try to balance
user-friendliness and security.  But someone is always being bitten.
Everyone is just playing a game of Russian Roulette and hoping we're
not the one facing a round in the chamber.

Rick

> -Original Message-
> From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 1:36 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
>  >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
> ANY DAMAGES
> 
> I'm sorry, but just from the very beginning, this statement has
> absolutely no value.
> I hope you didn't pay a lawyer to write it.
> 
> Nobody can state, in advance or not, that "he is not liable or responsible".
> ONLY a judge in court can make this decision, only based on facts.
> If you have been careless in an issue, EVEN if you warned the plaintiff that
> you are not liable, the judge can decide that you are responsible.
> 
> The only utility of such notice is maybe 1. to make unaware customers
> believe they can't go to court,
> 2. to make them do their part about security.
> 






RE: SSL Necessary? Important?

2008-01-25 Thread Dave Watts
> Here's some of the "Terms" for use of Zillow.com... a Real 
> Estate listing website.
> 
> 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL 
> ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES ...
> 
> Now that's pretty iron-clad legally, I think, that no matter 
> what you do, password or otherwise, they're not going to pay 
> for it. Quite "bottom-line", "my way or the highway", 
> especially that last clause...

They can write whatever they want. That doesn't make it legally binding. If
I recall correctly, you generally cannot limit liability in cases of
negligence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!



Re: SSL Necessary? Important?

2008-01-25 Thread Claude Schneegans
 >>IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
ANY DAMAGES

I'm sorry, but just from the very beginning, this statement has
absolutely no value.
I hope you didn't pay a lawyer to write it.

Nobody can state, in advance or not, that "he is not liable or responsible".
ONLY a judge in court can make this decision, only based on facts.
If you have been careless in an issue, EVEN if you warned the plaintiff that
you are not liable, the judge can decide that you are responsible.

The only utility of such notice is maybe 1. to make unaware customers
believe they can't go to court,
2. to make them do their part about security.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.




Re: SSL Necessary? Important?

2008-01-25 Thread Todd
I'm not sure how Zillow.com's terms support your "My strong password or
else" argument (which is what I thought this was) as all you did was show me
their terms of use.

Now try to find one here -
http://www.sharebuilder.com/sharebuilder/Security/Default.aspx

I can choose any password I want there.  I'm sure that Sharebuilder probably
has real time monitoring going on and Zillow doesn't.  Is that what the
difference between the terms is?  Real time "we got your back security"
versus some real estate website listing properties?  *shrugs* No idea.

On Jan 25, 2008 12:02 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
> website.
>
> 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM
> OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION
> ANY INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES
> ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS OF USE OR YOUR
> USE OF THE SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. THE EXCLUSION OF DAMAGES UNDER THIS
> PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND SURVIVES IN THE
> EVENT SUCH REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
> UNENFORCEABLE. THESE LIMITATIONS AND EXCLUSIONS APPLY WITHOUT REGARD TO
> WHETHER THE DAMAGES ARISE FROM (A) BREACH OF CONTRACT, (B) BREACH OF
> WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
> EXTENT SUCH EXCLUSION AND LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE
> LAW. IF YOU DO NOT AGREE WITH ANY PART OF THESE TERMS OF USE, OR YOU
> HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS SUPPLIERS WITH
> RESPECT TO THESE TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND
> EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE SERVICES.
>
> Now that's pretty iron-clad legally, I think, that no matter what you do,
> password or otherwise, they're not going to pay for it. Quite
> "bottom-line", "my way or the highway", especially that last clause...
>




RE: SSL Necessary? Important?

2008-01-25 Thread Dave Watts
> Anyway, the problem with strong passwords is they're not 
> easily, if at all, memorable.

That doesn't have to be true:
http://en.wikipedia.org/wiki/Passphrase

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Re: SSL Necessary? Important?

2008-01-25 Thread Todd
I can assure you that I'm not your wife and there are some areas where I'm
very cut to the chase and other areas where I have learned to be more
flexible I guess. :)

On Jan 25, 2008 11:40 AM, Rick Faircloth wrote:

> You sound like my wife who's always telling me to be more civil and stop
> that "my way or the highway" kind of talk when I discuss issues.  It's not
> that it's my way or the highway, I just tend to "cut to the chase" in getting
> to the bottom line and not phrasing my position very "diplomatically."
>




RE: OT: SSL Necessary? Important?

2008-01-25 Thread Dave Watts
> I'd like to see some proof of this.  Is this only with 
> wildcard certs (in which case it would only work for 
> *.domainname.com), or is it for any kind of cert (such that 
> you can have www.example.com and www.example2.com) on the 
> same IP with no SSL problems? 

Wildcard certs only. I neglected to mention that in my initial response, but
added it in a followup.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Here's some of the "Terms" for use of Zillow.com... a Real Estate listing
website.

9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM
OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION
ANY INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES
ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS OF USE OR YOUR
USE OF THE SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THE EXCLUSION OF DAMAGES UNDER THIS
PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND SURVIVES IN THE
EVENT SUCH REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
UNENFORCEABLE. THESE LIMITATIONS AND EXCLUSIONS APPLY WITHOUT REGARD TO
WHETHER THE DAMAGES ARISE FROM (A) BREACH OF CONTRACT, (B) BREACH OF
WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
EXTENT SUCH EXCLUSION AND LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE
LAW. IF YOU DO NOT AGREE WITH ANY PART OF THESE TERMS OF USE, OR YOU
HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS SUPPLIERS WITH
RESPECT TO THESE TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND
EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE SERVICES.

Now that's pretty iron-clad legally, I think, that no matter what you do,
password or otherwise, they're not going to pay for it. Quite
"bottom-line", "my way or the highway", especially that last clause...



> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 11:04 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick,
> 
> I get it.  I do.  What I'm suggesting is instead of cramming a password
> down the throat, to use a clearly written English description of what a STRONG
> password would be and to use validation to determine what's a strong / weak
> password.  There's plenty of javascript / serverside validation methods for
> doing this, it doesn't take that long to write a custom one.  I wrote a
> custom one that I thought was pretty good until I came across a password
> issue that I had to debug and during that time, I realized that the client
> was using their email address as a password so I beefed up my validation
> even more and wrote another bullet of you can't use (first name, last name,
> email address, phone number, etc).
> 
> People do the damnedest things and they don't think about their own security
> sometimes, but I would still rather write the rules up and enforce those
> rules than say "my way or the highway."  When I come across issues like
> that, I have 2 simple little actions in my admin 1.) Force new password
> upon next login or 2.) Send new random strong password now and make them
> change it upon next login.
> 
> I want them to be educated and use a strong password that they're going to
> remember and they're not going to write it down on a slip of paper because I
> won't let them change it otherwise.  Anyway, we'll just agree to disagree.
> It's ok.  Two very valid opinions.
> 
> ~Todd
> 
> On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > I don't see anywhere in those terms that a lawyer could *without a doubt*
> > use to hold Google harmless if Google's servers were hacked (their fault)
> > and a client's login info stolen and used to access a bank account.
> >
> > I think a jury would see Google as liable for their failed security.
> > But I'm no lawyer...
> >
> > I do however, begin to get concerned when clients want their personal data
> > "secured" that a weak password could come back to bite them and me as well.
> > The weak password, it would seem to me, would have to be the result of a
> > user's sole choice, bypassing all guidance and cautions that I provide,
> > including a strong password option.
> >
> > It is an interesting discussion.  As my clients become more widespread and
> > less "personal", the chance of lawsuits increases.
> >
> > Just want to protect my "assets"...
> >
> > Rick
> >
> 
> 
> 
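
The validation described in the quoted message above (plainly worded rules, plus a ban on first name, last name, email address and phone number), sketched as an added example; it is not the poster's validator. The `user` field names, the 12-character minimum and the four-word passphrase allowance are assumptions, and the sample user in the comment is constructed.

```javascript
// Added example. Policy values below are assumptions, not taken from the thread.
const MIN_LENGTH = 12; // assumed minimum length
const MIN_TOKEN = 3;   // ignore very short personal values such as a two-letter name

// Lower-case and keep only letters and digits, so "J.Smith" and "jsmith" compare equal.
function normalize(value) {
  return String(value || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Collect the personal values a password must not contain.
// `user` is a hypothetical record: { firstName, lastName, email, phone }.
function personalTokens(user) {
  const tokens = [];
  const add = (label, value) => {
    const n = normalize(value);
    if (n.length >= MIN_TOKEN) tokens.push({ label, value: n });
  };
  add("first name", user.firstName);
  add("last name", user.lastName);
  add("email address", user.email);
  add("email name", String(user.email || "").split("@")[0]);
  add("phone number", user.phone);
  return tokens;
}

// Returns { ok, problems }, where each problem is a sentence that can be shown to the user.
function checkPassword(password, user) {
  const pw = String(password || "");
  const problems = [];

  if (pw.length < MIN_LENGTH) {
    problems.push(`Use at least ${MIN_LENGTH} characters; a phrase of several words is fine.`);
  }

  // Either three of the four character classes, or a passphrase of four or more words.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  const words = pw.trim().split(/\s+/).filter((w) => w.length > 0).length;
  if (classes < 3 && words < 4) {
    problems.push("Mix upper case, lower case, digits and symbols, or use four or more words.");
  }

  // Reject the user's own details, however they are punctuated or capitalised.
  const npw = normalize(pw);
  for (const token of personalTokens(user)) {
    if (npw.includes(token.value)) {
      problems.push(`Do not include your ${token.label}.`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample user for trying the function out:
// checkPassword("Tr1cky-555-0100!", { firstName: "Pat", lastName: "Example",
//   email: "pat.example@example.test", phone: "555-0100" })
```

The same function can run in the browser for immediate feedback and again on the server, which is the check that counts.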



RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
You sound like my wife who's always telling me to be more civil and stop
that "my way or the highway" kind of talk when I discuss issues.  It's not
that it's my way or the highway, I just tend to "cut to the chase" in getting
to the bottom line and not phrasing my position very "diplomatically."

Besides, I've only had half a cup of coffee this morning at this point.  :o| (Aaarf!)

Anyway, the problem with strong passwords is they're not easily, if at all,
memorable.  I'd rather a user have strong passwords, different ones for every
instance where they need one, and write them down (preferably not on a
post-it-note on the screen ;o) where they can access them, than to try to
remember all the passwords they use, which can literally be hundreds, these days.

The biggest danger is not when someone robs their home (don't put the bank
account passwords on paper), but hackers gaining access via email snooping,
intercepting data flow, or breaking into companies that maintain confidential data.

At least if someone breaks into my home, I know that my passwords are compromised.
If they just get the info from an online account, I wouldn't have a clue for awhile.

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 11:04 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick,
> 
> I get it.  I do.  What I'm suggesting is instead of cramming a password
> down the throat, to use a clearly written English description of what a STRONG
> password would be and to use validation to determine what's a strong / weak
> password.  There's plenty of javascript / serverside validation methods for
> doing this, it doesn't take that long to write a custom one.  I wrote a
> custom one that I thought was pretty good until I came across a password
> issue that I had to debug and during that time, I realized that the client
> was using their email address as a password so I beefed up my validation
> even more and wrote another bullet of you can't use (first name, last name,
> email address, phone number, etc).
> 
> People do the damnedest things and they don't think about their own security
> sometimes, but I would still rather write the rules up and enforce those
> rules than say "my way or the highway."  When I come across issues like
> that, I have 2 simple little actions in my admin 1.) Force new password
> upon next login or 2.) Send new random strong password now and make them
> change it upon next login.
> 
> I want them to be educated and use a strong password that they're going to
> remember and they're not going to write it down on a slip of paper because I
> won't let them change it otherwise.  Anyway, we'll just agree to disagree.
> It's ok.  Two very valid opinions.
> 
> ~Todd
> 
> On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > I don't see anywhere in those terms that a lawyer could *without a doubt*
> > use to hold Google harmless if Google's servers were hacked (their fault)
> > and a client's login info stolen and used to access a bank account.
> >
> > I think a jury would see Google as liable for their failed security.
> > But I'm no lawyer...
> >
> > I do however, begin to get concerned when clients want their personal data
> > "secured" that a weak password could come back to bite them and me as well.
> > The weak password, it would seem to me, would have to be the result of a
> > user's sole choice, bypassing all guidance and cautions that I provide,
> > including a strong password option.
> >
> > It is an interesting discussion.  As my clients become more widespread and
> > less "personal", the chance of lawsuits increases.
> >
> > Just want to protect my "assets"...
> >
> > Rick
> >
> 
> 
> 



RE: OT: SSL Necessary? Important?

2008-01-25 Thread Russ
I'd like to see some proof of this.  Is this only with wildcard certs (in
which case it would only work for *.domainname.com), or is it for any kind
of cert (such that you can have www.example.com and www.example2.com) on the
same IP with no SSL problems? 

Russ



> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 7:09 PM
> To: CF-Talk
> Subject: RE: OT: SSL Necessary? Important?
> 
> > typically no, because "virtual hosting" relies on host
> > headers.  The web server doesn't receive the headers until
> > after the connection is established.
> 
> This appears to no longer be the case with IIS 6, at least. To be honest,
> I'm not exactly sure how this works with IIS 6, but it appears that you
> can
> have multiple virtual servers sharing the same IP address for SSL/TLS.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297431


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Rick,

I get it.  I do.  What I'm suggesting is instead of cramming a password
down the throat to use clearly written English description of what a STRONG
password would be and to use validation to determine what's a strong / weak
password.  There's plenty of JavaScript / serverside validation methods for
doing this, it doesn't take that long to write a custom one.  I wrote a
custom one that I thought was pretty good until I came across a password
issue that I had to debug and during that time, I realized that the client
was using their email address as a password so I beefed up my validation
even more and wrote another bullet of you can't use (first name, last name,
email address, phone number, etc).

People do the damnedest things and they don't think about their own security
sometimes, but I would still rather write the rules up and enforce those
rules than say "my way or the highway."  When I come across issues like
that, I have 2 simple little actions in my admin 1.) Force new password
upon next login or 2.) Send new random strong password now and make them
change it upon next login.

I want them to be educated and use a strong password that they're going to
remember and they're not going to write it down on a slip of paper because I
won't let them change it otherwise.  Anyway, we'll just agree to disagree.
It's ok.  Two very valid opinions.

~Todd

On Jan 25, 2008 10:43 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> I don't see anywhere in those terms that a lawyer could *without a doubt*
> use to hold Google harmless if Google's servers were hacked (their fault)
> and a client's login info stolen and used to access a bank account.
>
> I think a jury would see Google as liable for their failed security.
> But I'm no lawyer...
>
> I do however, begin to get concerned when clients want their personal data
> "secured" that a weak password could come back to bite them and me as
> well.
> The weak password, it would seem to me, would have to be the result of a
> user's sole choice, bypassing all guidance and cautions that I provide,
> including
> a strong password option.
>
> It is an interesting discussion.  As my clients become more widespread and
> less
> "personal", the chance of lawsuits increases.
>
> Just want to protect my "assets"...
>
> Rick
>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297427
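
Added example, not code from the thread: one way to write the kind of validator Todd describes above, with plain-English rule messages, a ban on the user's own name, email address and phone number, and no restriction on which symbols may be used. The function names, the sample account and the minimum length of 10 are assumptions.

```javascript
// Added example: password policy check with plain-English feedback.
// Every name here (checkPassword, SAMPLE_PROFILE, MIN_LENGTH) is hypothetical.

const MIN_LENGTH = 10; // assumed value; the thread does not name a minimum

// Constructed sample account (reserved example.org domain, 555-01xx number).
const SAMPLE_PROFILE = {
  firstName: "Pat",
  lastName: "Quinn",
  email: "pat.quinn@example.org",
  phone: "(555) 010-1234",
};

// Lower-case the value and drop everything except letters and digits, so
// "Q-u-i-n-n" still matches "quinn" and a phone number compares as digits.
function normalize(value) {
  return String(value || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Build the list of personal values that must not appear in the password.
// Very short values (a two-letter first name, say) are skipped, otherwise
// almost every password would be rejected by accident.
function personalTokens(profile) {
  const tokens = [];
  const add = (label, raw, minLen = 3) => {
    const token = normalize(raw);
    if (token.length >= minLen) tokens.push({ label, token });
  };
  add("first name", profile.firstName);
  add("last name", profile.lastName);
  add("email address", profile.email);
  add("email address", String(profile.email || "").split("@")[0]);
  const digits = normalize(profile.phone);
  add("phone number", digits, 7);
  add("phone number", digits.slice(-7), 7); // number without the area code
  return tokens;
}

// Returns { ok, problems }, where each problem is a sentence that can be
// shown to the user as-is. No character is ever forbidden and case is never
// folded before storage, so the rules cannot force a weaker password.
function checkPassword(password, profile) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`Use at least ${MIN_LENGTH} characters.`);
  }
  if (!/[a-z]/.test(password) || !/[A-Z]/.test(password)) {
    problems.push("Mix upper-case and lower-case letters.");
  }
  if (!/[^A-Za-z]/.test(password)) {
    problems.push("Add at least one digit or symbol (any symbol is allowed).");
  }
  const flat = normalize(password);
  const hits = personalTokens(profile)
    .filter(({ token }) => flat.includes(token))
    .map(({ label }) => label);
  const unique = [...new Set(hits)];
  if (unique.length > 0) {
    problems.push(`Do not use your ${unique.join(", ")}.`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed candidates, run against the sample account.
for (const candidate of [
  "pat.quinn@example.org",   // the email address used as the password
  "Quinn-555-010-1234",      // last name plus phone number
  "Correct-Horse-7-Battery", // passes every rule
]) {
  const { ok, problems } = checkPassword(candidate, SAMPLE_PROFILE);
  console.log(ok ? "accepted" : "rejected", JSON.stringify(candidate), problems.join(" "));
}
```

The same function can run in the browser for immediate feedback, but the server has to repeat the check, since anything enforced only in the browser can be bypassed.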


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
I don't see anywhere in those terms that a lawyer could *without a doubt*
use to hold Google harmless if Google's servers were hacked (their fault)
and a client's login info stolen and used to access a bank account.

I think a jury would see Google as liable for their failed security.
But I'm no lawyer...

I do however, begin to get concerned when clients want their personal data
"secured" that a weak password could come back to bite them and me as well.
The weak password, it would seem to me, would have to be the result of a
user's sole choice, bypassing all guidance and cautions that I provide, 
including
a strong password option.

It is an interesting discussion.  As my clients become more widespread and less
"personal", the chance of lawsuits increases.

Just want to protect my "assets"...

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 9:35 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Would you consider gmail to be pretty important if you used it daily like I
> do?  Let's take a look at what Google says in their EULA:
> 
> =
> 6. Your passwords and account security
> 
> 6.1 You agree and understand that you are responsible for maintaining the
> confidentiality of passwords associated with any account you use to access
> the Services.
> 
> 6.2 Accordingly, you agree that you will be solely responsible to Google for
> all activities that occur under your account.
> 
> 6.3 If you become aware of any unauthorized use of your password or of your
> account, you agree to notify Google immediately at [snipped URL].
> =
> 
> I don't remember that gmail had very strict password rules.  Yet their
> legalese basically negates the need since they pretty much label you
> responsible for everything that happens under your account.  If my bank gets
> hacked because I use my same username / password as my gmail and it was
> obtained via gmail somehow, does that legalese mean Google is in the clear?
> 
> ~Todd
> 
> On Jan 25, 2008 9:17 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > Well, I was just kinda "giving the bottom line".  Of course, in the real
> > world, a much "kinder, gentler" way of saying it would be appropriate.
> >
> > I can also compromise by letting you choose your password, but stipulate
> > that it require one or more of certain characters, a mix of caps and lower
> > case, etc.,
> > or I can allow you to choose your own password without any stipulations,
> > but you have to sign a waiver holding me harmless.
> >
> > I don't see that as unreasonable.  You get to decide how to handle your
> > password, if you like, but you just can't blame me in the case of a poor
> > choice which leads to your ruin.  I'm not going down with you...
> >
> > I think that's fair.
> >
> > I'll bet most EUA's have something like that buried in their "legalese".
> >
> > Thoughts?
> >
> > Rick
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297424


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Would you consider gmail to be pretty important if you used it daily like I
do?  Let's take a look at what Google says in their EULA:

=
6. Your passwords and account security

6.1 You agree and understand that you are responsible for maintaining the
confidentiality of passwords associated with any account you use to access
the Services.

6.2 Accordingly, you agree that you will be solely responsible to Google for
all activities that occur under your account.

6.3 If you become aware of any unauthorized use of your password or of your
account, you agree to notify Google immediately at [snipped URL].
=

I don't remember that gmail had very strict password rules.  Yet their
legalese basically negates the need since they pretty much label you
responsible for everything that happens under your account.  If my bank gets
hacked because I use my same username / password as my gmail and it was
obtained via gmail somehow, does that legalese mean Google is in the clear?

~Todd

On Jan 25, 2008 9:17 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> Well, I was just kinda "giving the bottom line".  Of course, in the real
> world, a much "kinder, gentler" way of saying it would be appropriate.
>
> I can also compromise by letting you choose your password, but stipulate
> that it require one or more of certain characters, a mix of caps and lower
> case, etc.,
> or I can allow you to choose your own password without any stipulations,
> but you have to sign a waiver holding me harmless.
>
> I don't see that as unreasonable.  You get to decide how to handle your
> password, if you like, but you just can't blame me in the case of a poor
> choice which leads to your ruin.  I'm not going down with you...
>
> I think that's fair.
>
> I'll bet most EUA's have something like that buried in their "legalese".
>
> Thoughts?
>
> Rick


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297417


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Well, I was just kinda "giving the bottom line".  Of course, in the real
world, a much "kinder, gentler" way of saying it would be appropriate.

I can also compromise by letting you choose your password, but stipulate
that it require one or more of certain characters, a mix of caps and lower 
case, etc.,
or I can allow you to choose your own password without any stipulations,
but you have to sign a waiver holding me harmless.

I don't see that as unreasonable.  You get to decide how to handle your
password, if you like, but you just can't blame me in the case of a poor
choice which leads to your ruin.  I'm not going down with you...

I think that's fair.

I'll bet most EUA's have something like that buried in their "legalese".

Thoughts?

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 8:51 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> Rick, is it really not possible to compromise?  It's one thing to enforce
> and shove a password down my throat... it's something else to educate the
> end-user on what a "strong" password is.
> 
> On Jan 25, 2008 8:46 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> 
> > No problem... if you won't let me choose your password to make sure
> > you and I are both protected, then you have to agree not to hold me
> > accountable for any problems that occur as a result of your weak
> > password.  Accept a strong password, or sign a waiver... simple.
> >
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297415


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Rick, is it really not possible to compromise?  It's one thing to enforce
and shove a password down my throat... it's something else to educate the
end-user on what a "strong" password is.

On Jan 25, 2008 8:46 AM, Rick Faircloth <[EMAIL PROTECTED]> wrote:

> No problem... if you won't let me choose your password to make sure
> you and I are both protected, then you have to agree not to hold me
> accountable for any problems that occur as a result of your weak
> password.  Accept a strong password, or sign a waiver... simple.
>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297413


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
No problem... if you won't let me choose your password to make sure
you and I are both protected, then you have to agree not to hold me
accountable for any problems that occur as a result of your weak
password.  Accept a strong password, or sign a waiver... simple.

> -Original Message-
> From: Rick Root [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 8:20 AM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > One solution that I have used is to allow users to choose their username,
> > usually just their email address, but I force a very strong password
> > on them generated with CF.
> 
> Nothing annoys me more, personally, than a web site that won't let me
> choose my own password.  Such sites are rare, thank god.
> 
> But second on the list of annoying password things is password rules
> that don't make sense to me or seem random. One bank says your
> password cannot end in a number.  Another says you have to have two
> numbers.
> 
> Then you get the sites that don't LET you use special characters.
> That *REALLY* annoys me.  Nothing worse than a web site that forces
> you to lower your password strength to fit their rules.
> 
> And finally, I deal with one company that forces your password to all
> lower case.  PSNC Energy does that.  Incredibly lame.
> 
> --
> Rick Root
> New Brian Vander Ark Album, songs in the music player and cool behind
> the scenes video at www.myspace.com/brianvanderark
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297412


Re: SSL Necessary? Important?

2008-01-25 Thread Rick Root
On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> One solution that I have used is to allow users to choose their username,
> usually just their email address, but I force a very strong password
> on them generated with CF.

Nothing annoys me more, personally, than a web site that won't let me
choose my own password.  Such sites are rare, thank god.

But second on the list of annoying password things is password rules
that don't make sense to me or seem random. One bank says your
password cannot end in a number.  Another says you have to have two
numbers.

Then you get the sites that don't LET you use special characters.
That *REALLY* annoys me.  Nothing worse than a web site that forces
you to lower your password strength to fit their rules.

And finally, I deal with one company that forces your password to all
lower case.  PSNC Energy does that.  Incredibly lame.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297411


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
I'm not in a shared environment. I have my own VPS.


> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 7:47 PM
> To: CF-Talk
> Subject: RE: OT: SSL Necessary? Important?
> 
> > I've never implemented an SSL cert, so I'm not sure, but I
> > thought each SSL had to have a dedicated IP.  ???
> 
> This used to be the case, but isn't any more:
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
> 
> However, I'm pretty sure this is limited to wildcard certificates, which
> probably isn't too helpful in a shared hosting environment.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297386


RE: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> Is the SSL encryption overkill for something like this?  Or 
> would it be advisable?  How big a security risk is there for 
> personal info like this?

The security risk is probably acceptable for your client, even if they don't
know that. However, it's so cheap to use SSL that you might as well do that
instead.

> Is it easy to hack without SSL?

SSL/TLS prevents third parties from being able to read traffic between the
two endpoints of an encrypted conversation - the browser and the server. It
doesn't prevent the client from hacking anything, and that may be a more
serious concern. It is very easy to read plaintext data if you're on the
same network segment as an unencrypted conversation. If you go down to your
local coffee shop and use the free wifi, you can easily read data from other
users who aren't using SSL/TLS or tunnelling all their traffic through a VPN
or SSH connection. For example, I give you the wall of sheep:

http://blog.makezine.com/archive/2005/07/_defcon_the_wal.html

But, to see this data, you have to be on the same network segment, which
limits the scope of any surveillance quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297382


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> I tell clients with "public" web sites that they probably 
> need a cert from a popular reputable provider in order to 
> avoid the browser warning. But the thing to remember is that 
> (in most cases) the warning is saying that "your company" may 
> not be ok ... Not that the information is unencrypted or less 
> secure. SSL works the same whether you are using a commercial 
> cert or a self-signed cert... Your data is still encrypted, 
> it's just that the browser can't "check" with anyone to prove 
> you are a reputable business. Having said that, the only 
> thing really required to "prove" you are reputable is that 
> you shell out to Verisign or someone to say it on your behalf 
> - so it really is a sort of protection racket.

This has nothing to do with whether your business is reputable. It has to do
with whether your business is, in fact, the business it identifies itself
as. The certificate authority that issues your certificate identifies your
business as an ongoing concern, and the owner of the domain in question. So,
when users go to that domain, the certificate authority guarantees that you
are in fact the legitimate owner of that domain, and that they're actually
visiting the domain they typed into the browser. The purpose of SSL/TLS is
not just encryption, it's verification.

This is no more a protection racket than, say, state-issued drivers
licenses. You are free to create your own certificate authority, and
convince Microsoft and the Mozilla Foundation to include your own root
certificate in their browsers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297380


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> I've never implemented an SSL cert, so I'm not sure, but I 
> thought each SSL had to have a dedicated IP.  ???

This used to be the case, but isn't any more:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

However, I'm pretty sure this is limited to wildcard certificates, which
probably isn't too helpful in a shared hosting environment.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297379


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> Why would anybody spend more than $20 a year on an SSL cert?  
> Godaddy's certs are perfectly adequate. 

 unless you have a large enough number of users visiting your site, in
which case some of them with older computers won't recognize the certificate
as valid because they don't have the appropriate root certificates
installed.

Here's a good breakdown (in my opinion, of course) of how to determine what
sort of certificate to buy:
http://www.boutell.com/newfaq/creating/whichcert.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297376


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> typically no, because "virtual hosting" relies on host 
> headers.  The web server doesn't receive the headers until 
> after the connection is established.

This appears to no longer be the case with IIS 6, at least. To be honest,
I'm not exactly sure how this works with IIS 6, but it appears that you can
have multiple virtual servers sharing the same IP address for SSL/TLS.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297373
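
Added example, not from the thread and not IIS code: a small model of the point discussed in the messages above, that a server sharing one IP address has to present its certificate before it receives the Host header, so every site on that address is checked against the same certificate. The IP address, the site lists and the function names are constructed, and the wildcard rule is the simplified form in which `*` stands for exactly one left-most label.

```javascript
// Added example: why name-based virtual hosts on one IP address end up
// sharing one certificate. Host names are the ones used in the thread; the
// IP address (documentation range) and all function names are constructed.

// Does a certificate name cover the host the browser asked for?
// "*" is honoured only as the whole left-most label and matches exactly one
// label, so "*.domainname.com" covers "www.domainname.com" but neither
// "domainname.com" nor "a.b.domainname.com".
function certNameCovers(certName, host) {
  const pattern = certName.toLowerCase().split(".");
  const labels = host.toLowerCase().split(".");
  if (pattern.length !== labels.length) return false;
  if (pattern.includes("") || labels.includes("")) return false;
  for (let i = 1; i < pattern.length; i++) {
    if (pattern[i] !== labels[i]) return false;
  }
  if (pattern[0] === "*") return pattern.length >= 3; // refuse "*.com"
  return pattern[0] === labels[0];
}

// The handshake completes before the Host header arrives, so in this model
// the server can choose a certificate only from what it knows at connect
// time: the IP address and port the client connected to.
function certificateForSocket(bindings, ip, port) {
  const binding = bindings.find((b) => b.ip === ip && b.port === port);
  return binding ? binding.certName : null;
}

// For every site served from ip:port, report whether a browser asking for
// that site would find its host name in the certificate it is shown.
function auditSharedIp(bindings, sites, ip, port) {
  const certName = certificateForSocket(bindings, ip, port);
  return sites
    .filter((s) => s.ip === ip && s.port === port)
    .map((s) => ({
      host: s.host,
      certName,
      nameMatches: certName !== null && certNameCovers(certName, s.host),
    }));
}

const IP = "192.0.2.10"; // constructed address

// Case 1: one wildcard certificate bound to the shared address.
const WILDCARD_BINDINGS = [{ ip: IP, port: 443, certName: "*.domainname.com" }];
const WILDCARD_SITES = [
  { host: "www.domainname.com", ip: IP, port: 443 },
  { host: "mail.domainname.com", ip: IP, port: 443 },
  { host: "domainname.com", ip: IP, port: 443 },
  { host: "www.example2.com", ip: IP, port: 443 },
];

// Case 2: an ordinary single-name certificate, two unrelated sites.
const SINGLE_BINDINGS = [{ ip: IP, port: 443, certName: "www.example.com" }];
const SINGLE_SITES = [
  { host: "www.example.com", ip: IP, port: 443 },
  { host: "www.example2.com", ip: IP, port: 443 },
];

for (const row of [
  ...auditSharedIp(WILDCARD_BINDINGS, WILDCARD_SITES, IP, 443),
  ...auditSharedIp(SINGLE_BINDINGS, SINGLE_SITES, IP, 443),
]) {
  console.log(`${row.host} vs ${row.certName}: ${row.nameMatches ? "match" : "name mismatch warning"}`);
}
```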


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
> You can always generate a "bogus" certificate for free (Like 
> the default "Snake Oil" cert that is created by Apache). 
> 
> You will get the same level of encryption as a digitally signed cert
> (i.e: one that costs money) but the browser will complain 
> about it not being signed or something of that nature I 
> forgot the details as it was a couple of years ago.

Self-signed certificates aren't "bogus", and they are digitally signed.
They're signed using the same software used to generate the certificate.
These are admittedly small nits to pick, but additional clarity is usually a
good thing.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297374


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Russ
Godaddy certs are $20 all the time... I think they're on sale for $15 now or
something... 

Russ

> -Original Message-
> From: Rick Root [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 5:29 PM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> On 1/24/08, Russ <[EMAIL PROTECTED]> wrote:
> > Why would anybody spend more than $20 a year on an SSL cert?  Godaddy's
> > certs are perfectly adequate.
> 
> That depends if it's an introductory rate or not.  I wouldn't buy a
> $20 cert if I had to pay $90 to renew it, rather I'd just buy the $25
> certs that I pointed out earlier, since it's not a "sale"
> 
> Rick
> 
> --
> Rick Root
> New Brian Vander Ark Album, songs in the music player and cool behind
> the scenes video at www.myspace.com/brianvanderark
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297370


Re: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> It doesn't matter whose responsibility it is.  If a bank account gets
> hacked because of the church's web site, it will hurt the credibility of
> the church.

Yeah but God will protect them from that.

Damn, now I'm going to hell.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297362


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Russ <[EMAIL PROTECTED]> wrote:
> Why would anybody spend more than $20 a year on an SSL cert?  Godaddy's
> certs are perfectly adequate.

That depends if it's an introductory rate or not.  I wouldn't buy a
$20 cert if I had to pay $90 to renew it, rather I'd just buy the $25
certs that I pointed out earlier, since it's not a "sale"

Rick

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297361


Re: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 >>In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.

 provided you assume paranoia...

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297363


RE: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
One solution that I have used is to allow users to choose their username,
usually just their email address, but I force a very strong password
on them generated with CF.  I can control the parameters of the password
and what characters are used as well as what length it is.  They may not
like it, but it's for their protection and mine.  And if they forget that
password, the system simply issues another equally strong one.

Rick

> -Original Message-
> From: Todd [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 2:58 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> o_O
> 
> Mike, if your bank account gets hacked dude because YOU used the same
> username/password for every site the only person to blame here is YOU.  I'm
> sorry, but this thinking is just way backwards.  Should the church also be
> responsible if someone stole your ATM card and the PIN number just happened
> to be the same as your password?!  YOU made the mistake, not the church.
> 
> I'm *in agreement *that account identity information needs to be encrypted
> in the database.
> 
> On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> 
> > It doesn't matter whose responsibility it is.  If a bank account gets
> > hacked because of the church's web site, it will hurt the credibility of
> > the church.
> >
> > M!ke
> 
> 
> 
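The scheme Rick Faircloth describes at the top of this message (a system-generated password with a controlled character set and length, reissued when the user forgets it), as an added Python example that is not the poster's ColdFusion code. The alphabet, the 16-character length, the `AccountStore` class and the choice to keep only a salted scrypt hash (the thread says only "encrypted in the database") are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string

# Assumed policy: drop look-alike characters so an issued password can be
# read off a screen or an e-mail without transcription errors.
AMBIGUOUS = set("0O1lI|")
LOWER = "".join(c for c in string.ascii_lowercase if c not in AMBIGUOUS)
UPPER = "".join(c for c in string.ascii_uppercase if c not in AMBIGUOUS)
DIGITS = "".join(c for c in string.digits if c not in AMBIGUOUS)
SYMBOLS = "!#$%*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Return a random password containing every character class.

    Characters come from the OS CSPRNG via `secrets`. Candidates that miss
    a class are thrown away and redrawn, which keeps the result uniform
    over all acceptable passwords instead of biasing fixed positions.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt with a per-account random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


class AccountStore:
    """In-memory stand-in for the user table (hypothetical, for the example)."""

    def __init__(self):
        self._rows = {}  # email -> (salt, digest); the password is never stored

    def issue(self, email):
        """Create or replace the account's password and return it once."""
        password = generate_password()
        self._rows[email] = hash_password(password)
        return password

    # A forgotten password is handled by issuing another equally strong one;
    # the previous hash is overwritten, so the old password stops working.
    reset = issue

    def verify(self, email, candidate):
        row = self._rows.get(email)
        if row is None:
            return False
        salt, expected = row
        _, actual = hash_password(candidate, salt)
        return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    store = AccountStore()
    first = store.issue("member@church.example")   # constructed address
    print("issued:", first, "valid:", store.verify("member@church.example", first))
    second = store.reset("member@church.example")
    print("after reset, old still valid:", store.verify("member@church.example", first))
    print("after reset, new valid:", store.verify("member@church.example", second))
```
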

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297356


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
Yeah, I will agree with that.  I'm of two minds on this, apparently.  It's one
thing if a simple forum has my username/password stolen, quite something
different if my SSN was stolen.

My co-worker gave the argument that if a username/password can be traced
back to you and additional information can be gleaned and they can figure
out your bank and manage to log in because your username/password was the
same, then it's the fault of the original site that lost the data.  My counterpoint
was, if I let you borrow my car and I happened to give you my entire keyring
instead of just giving you the keys to the car, was it your fault or mine
when you got mugged and the keys (password) were taken from you (by a
hacker) my car (data) got stolen and oh, by the way, now my house ( the bank
) got robbed?  In my opinion, We were both at fault there.  I stupidly gave
you my entire keyring and you lost it/got mugged/whatever.

I do understand what you are saying.  I agree that personal identifying
information needs to be encrypted and secured.  SSL (or TLS or whatever the
hell you want to call it now) is an extra layer.  Does SSL belong on a
simple forum?  Not sure.  Does it belong on a site that is doing any kind of
transactions?  Certainly.

I think adding robust privacy policies and terms of agreement is a good
thing as well.  Ensuring the end user that the data is encrypted and laying
down exactly what you're responsible for.  It's one thing for data to be
compromised on your website, something entirely different when the end user
didn't secure themselves by using the same username/password and now their
bank got cleaned out.

Maybe we all take information for granted for how freely it's flowing out
there?  I may have to rethink all this... I have no idea anymore.  I argued
myself into a circle. ;)

On Jan 24, 2008 3:57 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> You are missing my point. I'm not saying a person is not responsible for
> their own credentials, however, you know how the media is.
>
> My original point was that it is too inexpensive NOT to secure the
> information.  Especially, to protect dummy people from themselves.  I
> care about the other guy even if the other guy gots not smarts.
>
> M!ke


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297359


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
Possibly... but the Scripture also teaches Christians to be
wise as serpents... :o)

Rick

> -Original Message-
> From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 12:45 PM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
>  >>But the church is also asking about an encrypted connection using an SSL
> certificate.
> 
> What a meanness! Don't they have some sort of divine protection already? ;-)
> 
> --
> ___
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtags/tagstore.cfm
> (Please send any spam to this address: [EMAIL PROTECTED])
> Thanks.
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297352


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
You are missing my point. I'm not saying a person is not responsible for
their own credentials, however, you know how the media is.

My original point was that it is too inexpensive NOT to secure the
information.  Especially, to protect dummy people from themselves.  I
care about the other guy even if the other guy gots not smarts.

M!ke 

-Original Message-
From: Todd [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 1:58 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?

o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.
I'm sorry, but this thinking is just way backwards.  Should the church
also be responsible if someone stole your ATM card and the PIN number
just happened to be the same as your password?!  YOU made the mistake,
not the church.

I'm *in agreement *that account identity information needs to be
encrypted in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> It doesn't matter whose responsibility it is.  If a bank account gets 
> hacked because of the church's web site, it will hurt the credibility 
> of the church.
>
> M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297349


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
It doesn't matter whose responsibility it is.  If a bank account gets
hacked because of the church's web site, it will hurt the credibility of
the church.

M!ke 

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 10:21 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?


 >>Then, I sign up for your church's web site and use the same username
and password combination.  Now, if someone sniffs that unsecured
connection, they now have my bank username and password.

Ok, but it is not the church's responsibility to protect your bank username
and password.
It's your problem.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297335


Re: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Todd <[EMAIL PROTECTED]> wrote:
> While I agree that account identifying information should be encrypted in
> the database, I don't agree that the church is responsible for the end
> user's stupidity of using the same username/password for every website out
> there.

I would agree, I use special passwords for any of my accounts that
involve credit cards, banks, etc.  I also use special passwords for
my email accounts.

then I don't worry about an unscrupulous web site manager running a
church web site using the password I give the site for anything
important.


In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.  But sometimes, it's easy to decide that it's not worth
the $25/year (though that's really a small price to pay).

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297341


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Mark Kruger
FYI:  I have a blog on this topic...

http://www.coldfusionmuse.com/index.cfm/2005/12/1/ca

I tell clients with "public" web sites that they probably need a cert from a
popular reputable provider in order to avoid the browser warning. But the
thing to remember is that (in most cases) the warning is saying that "your
company" may not be ok ... Not that the information is unencrypted or less
secure. SSL works the same whether you are using a commercial cert or a
self-signed cert... Your data is still encrypted, it's just that the browser
can't "check" with anyone to prove you are a reputable business. Having said
that, the only thing really required to "prove" you are reputable is that
you shell out to Verisign or someone to say it on your behalf - so it really
is a sort of protection racket.

-Mark

 

-Original Message-
From: Rick Root [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 11:17 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?

On 1/24/08, Tom Chiverton <[EMAIL PROTECTED]> wrote:
> On Thursday 24 Jan 2008, James Holmes wrote:
> > A dedicated IP is probably necessary with your host, since I assume 
> > you're sharing an IP right now.
>
> You can serve multiple different SSL'ed domains from the same IP, can't
you ?
> Your existing host may also have a cheaper deal too.

typically no, because "virtual hosting" relies on host headers.  The web
server doesn't receive the headers until after the connection is
established.

As for self-signing with OpenSSL - it's not a viable option at all unless
you're doing it for an intranet or a site with a VERY VERY small base of
users (like 2-3 users).. cuz then you can tell the 2-3 users to ignore the
certificate warning.  But that's STILL a security risk to you and those 2-3
users.

I've found this reseller to be reliable and cheap - they've been in business
for a long time and they're still there, and still cheap.

http://www.spacereg.com/webcert.html

the StarterSSL certificate is only $25/year with 96% browser recognition
go up to the QuickSSL to get 99% recognition at $80/year...

Rick


--
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind the
scenes video at www.myspace.com/brianvanderark



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297333


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.  I'm
sorry, but this thinking is just way backwards.  Should the church also be
responsible if someone stole your ATM card and the PIN number just happened
to be the same as your password?!  YOU made the mistake, not the church.

I'm *in agreement *that account identity information needs to be encrypted
in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> It doesn't matter whose responsibility it is.  If a bank account gets
> hacked because of the church's web site, it will hurt the credibility of
> the church.
>
> M!ke


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297345


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
>While I agree that account identifying information should be encrypted
in the database, I don't agree that the church is responsible for the
end user's stupidity of using the same username/password for every
website out there.

I agree, but tell this to all of the non-techies out there.  We run
across tons of secretaries who use their work user name for their
personal web sites.  They just don't quite understand the separation
between web sites.

M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297342


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Jerry Guido
Generally speaking, many (most?) hosts offer shared Certificates for
free. 

You can get a free cert from http://cert.startcom.org/ I have done this
before and it works fine for non e-commerce related stuff. I don't know
all the details on what is what with these certificates as I spent one
afternoon on it 2 years ago so I could lock down an intranet.

You can always generate a "bogus" certificate for free (Like the default
"Snake Oil" cert that is created by Apache). 

You will get the same level of encryption as a digitally signed cert
(i.e., one that costs money) but the browser will complain about it not
being signed or something of that nature.  I forgot the details as it
was a couple of years ago.


Jerry Guido
Programmer
MGT of America, Inc.
[EMAIL PROTECTED] 

The information contained in this electronic communication is intended
only for the use of the addressee, and may be a confidential
communication.  If you are not the intended recipient, you are hereby
notified that you have received this transmittal in error; any review,
dissemination, distribution or copying of this transmittal is strictly
prohibited.


-Original Message-
From: J.J. Merrick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 9:10 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?

yeah, it really isn't bad. Depending on the host they might have a
shared SSL cert you can use. Essentially they just map your site as a
folder underneath a larger site.

In the end it is like $20 for a low-end cert that will get you the
encryption you want/need and  a couple of bucks for a static IP a
month from their webhost.

J.J.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297318


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Jim McAtee
Or RapidSSL for $13-15 per year.

http://www.namecheap.com/learn/other-services/ssl-certificates.asp

I bought a RapidSSL cert for our intranet yesterday and a QuickSSL cert 
for another site.  Beside the domain name in the Subject, they're 
identical except for the entity listed as the Issuer.  It's RapidSSL in 
one and GeoTrust in the other.  That's all you're paying extra for.  But 
RapidSSL is a division of GeoTrust and GeoTrust is now owned by Verisign. 
The SSL certificate business is a racket.


- Original Message - 
From: "Rick Root" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Thursday, January 24, 2008 10:16 AM
Subject: Re: OT: SSL Necessary? Important?


> On 1/24/08, Tom Chiverton <[EMAIL PROTECTED]> wrote:
>> On Thursday 24 Jan 2008, James Holmes wrote:
>> > A dedicated IP is probably necessary with your host, since I assume
>> > you're sharing an IP right now.
>>
>> You can serve multiple different SSL'ed domains from the same IP, can't 
>> you ?
>> Your existing host may also have a cheaper deal too.
>
> typically no, because "virtual hosting" relies on host headers.  The
> web server doesn't receive the headers until after the connection is
> established.
>
> As for self-signing with OpenSSL - it's not a viable option at all
> unless you're doing it for an intranet or a site with a VERY VERY
> small base of users (like 2-3 users).. cuz then you can tell the 2-3
> users to ignore the certificate warning.  But that's STILL a security
> risk to you and those 2-3 users.
>
> I've found this reseller to be reliable and cheap - they've been in
> business for a long time and they're still there, and still cheap.
>
> http://www.spacereg.com/webcert.html
>
> the StarterSSL certificate is only $25/year with 96% browser
> recognition go up to the QuickSSL to get 99% recognition at
> $80/year...
>
> Rick
>
>
> -- 
> Rick Root
> New Brian Vander Ark Album, songs in the music player and cool behind
> the scenes video at www.myspace.com/brianvanderark
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297334


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 >>Of course users may not desire the warning about an untrusted cert

 and this can be worse than no protection at all.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297314


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Russ
You can, if you can live with getting cert warnings.  For that matter, if
your clients don't care about the warning, or are willing to import the self
sign key into their local systems, a self signed certificate is just as
secure (in terms of protecting data as it passes through the internet) as
one you buy for $600. 

Russ

> -Original Message-
> From: Tom Chiverton [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:37 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> On Thursday 24 Jan 2008, James Holmes wrote:
> > A dedicated IP is probably necessary with your host, since I assume
> > you're sharing an IP right now.
> 
> You can serve multiple different SSL'ed domains from the same IP, can't
> you ?
> Your existing host may also have a cheaper deal too.
> 
> --
> Tom Chiverton
> Helping to completely fashion clicks-and-mortar developments
> on: http://thefalken.livejournal.com
> 
> 
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297325


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
I think the important thing here is to anything and everything
the client wants as long as they're willing to pay for it, so I'm
covered in the event of problems.

> -Original Message-
> From: Tom Chiverton [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 10:17 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> On Thursday 24 Jan 2008, J.J. Merrick wrote:
> > And on the topic I would say that it probably is overkill but a lot of
> > times people's perception of security makes them happy.
> 
> But most web browser users can't tell the difference between TLS and non-TLS,
> so sometimes you have to ask yourself if it's worth it at all.
> Given users hand over their passwords to a stranger for a chocolate bar..
> 
> --
> Tom Chiverton, it's not been called SSL for a few years now...




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297321


RE: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
Very true... thanks, Michael.

Rick

> -Original Message-
> From: Dawson, Michael [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:58 AM
> To: CF-Talk
> Subject: RE: SSL Necessary? Important?
> 
> I don't think SSL is always necessary.  It depends on the content.
> 
> However, it is pretty common that many people use the same username and
> password for many different systems.
> 
> For example, I may log in to my bank's web site using "michael" and
> "password".  The bank's web site is secure so I no worry.
> 
> Then, I sign up for your church's web site and use the same username and
> password combination.  Now, if someone sniffs that unsecured connection,
> they now have my bank username and password.
> 
> So, although it's not necessary, in all cases, you are helping to
> protect information, indirectly.
> 
> Certificates are pretty inexpensive considering the cost of the loss of
> trust from users.
> 
> M!ke




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297326


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 >>But the church is also asking about an encrypted connection using an SSL
certificate.

What a meanness! Don't they have some sort of divine protection already? ;-)

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297332


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
Yeah, I agree with that JJ...

> -Original Message-
> From: J.J. Merrick [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:24 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> And on the topic I would say that it probably is overkill but a lot of
> times people's perception of security makes them happy. I think it is a
> far worse security risk that someone just downloads the thing and
> sells it than for someone to sniff the packets to get a couple of
> addresses and phone numbers.
> 
> It's like here in Nashville there was a break-in at the election
> commission and laptops were stolen with all the voter rolls on them...
> which meant SS numbers etc. People freaked out and the city ended up
> having to pay for credit monitoring services and send out 2 mailed
> letters to everyone registered to vote in Davidson County. Probably
> not cheap at all.
> 
> Come to find out the laptops were stolen by a homeless guy along with
> a space heater and a radio. They recovered the laptops only to
> discover they weren't even turned on!
> 
> In the end give the client what they want and if they are willing to
> pay a little bit more for a sense of security have at it.
> 
> J.J.
> 
> On 1/24/08, J.J. Merrick <[EMAIL PROTECTED]> wrote:
> > yeah, it really isn't bad. Depending on the host they might have a
> > shared SSL cert you can use. Essentially they just map your site as a
> > folder underneath a larger site.
> >
> > In the end it is like $20 for a low-end cert that will get you the
> > encryption you want/need and  a couple of bucks for a static IP a
> > month from their webhost.
> >
> > J.J.
> >
> > On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > > What's the total cost, typically?
> > >
> > > Cost of the SSL Cert, plus a dedicated IP (required, correct?),
> > > plus whatever other charges an ISP may charge?
> > >
> > > Rick
> > >
> > > > -Original Message-
> > > > From: James Holmes [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, January 24, 2008 1:02 AM
> > > > To: CF-Talk
> > > > Subject: Re: OT: SSL Necessary? Important?
> > > >
> > > > On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> > > > >  >>Is the SSL encryption overkill for something like this?
> > > > >
> > > > > IMHO yes.
> > > > > Unless they are willing to pay for more protection, because it is not 
> > > > > free.
> > > >
> > > > Unless they use OpenSSL and self-sign, which is free. Of course users
> > > > may not desire the warning about an untrusted cert, so it's not
> > > > perfect.
> > > >
> > > > --
> > > > mxAjax / CFAjax docs and other useful articles:
> > > > http://www.bifrost.com.au/blog/
> > > >
> > > >
> > >
> > >
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297310


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
On Jan 24, 2008 9:57 AM, Dawson, Michael <[EMAIL PROTECTED]> wrote:

> For example, I may log in to my bank's web site using "michael" and
> "password".  The bank's web site is secure so I no worry.
>
> Then, I sign up for your church's web site and use the same username and
> password combination.  Now, if someone sniffs that unsecured connection,
> they now have my bank username and password.
>
>
While I agree that account identifying information should be encrypted in
the database, I don't agree that the church is responsible for the end
user's stupidity of using the same username/password for every website out
there.

SSL for a church forum/cms login is overkill unless said church is accepting
donations on the website.  If they are, then they should be just as secured
as any other merchant online.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297329


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Tom Chiverton <[EMAIL PROTECTED]> wrote:
> On Thursday 24 Jan 2008, James Holmes wrote:
> > A dedicated IP is probably necessary with your host, since I assume
> > you're sharing an IP right now.
>
> You can serve multiple different SSL'ed domains from the same IP, can't you ?
> Your existing host may also have a cheaper deal too.

typically no, because "virtual hosting" relies on host headers.  The
web server doesn't receive the headers until after the connection is
established.

As for self-signing with OpenSSL - it's not a viable option at all
unless you're doing it for an intranet or a site with a VERY VERY
small base of users (like 2-3 users).. cuz then you can tell the 2-3
users to ignore the certificate warning.  But that's STILL a security
risk to you and those 2-3 users.

I've found this reseller to be reliable and cheap - they've been in
business for a long time and they're still there, and still cheap.

http://www.spacereg.com/webcert.html

the StarterSSL certificate is only $25/year with 96% browser
recognition go up to the QuickSSL to get 99% recognition at
$80/year...

Rick


-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark
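An added example, not part of the thread, of the ordering problem raised in the message above: a server holding several certificates on one IP must pick one while reading the client's first handshake message, before any HTTP Host header exists. It builds a real ClientHello in memory with Python's `ssl` module and parses it for the TLS `server_name` (SNI) extension, which the thread does not mention and which goes beyond what was posted; the hostnames and certificate file names are made up.

```python
import ssl
import struct


def client_hello_bytes(server_hostname):
    """Return the first bytes a TLS client sends (its ClientHello).

    Nothing is connected: the handshake runs against in-memory buffers and
    stops as soon as the client is waiting for the server's reply.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only so a hello without a hostname can be built
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for the server
    return outgoing.read()


def handshake_payload(data):
    """Concatenate the payloads of the leading handshake records (type 22)."""
    payload, pos = b"", 0
    while pos + 5 <= len(data) and data[pos] == 22:
        (length,) = struct.unpack_from("!H", data, pos + 3)
        payload += data[pos + 5 : pos + 5 + length]
        pos += 5 + length
    return payload


def sni_from_client_hello(data):
    """Return the hostname from the server_name extension, or None if absent."""
    hs = handshake_payload(data)
    if len(hs) < 4 or hs[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4 : 4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos : pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block
    ext_end = pos + 2 + int.from_bytes(body[pos : pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_type = body[pos + 2]
            (name_len,) = struct.unpack_from("!H", body, pos + 3)
            if name_type == 0:  # host_name
                return body[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


# Hypothetical certificate table for two sites sharing one IP address.
CERTS_BY_NAME = {
    "church.example": "church.example.pem",
    "shop.example": "shop.example.pem",
}
DEFAULT_CERT = "shared-ip-default.pem"


def choose_certificate(client_hello):
    """Pick a certificate using only what is visible before encryption starts."""
    return CERTS_BY_NAME.get(sni_from_client_hello(client_hello), DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("church.example", "shop.example", None):
        hello = client_hello_bytes(host)
        print(f"client sent name={host!r:18} -> server presents {choose_certificate(hello)}")
```

A client that sends no name gets the default certificate, so every other site on that IP produces a name-mismatch warning for that client; a dedicated IP per certificate avoids depending on client support.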

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297327


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
I'm actually their host... I don't normally host sites that I don't
develop, but for this one I did.

I'm now on a VPS, so I have complete control over the system.  And
I have 5 IP's to use without extra cost.  I need one for another client's
SSL, but I can use another for the church's SSL.

I'll check with the company that actually hosts my VPS and see if there
are any additional charges.  I think only one SSL comes with the VPS package.
I'll have to verify that, however.

Thanks for the feedback.

Rick

> -Original Message-
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:04 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> For example, digicert certs are $99:
> 
> http://www.digicert.com/
> 
> A dedicated IP is probably necessary with your host, since I assume
> you're sharing an IP right now.
> 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297313


Re: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 >>Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

Ok, but it is not the church's responsibility to protect your bank username 
and password.
It's your problem.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297316


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
I don't think SSL is always necessary.  It depends on the content.

However, it is pretty common that many people use the same username and
password for many different systems.

For example, I may log in to my bank's web site using "michael" and
"password".  The bank's web site is secure so I no worry.

Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

So, although it's not necessary, in all cases, you are helping to
protect information, indirectly.

Certificates are pretty inexpensive considering the cost of the loss of
trust from users.

M!ke

-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 23, 2008 7:45 PM
To: CF-Talk
Subject: OT: SSL Necessary? Important?

Hi, all.

Pardon a quick OT question (or two).  I have a client (church) that
wants to have a directory that is accessible to the membership, but not
the general public.  Access will be controlled by password/username
login.

But the church is also asking about an encrypted connection using an SSL
certificate.

Is the SSL encryption overkill for something like this?  Or would it be
advisable?  How big a security risk is there for personal info like
this?
Is it easy to hack without SSL?

Thanks for any feedback.

Rick

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297297


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Russ
Why would anybody spend more than $20 a year on an SSL cert?  Godaddy's
certs are perfectly adequate. 

Russ

> -Original Message-
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:04 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> For example, digicert certs are $99:
> 
> http://www.digicert.com/
> 
> A dedicated IP is probably necessary with your host, since I assume
> you're sharing an IP right now.
> 
> On Jan 24, 2008 10:04 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > What's the total cost, typically?
> >
> > Cost of the SSL Cert, plus a dedicated IP (required, correct?),
> > plus whatever other charges an ISP may charge?
> >
> > Rick
> >
> >
> > > -Original Message-
> > > From: James Holmes [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 24, 2008 1:02 AM
> > > To: CF-Talk
> > > Subject: Re: OT: SSL Necessary? Important?
> > >
> > > On Jan 24, 2008 11:38 AM, Claude Schneegans
> <[EMAIL PROTECTED]> wrote:
> > > >  >>Is the SSL encryption overkill for something like this?
> > > >
> > > > IMHO yes.
> > > > Unless they are willing to pay for more protection, because it is
> not free.
> > >
> > > Unless they use OpenSSL and self-sign, which is free. Of course users
> > > may not desire the warning about an untrusted cert, so it's not
> > > perfect.
> > >
> > > --
> > > mxAjax / CFAjax docs and other useful articles:
> > > http://www.bifrost.com.au/blog/
> > >
> > >
> >
> >
> 
> 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297322


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
I've never implemented an SSL cert, so I'm not sure, but I thought
each SSL had to have a dedicated IP.  ???

Rick

> -Original Message-
> From: Tom Chiverton [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 9:37 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> On Thursday 24 Jan 2008, James Holmes wrote:
> > A dedicated IP is probably necessary with your host, since I assume
> > you're sharing an IP right now.
> 
> You can serve multiple different SSL'ed domains from the same IP, can't you ?
> Your existing host may also have a cheaper deal too.
> 
> --
> Tom Chiverton
> Helping to completely fashion clicks-and-mortar developments
> on: http://thefalken.livejournal.com




Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297315


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Tom Chiverton
On Thursday 24 Jan 2008, J.J. Merrick wrote:
> And on the topic I would say that it probably is overkill but a lot of
> times people's perception of security makes them happy.

But most web browser users can't tell the difference between TLS and non-TLS, 
so sometimes you have to ask yourself if it's worth it at all. 
Given users hand over their passwords to a stranger for a chocolate bar..

-- 
Tom Chiverton, it's not been called SSL for a few years now...



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297303


Re: OT: SSL Necessary? Important?

2008-01-24 Thread Tom Chiverton
On Thursday 24 Jan 2008, James Holmes wrote:
> A dedicated IP is probably necessary with your host, since I assume
> you're sharing an IP right now.

You can serve multiple different SSL'ed domains from the same IP, can't you ?
Your existing host may also have a cheaper deal too.

-- 
Tom Chiverton
Helping to completely fashion clicks-and-mortar developments
on: http://thefalken.livejournal.com



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297295
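
Added example, not part of the original thread: the dedicated-IP question in the messages above turns on whether the client names the site before the server presents its certificate. TLS clients can do that with the server_name (SNI) extension in the ClientHello; this sketch builds a real ClientHello offline with Python's ssl module, parses the name out, and picks a certificate from a constructed two-site table. The hostnames and certificate file names are assumptions made for illustration.

```python
import ssl

# Constructed virtual-host table: two sites sharing one IP address.
CERT_BY_HOST = {
    "church.example": "church.pem",
    "client2.example": "client2.pem",
}
DEFAULT_CERT = "default.pem"  # served when the client names no site


def client_hello_bytes(hostname):
    """Return the first bytes a TLS client would send, without any network."""
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False  # permit a hello that carries no server name
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()


def parse_sni(record):
    """Extract the server_name from a ClientHello record, or None if absent."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        pos += 4
        if ext_type == 0:                          # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            name_len = int.from_bytes(hello[pos + 3:pos + 5], "big")
            if hello[pos + 2] == 0:                # name type 0 = host_name
                return hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def pick_certificate(record):
    """Choose the certificate a shared-IP server would present for this hello."""
    return CERT_BY_HOST.get(parse_sni(record), DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("church.example", "client2.example", None):
        hello = client_hello_bytes(host)
        print(host, "->", parse_sni(hello), "->", pick_certificate(hello))
```

A client that sends no server_name gets the default certificate, which is why one IP per certificate was the usual advice for hosts that had to support such clients.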


Re: OT: SSL Necessary? Important?

2008-01-24 Thread J.J. Merrick
yeah, it really isn't bad. Depending on the host they might have a
shared SSL cert you can use. Essentially they just map your site as a
folder underneath a larger site.

In the end it is like $20 for a low-end cert that will get you the
encryption you want/need and  a couple of bucks for a static IP a
month from their webhost.

J.J.

On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> What's the total cost, typically?
>
> Cost of the SSL Cert, plus a dedicated IP (required, correct?),
> plus whatever other charges an ISP may charge?
>
> Rick
>
> > -Original Message-
> > From: James Holmes [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, January 24, 2008 1:02 AM
> > To: CF-Talk
> > Subject: Re: OT: SSL Necessary? Important?
> >
> > On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> > >  >>Is the SSL encryption overkill for something like this?
> > >
> > > IMHO yes.
> > > Unless they are willing to pay for more protection, because it is not 
> > > free.
> >
> > Unless they use OpenSSL and self-sign, which is free. Of course users
> > may not desire the warning about an untrusted cert, so it's not
> > perfect.
> >
> > --
> > mxAjax / CFAjax docs and other useful articles:
> > http://www.bifrost.com.au/blog/
> >
> >
>
> 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297289


Re: OT: SSL Necessary? Important?

2008-01-24 Thread J.J. Merrick
And on the topic I would say that it probably is overkill but a lot of
times people's perception of security makes them happy. I think it is a
far worse security risk that someone just downloads the thing and
sells it than for someone to sniff the packets to get a couple of
addresses and phone numbers.

It's like here in Nashville there was a break-in at the election
commission and laptops were stolen with all the voter rolls on them...
which meant SS numbers etc. People freaked out and the city ended up
having to pay for credit monitoring services and send out 2 mailed
letters to everyone registered to vote in Davidson County. Probably
not cheap at all.

Come to find out the laptops were stolen by a homeless guy along with
a space heater and a radio. They recovered the laptops only to
discover they weren't even turned on!

In the end give the client what they want and if they are willing to
pay a little bit more for a sense of security have at it.

J.J.

On 1/24/08, J.J. Merrick <[EMAIL PROTECTED]> wrote:
> yeah, it really isn't bad. Depending on the host they might have a
> shared SSL cert you can use. Essentially they just map your site as a
> folder underneath a larger site.
>
> In the end it is like $20 for a low-end cert that will get you the
> encryption you want/need and  a couple of bucks for a static IP a
> month from their webhost.
>
> J.J.
>
> On 1/24/08, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> > What's the total cost, typically?
> >
> > Cost of the SSL Cert, plus a dedicated IP (required, correct?),
> > plus whatever other charges an ISP may charge?
> >
> > Rick
> >
> > > -Original Message-
> > > From: James Holmes [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 24, 2008 1:02 AM
> > > To: CF-Talk
> > > Subject: Re: OT: SSL Necessary? Important?
> > >
> > > On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> > > >  >>Is the SSL encryption overkill for something like this?
> > > >
> > > > IMHO yes.
> > > > Unless they are willing to pay for more protection, because it is not 
> > > > free.
> > >
> > > Unless they use OpenSSL and self-sign, which is free. Of course users
> > > may not desire the warning about an untrusted cert, so it's not
> > > perfect.
> > >
> > > --
> > > mxAjax / CFAjax docs and other useful articles:
> > > http://www.bifrost.com.au/blog/
> > >
> > >
> >
> > 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297292


Re: OT: SSL Necessary? Important?

2008-01-24 Thread James Holmes
For example, digicert certs are $99:

http://www.digicert.com/

A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now.

On Jan 24, 2008 10:04 PM, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> What's the total cost, typically?
>
> Cost of the SSL Cert, plus a dedicated IP (required, correct?),
> plus whatever other charges an ISP may charge?
>
> Rick
>
>
> > -Original Message-
> > From: James Holmes [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, January 24, 2008 1:02 AM
> > To: CF-Talk
> > Subject: Re: OT: SSL Necessary? Important?
> >
> > On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> > >  >>Is the SSL encryption overkill for something like this?
> > >
> > > IMHO yes.
> > > Unless they are willing to pay for more protection, because it is not 
> > > free.
> >
> > Unless they use OpenSSL and self-sign, which is free. Of course users
> > may not desire the warning about an untrusted cert, so it's not
> > perfect.
> >
> > --
> > mxAjax / CFAjax docs and other useful articles:
> > http://www.bifrost.com.au/blog/
> >
> >
>
> 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297288


RE: OT: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
What's the total cost, typically?

Cost of the SSL Cert, plus a dedicated IP (required, correct?),
plus whatever other charges an ISP may charge?

Rick

> -Original Message-
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 24, 2008 1:02 AM
> To: CF-Talk
> Subject: Re: OT: SSL Necessary? Important?
> 
> On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> >  >>Is the SSL encryption overkill for something like this?
> >
> > IMHO yes.
> > Unless they are willing to pay for more protection, because it is not free.
> 
> Unless they use OpenSSL and self-sign, which is free. Of course users
> may not desire the warning about an untrusted cert, so it's not
> perfect.
> 
> --
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
> 
> 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297284


Re: OT: SSL Necessary? Important?

2008-01-23 Thread James Holmes
On Jan 24, 2008 11:38 AM, Claude Schneegans <[EMAIL PROTECTED]> wrote:
>  >>Is the SSL encryption overkill for something like this?
>
> IMHO yes.
> Unless they are willing to pay for more protection, because it is not free.

Unless they use OpenSSL and self-sign, which is free. Of course users
may not desire the warning about an untrusted cert, so it's not
perfect.

-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297268


Re: OT: SSL Necessary? Important?

2008-01-23 Thread Claude Schneegans
 >>Is the SSL encryption overkill for something like this?

IMHO yes.
Unless they are willing to pay for more protection, because it is not free.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297252


Re: SSL Necessary? Important?

2008-01-23 Thread Will Tomlinson
Rick,

Don't believe anything dave says. He's just disrupting again. 

Anyway, do *I* look like I would make fun of you?   :)

Will 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297254


RE: SSL Necessary? Important?

2008-01-23 Thread Rick Faircloth
> sla 256 hashing

I know I'm generally behind the times, so I thought maybe
that was some new encryption technology.  ;o)

> Will is trying to make fun of u (yes again)

I feel honored to garner such attention from Will... however,
I didn't see a message from him.  Maybe it'll come in soon.
Wouldn't want to miss it, you know!


> -Original Message-
> From: Dave l [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 8:54 PM
> To: CF-Talk
> Subject: Re: SSL Necessary? Important?
> 
> umm sha i meant
> 
> > Will is trying to make fun of u (yes again) but the way I look at it
> > at least you have more than 1 client, he can't say that :)
> >
> > You can use ssl on there with no big deal.
> > If you aren't encrypting your passwords then sure it could be a big
> > deal if someone gets ahold of their username and password and it
> > happens to also unlock.. say their bank account which the people find.
> >
> >
> > generally a good sla 256 hashing is good but if they ask you for ssl
> > then give them ssl to cover your arse.
> >
> >
> >
> > >Hi, all.
> > >
> > >Pardon a quick OT question (or two).  I have a client (church) that
> > wants
> > >to have a directory that is accessible to the membership, but not
> > the
> > >general public.  Access will be controlled by password/username login.
> >
> > >
> > >But the church is also asking about an encrypted connection using an
> > SSL
> > >certificate.
> > >
> > >Is the SSL encryption overkill for something like this?  Or would it
> > be
> > >advisable?  How big a security risk is there for personal info like
> > this?
> > >Is it easy to hack without SSL?
> > >
> > >Thanks for any feedback.
> > >
> > >Rick
> 
> 
> 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297260


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
lol, so prove me wrong!!! 
captain lady killer ;)~


>Rick,
>
>Don't believe anything dave says. He's just disrupting again. 
>
>Anyway, do *I* look like I would make fun of you?   :)
>
>Will 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297255


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
Will is trying to make fun of u (yes again) but the way I look at it at least 
you have more than 1 client, he can't say that :)

You can use ssl on there with no big deal.
If you aren't encrypting your passwords then sure it could be a big deal if 
someone gets ahold of their username and password and it happens to also 
unlock.. say their bank account which the people find.

generally a good sla 256 hashing is good but if they ask you for ssl then give 
them ssl to cover your arse.



>Hi, all.
>
>Pardon a quick OT question (or two).  I have a client (church) that wants
>to have a directory that is accessible to the membership, but not the
>general public.  Access will be controlled by password/username login.
>
>But the church is also asking about an encrypted connection using an SSL
>certificate.
>
>Is the SSL encryption overkill for something like this?  Or would it be
>advisable?  How big a security risk is there for personal info like this?
>Is it easy to hack without SSL?
>
>Thanks for any feedback.
>
>Rick 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297245


OT: SSL Necessary? Important?

2008-01-23 Thread Rick Faircloth
Hi, all.

Pardon a quick OT question (or two).  I have a client (church) that wants
to have a directory that is accessible to the membership, but not the
general public.  Access will be controlled by password/username login.

But the church is also asking about an encrypted connection using an SSL
certificate.

Is the SSL encryption overkill for something like this?  Or would it be
advisable?  How big a security risk is there for personal info like this?
Is it easy to hack without SSL?

Thanks for any feedback.

Rick



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297241


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
umm sha i meant

> Will is trying to make fun of u (yes again) but the way I look at it 
> at least you have more than 1 client, he can't say that :)
> 
> You can use ssl on there with no big deal.
> If you aren't encrypting your passwords then sure it could be a big 
> deal if someone gets ahold of their username and password and it 
> happens to also unlock.. say their bank account which the people find.
> 
> 
> generally a good sla 256 hashing is good but if they ask you for ssl 
> then give them ssl to cover your arse.
> 
> 
> 
> >Hi, all.
> >
> >Pardon a quick OT question (or two).  I have a client (church) that 
> wants
> >to have a directory that is accessible to the membership, but not 
> the
> >general public.  Access will be controlled by password/username login.
> 
> >
> >But the church is also asking about an encrypted connection using an 
> SSL
> >certificate.
> >
> >Is the SSL encryption overkill for something like this?  Or would it 
> be
> >advisable?  How big a security risk is there for personal info like 
> this?
> >Is it easy to hack without SSL?
> >
> >Thanks for any feedback.
> >
> >Rick 


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297246