
Webmaster General Forum

    
Secure Sites
How can you tell if they are really secure?
ember




msg:3274027
 3:44 pm on Mar 7, 2007 (gmt 0)

For a site to be secure, doesn't it have to have a https:// at the start (not http://)? And the code not be viewable with a right click on "view source?" And isn't there supposed to be a little lock icon somewhere in the browser window? I have a friend who had a webmaster build a "secure" site for her but it doesn't look secure to me. I need to know if I am right before telling her to get her money back.

 

bunltd




msg:3274081
 4:12 pm on Mar 7, 2007 (gmt 0)

Yes, it should be served with https://. You should see the lock icon in the status bar at the bottom of the browser. When you click the icon, it should show information on the SSL certificate being used for the secure connection.

The SSL certificate should be for her specific domain name, be installed on her host and it should not be self signed but issued by a CA (certificate authority). You should not get any security warnings on visiting the site.

If she is on shared hosting, without her own IP - chances are she is not secure - because SSL is basically one certificate per IP.

Right click will still show source - being secure doesn't affect that, it encrypts the information coming and going.

Hope that helps!

LisaB

mcavic




msg:3274136
 4:59 pm on Mar 7, 2007 (gmt 0)

Some sites that accept credit cards aren't secure until you click submit. The form will be http, but it will submit to an https.

That's probably good enough for accepting payments, but it's not the definition of a secure site.

ember




msg:3274189
 5:30 pm on Mar 7, 2007 (gmt 0)

Thank you. Her site is definitely secure, and the supposed webmaster owes her a refund.

r3nz0




msg:3277223
 2:39 am on Mar 10, 2007 (gmt 0)

When the page is in HTML and the form submit is to an HTTPS, it's totally not secure!

The certificate has to be validated / accepted before posting.

rocknbil




msg:3277802
 7:43 pm on Mar 10, 2007 (gmt 0)

Her site is definitely secure, and the supposed webmaster owes her a refund.

Is, or is NOT?

Before you go slamming this "webmaster" and demanding a refund, you may want to gather a little more understanding of what secure and non-secure means, and does.

There is not a single bit of difference between a page on a non-secure server and one on a secure server. Not one. So your initial claim that the developer "built a secure website" says you're ready to jump this person without any grounds for a complaint.

An example: pick out any page and go to it with and without the https:

https://example.com
http://example.com

Same page. One is "secure" and one is not. So, you're saying, what am I paying for on a secure server?

As said a secure server delivers encrypted pages to the browser, and if the browser understands and recognizes the certificate, using the encryption scheme defined in the certificate, takes any plain html page loaded in the browser and encrypts it before sending it back to the server. THIS is the effect of a secure server, and has nothing to do with the pages created on it. A secure server encrypts the data being sent to and from the browser so if the data is intercepted en route it is extremely difficult to decode into anything that can be abused.

But the page that exists on the server is just plain html.

Now, there ARE a few things the web developer should be responsible for. See my previous example between http and https. If a page is supposed to be on the secure server, a visitor should NOT be able to accidentally or intentionally enter the non-secure url. The web developer should put means in place to prevent this from happening, the most graceful being an invisible rewrite using mod_rewrite, a more simplistic method would be a simple redirect.

Secondly there are many things in any server side programming that should be addressed dealing with security, a developer is responsible for these issues.

But if you have a simple form submitted to a secure gateway, there's not one bit of difference between this form and a non-secure version. The difference is how it is requested.

Be sure you understand these issues, nowadays when I get inquiries like this, I am inclined to bill the customer the time it takes to explain it to them. If a client brought this question to me in the way you have phrased it, I would have to tell them this information comes from an uninformed source and I could fully explain it but the time would be billable.

Some sites that accept credit cards aren't secure until you click submit. The form will be http, but it will submit to an https.

As said this is not only false, it's insecure and dangerous. Any web developer that has a form on a "regular" server in which the user enters sensitive information, such as credit card info, should be banned from computer usage. :-) The form on which you ENTER info needs to be generated from a secure server. Otherwise it's submitted as plain text.

The exception would be a page that accepts **only** non-sensitive information, then passes a total and a few other tokens to a secure server. The PayPal payment forms on sites are a good example. But if you notice, when you submit from the site, the CC info is collected on PayPal, not on the originating server.

That would be insanely insecure.
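An added example, not part of any post in this thread: a small audit that classifies each form on a page by the scheme of the page serving it and the scheme its action resolves to, which are the two cases argued over above. A form delivered over http reaches the browser unauthenticated, so it is reported separately even when its action is https. The function names, field-name heuristic and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic for sensitive field names (an assumption; tune it per site).
SENSITIVE = re.compile(r"pass|card|cc-?num|cvv|cvc|ssn", re.I)
# Constructed sample page, not taken from the thread.
SAMPLE = """
<form action="https://shop.example/pay"><input name="card_number"><input name="cvv"></form>
<form action="/search"><input name="q"></form>
<form action="login.php"><input type="password" name="pw"></form>
"""

class FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it holds a sensitive input."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            label = " ".join(v for v in (a.get("name"), a.get("id")) if v)
            if (a.get("type") or "").lower() == "password" or SENSITIVE.search(label):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return (resolved_action, verdict) for every form found in html."""
    collector = FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in collector.forms:
        # Relative or empty actions inherit the scheme of the serving page.
        action = urljoin(page_url, form["action"])
        if not form["sensitive"]:
            verdict = "not-sensitive"
        elif urlsplit(action).scheme != "https":
            verdict = "sent-in-clear"
        else:
            verdict = "ok" if page_https else "form-served-over-http"
        results.append((action, verdict))
    return results
```

Run `audit_forms` once with the http URL of a page and once with its https URL: relative actions change verdict with the serving scheme, which is why the http variant of a sensitive page should redirect rather than render.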

mcavic




msg:3277833
 8:37 pm on Mar 10, 2007 (gmt 0)

this is not only false, it's insecure and dangerous.

I know it's very wrong, but it's true that I've seen one or two sites that do it.

The form on which you ENTER info needs to be generated from a secure server. Otherwise it's submitted as plain text.

If that's true, then it's a bug in the browser, right? If the form action is an https address, then the form contents should be submitted over an encrypted connection.

ember




msg:3278929
 3:27 am on Mar 12, 2007 (gmt 0)

That was a typo, saying the site is secure, and the message could no longer be edited. The site is not secure. And, jeez, I am just trying to protect my friend, not attack a webmaster. That is why I asked the question here first.
