On Thursday 24 Jan 2008, Rick Faircloth wrote:
I think the important thing here is to anything and everything
the client wants as long as they're willing to pay for it,
Hell yes :-)
--
Tom Chiverton
Helping to dynamically strategize plug-and-play e-business
on:
I'm not sure how Zillow.com's terms supports your My strong password or
else argument (which is what I thought this was) as all you did was show me
their terms of use.
Now try to find one one here -
http://www.sharebuilder.com/sharebuilder/Security/Default.aspx
I can choose any password I want
Anyway, the problem with strong passwords is they're not
easily, if at all, memorable.
That doesn't have to be true:
http://en.wikipedia.org/wiki/Passphrase
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction
and hoping we're
not the one facing a round in the chamber.
Rick
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 1:36 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
ANY
-Original Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 12:52 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
I'm not sure how Zillow.com's terms supports your My strong password or
else argument (which is what I thought this was) as all you did
A quote From O Brother, Where Art Thou?
This stew's awful good.
Wash responds, You think so? I slaughtered this horse last Tuesday. I'm
afraid she's startin' to turn.
Just sayin'... ;)
On Jan 25, 2008 5:33 PM, James Holmes [EMAIL PROTECTED] wrote:
Yes, wildcard certs work fine under Apache
Oh, come on James! What's a little cannibalism between friends! :o)
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 6:44 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
Depending on local laws, there are some things to which
is just playing a game of Russian Roulette and hoping we're
not the one facing a round in the chamber.
Rick
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 1:36 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important
IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
ANY DAMAGES
I'm sorry, but just from the very begining, this statement has
absolutely no value.
I hope you didn't pay a lawyer to write it.
Nobody can state, in advance on not that he is not liable or responsible.
ONLY a judge in court
I can assure you that I'm not your wife and there are some areas where I'm
very cut to the chase and other areas where I have learned to be more
flexible I guess. :)
On Jan 25, 2008 11:40 AM, Rick Faircloth wrote:
You sound like my wife who's always telling me to be more civil and stop
that my
To: CF-Talk
Subject: Re: SSL Necessary? Important?
Rick,
I get it. I do. What I'm suggesting is instead of cramming down a password
down the throat to use clearly written english description of what a STRONG
password would be and to use validation to determine what's a strong / weak
Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 11:04 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
Rick,
I get it. I do. What I'm suggesting is instead of cramming down a password
down the throat to use clearly written english description of what
-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 7:09 PM
To: CF-Talk
Subject: RE: OT: SSL Necessary? Important?
typically no, because virtual hosting relies on host
headers. The web server doesn't receive the headers until
after the connection is established
Rick,
I get it. I do. What I'm suggesting is instead of cramming down a password
down the throat to use clearly written english description of what a STRONG
password would be and to use validation to determine what's a strong / weak
passwords. There's plenty of javascript / serverside
Would you consider gmail to be pretty important if you used it daily like I
do? Let's take a look at what Google says in their EULA:
=
6. Your passwords and account security
6.1 You agree and understand that you are responsible for maintaining
Rick, is it really not possible to compromise? It's one thing to enforce
and shove a password down my throat... it's something else to educate the
end-user on what a strong password is.
On Jan 25, 2008 8:46 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
No problem... if you won't let me choose
-
From: Rick Root [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 8:20 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
On 1/24/08, Rick Faircloth [EMAIL PROTECTED] wrote:
One solution that I have used is to allow users to choose their username,
usually just their email address
Yes, wildcard certs work fine under Apache too.
On Jan 26, 2008 2:20 AM, Dave Watts [EMAIL PROTECTED] wrote:
I'd like to see some proof of this. Is this only with
wildcard certs (in which case it would only work for
*.domainname.com), or it is for any kind of cert (such that
you can have
On 1/24/08, Rick Faircloth [EMAIL PROTECTED] wrote:
One solution that I have used is to allow users to choose their username,
usually just their email address, but I force a very strong password
on them generated with CF.
Nothing annoys me more, personally, than a web site that won't let me
ruin. I'm not going down with you...
I think that's fair.
I'll be most EUA's have something like that buried in their legalize.
Thoughts?
Rick
-Original Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 8:51 AM
To: CF-Talk
Subject: Re: SSL Necessary
, 2008 9:35 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
Would you consider gmail to be pretty important if you used it daily like I
do? Let's take a look at what Google says in their EULA:
=
6. Your passwords and account
I'd like to see some proof of this. Is this only with
wildcard certs (in which case it would only work for
*.domainname.com), or it is for any kind of cert (such that
you can have www.example.com and www.example2.com) on the
same IP with no SSL problems?
Wildcard certs only. I
Here's some of the Terms for use of Zillow.com... a Real
Estate listing website.
9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL
ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES ...
Now that pretty iron-clad legally, I think, that no matter
what you do, password or
: SSL Necessary? Important?
On Jan 24, 2008 11:38 AM, Claude Schneegans [EMAIL PROTECTED] wrote:
Is the SSL encryption overkill for something like this?
IMHO yes.
Unless they are willing to pay for more protection, because it is not free.
Unless they use OpenSSL and self-sign, which
a dedicated IP (required, correct?),
plus whatever other charges an ISP may charge?
Rick
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 1:02 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On Jan 24, 2008 11:38 AM
IP (required, correct?),
plus whatever other charges an ISP may charge?
Rick
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 1:02 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On Jan 24, 2008 11:38 AM
[mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 1:02 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On Jan 24, 2008 11:38 AM, Claude Schneegans [EMAIL PROTECTED] wrote:
Is the SSL encryption overkill for something like this?
IMHO yes.
Unless
On Thursday 24 Jan 2008, James Holmes wrote:
A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now.
You can serve multiple different SSL'ed domains from the same IP, can't you ?
Your existing hose may also have a cheaper deal too.
--
Tom Chiverton
On Thursday 24 Jan 2008, J.J. Merrick wrote:
And on the topic I would say that it probably is overkill but a lot of
times peoples perception of security makes them happy.
But most web browser uses can't tell the difference between TLS and non-TLS,
so sometimes you have to ask yourself if it's
I've never implemented and SSL cert, so I'm not sure, but I thought
each SSL had to have a dedicated IP. ???
Rick
-Original Message-
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 9:37 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important
Why would anybody spend more then $20 a year on an SSL cert? Godaddy's
certs are perfectly adequate.
Russ
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 9:04 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
For example
.
Certificates are pretty inexpensive considering the cost of the loss of
trust from users.
M!ke
-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 7:45 PM
To: CF-Talk
Subject: OT: SSL Necessary? Important?
Hi, all.
Pardon a quick OT question
Then, I sign up for your church's web site and use the same username and
password combination. Now, if someone sniffs that unsecured connection,
they now have my bank username and password.
Ok, but it is not the church responsibility to protect you bank username
and password.
It's your
: Thursday, January 24, 2008 9:04 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
For example, digicert certs are $99:
http://www.digicert.com/
A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now
On 1/24/08, Tom Chiverton [EMAIL PROTECTED] wrote:
On Thursday 24 Jan 2008, James Holmes wrote:
A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now.
You can serve multiple different SSL'ed domains from the same IP, can't you ?
Your existing
On Jan 24, 2008 9:57 AM, Dawson, Michael [EMAIL PROTECTED] wrote:
For example, I may log in to my bank's web site using michael and
password. The bank's web site is secure so I no worry.
Then, I sign up for your church's web site and use the same username and
password combination. Now, if
Yeah, I agree with that JJ...
-Original Message-
From: J.J. Merrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 9:24 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
And on the topic I would say that it probably is overkill but a lot of
times peoples
But the church is also asking about an encrypted connection using an SSL
certificate.
What a meanness! Don't they have some sort of divine protection already? ;-)
--
___
REUSE CODE! Use custom tags;
See
Very true... thanks, Michael.
Rick
-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 9:58 AM
To: CF-Talk
Subject: RE: SSL Necessary? Important?
I don't think SSL is always necessary. It depends on the content.
However
Subject: Re: OT: SSL Necessary? Important?
On Thursday 24 Jan 2008, J.J. Merrick wrote:
And on the topic I would say that it probably is overkill but a lot of
times peoples perception of security makes them happy.
But most web browser uses can't tell the difference between TLS and non-TLS
) as
one you buy for $600.
Russ
-Original Message-
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 9:37 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On Thursday 24 Jan 2008, James Holmes wrote:
A dedicated IP is probably necessary with your
Of course users may not desire the warning about an untrusted cert
and this can be worse than no protection at all.
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address:
@houseoffusion.com
Sent: Thursday, January 24, 2008 10:16 AM
Subject: Re: OT: SSL Necessary? Important?
On 1/24/08, Tom Chiverton [EMAIL PROTECTED] wrote:
On Thursday 24 Jan 2008, James Holmes wrote:
A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now
PROTECTED]
Sent: Thursday, January 24, 2008 9:10 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
yeah, it really isn't bad. Depending on the host they might have a
shared SSL cert you can use. Essentially they just map your site as a
folder underneath a larger site.
In the end it is like
While I agree that account identifying information should be encrypted
in the database, I don't agree that the church is responsible for the
end user's stupidity of using the same username/password for every
website out there.
I agree, but tell this to all of the non-techies out there. We run
o_O
Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU. I'm
sorry, but this thinking is just way backwards. Should the church also be
responsible if someone stole your ATM card and the PIN number just
24, 2008 11:17 AM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On 1/24/08, Tom Chiverton [EMAIL PROTECTED] wrote:
On Thursday 24 Jan 2008, James Holmes wrote:
A dedicated IP is probably necessary with your host, since I assume
you're sharing an IP right now.
You can serve multiple
On 1/24/08, Todd [EMAIL PROTECTED] wrote:
While I agree that account identifying information should be encrypted in
the database, I don't agree that the church is responsible for the end
user's stupidity of using the same username/password for every website out
there.
I would agree, I use
Subject: Re: SSL Necessary? Important?
Then, I sign up for your church's web site and use the same username
and password combination. Now, if someone sniffs that unsecured
connection, they now have my bank username and password.
Ok, but it is not the church responsibility to protect you bank
even if the other guy gots not smarts.
M!ke
-Original Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 1:58 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
o_O
Mike, if your bank account gets hacked dude because YOU used the same
username/password
Possibly... but the Scripture also teaches Christians to be
wise as serpents... :o)
Rick
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 12:45 PM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
But the church is also
Yeah, I will agree with that. I'm two minds of this apparently. It's one
thing if a simple forum has my username/password stolen, quite something
different if my SSN was stolen.
My co-worker gave the argument that if a username/password can be traced
back to you and additional information can
it, but it's for their protection and mine. And if they forget that
password, the system simply issues another equally strong one.
Rick
-Original Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 2:58 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important
In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.
provided you assume paranoia...
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address:
On 1/24/08, Russ [EMAIL PROTECTED] wrote:
Why would anybody spend more then $20 a year on an SSL cert? Godaddy's
certs are perfectly adequate.
That depends if it's an introductory rate or not. I wouldn't buy a
$20 cert if I had to pay $90 to renew it, rather I'd just buy the $25
certs that I
On 1/24/08, Dawson, Michael [EMAIL PROTECTED] wrote:
It doesn't matter whose responsibility it is. If a bank account gets
hacked because of the church's web site, it will hurt the credibility of
the church.
Yeah but God will protect them from that.
Damn, now I'm going to hell.
--
Rick Root
Godaddy certs are $20 all the time... I think they're on sale for $15 now or
something...
Russ
-Original Message-
From: Rick Root [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 5:29 PM
To: CF-Talk
Subject: Re: OT: SSL Necessary? Important?
On 1/24/08, Russ [EMAIL
Why would anybody spend more then $20 a year on an SSL cert?
Godaddy's certs are perfectly adequate.
unless you have a large enough number of users visiting your site, in
which case some of them with older computers won't recognize the certificate
as valid because they don't have the
You can always generate a bogus certificate for free (Like
the default Snake Oil cert that is created by Apache).
You will get the same level of encryption as a digitally signed cert
(i.e: one that costs money) but the browser will complain
about it not being signed or something of that
typically no, because virtual hosting relies on host
headers. The web server doesn't receive the headers until
after the connection is established.
This appears to no longer be the case with IIS 6, at least. To be honest,
I'm not exactly sure how this works with IIS 6, but it appears that
I've never implemented and SSL cert, so I'm not sure, but I
thought each SSL had to have a dedicated IP. ???
This used to be the case, but isn't any more:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5
96b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
However,
I tell clients with public web sites that they probably
need a cert from a popular reputable provider in order to
avoid the browser warning. But the thing to remember is that
(in most cases) the warning is saying that your company may
not be ok ... Not that the information is unencrypted
Is the SSL encryption overkill for something like this? Or
would it be advisable? How big a security risk is there for
personal info like this?
The security risk is probably acceptable for your client, even if they don't
know that. However, it's so cheap to use SSL that you might as well
I'm not in a shared environment. I have my own VPS.
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 7:47 PM
To: CF-Talk
Subject: RE: OT: SSL Necessary? Important?
I've never implemented and SSL cert, so I'm not sure, but I
thought
umm sha i meant
Will is trying to make fun of u (yes again) but the way I look at it
at least you have more than 1 client, he can't say that :)
You can use ssl on there with no big deal.
If you aren't encrypting your passwords then sure it could be a big
deal if someone gets ahold of
Hi, all.
Pardon a quick OT question (or two). I have a client (church) that wants
to have a directory that is accessible to the membership, but not the
general public. Access will be controlled by password/username login.
But the church is also asking about an encrypted connection using an SSL
Will is trying to make fun of u (yes again) but the way I look at it at least
you have more than 1 client, he can't say that :)
You can use ssl on there with no big deal.
If you aren't encrypting your passwords then sure it could be a big deal if
someone gets ahold of their username and
lol, so prove me wrong!!!
captain lady killer ;)~
Rick,
Don't believe anything dave says. He's just disrupting again.
Anyway, do *I* look like I would make fun of you? :)
Will
~|
Adobe® ColdFusion® 8 software 8 is the
.
Wouldn't want to miss it, you know!
-Original Message-
From: Dave l [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 8:54 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?
umm sha i meant
Will is trying to make fun of u (yes again) but the way I look at it
at least
Rick,
Don't believe anything dave says. He's just disrupting again.
Anyway, do *I* look like I would make fun of you? :)
Will
~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the
Is the SSL encryption overkill for something like this?
IMHO yes.
Unless they are willing to pay for more protection, because it is not free.
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any
On Jan 24, 2008 11:38 AM, Claude Schneegans [EMAIL PROTECTED] wrote:
Is the SSL encryption overkill for something like this?
IMHO yes.
Unless they are willing to pay for more protection, because it is not free.
Unless they use OpenSSL and self-sign, which is free. Of course users
may not
72 matches
Mail list logo
