  #1 (permalink)  
Old 04-01-2007, 08:43 AM
mini_0
MasterBOT

Join Date: Mar 2007
Posts: 589
Secure your website

Hackers may want to hack your website when they see that it is commercial. Even if you have a small website, never underestimate the hackers. They can find a small loophole, and for small businesses it is quite harmful to lose the hard-earned money.
You need to make sure that your web site is secure, so that people’s credit card information cannot be stolen. To do this you need to set up your web site on SSL or Secure Sockets Layer. Your ISP can set this up for you, and then you can get an SSL certificate to let the world know that your site is secure.
Reply With Quote
  #2 (permalink)  
Old 04-04-2007, 09:39 PM
hope_07
Noobie-BOTster

Join Date: Apr 2007
Posts: 11

Hi Mini, aside from anti-spamware and anti-virus methods and solutions, there are also a lot of software-related companies that examine the threat posed by these obstacles on the net; in particular, Symantec has developed new programs.
Reply With Quote
  #3 (permalink)  
Old 07-23-2007, 12:22 AM
Thesa
AffiliateBOTster

Join Date: May 2007
Posts: 102
SSL Certificates

E-commerce is an online business wherein vendors and clients deal together virtually without meeting. The clients/visitors are required to make online transactions (generally via credit cards), thus security is important.

In order to gain their trust and confidence, E-commerce websites need to be secured via SSL certificates.


SSL Definition (Web server certificates/ Secure Server Certificates/SSL Certificates)

A protocol developed by Netscape, introduced in 1994.

SSL has been the de facto standard for e-commerce transaction security and the Web standard for encrypting communications between users and SSL-enabled sites.

They are required to initialize an SSL session, and are used on:

• Web Servers for Internet security

• Mail Servers (IMAP, POP3, SMTP) for mail transaction security.


Features of SSL

- Based on encryption, encrypts data (credit cards numbers) and sends it to the receiving Web site.

- Proves security and integrity and ownership of the website, uses 128-bit (present standard) or 40-bit encryption (256 bit coming)

- Prevents eavesdropping, hacking of information, thus businesses and consumers are assured of security of private data sent to a Web site

- SSL secured sites URL - https://www.site.ext
Non secure sites URL - http://www.site.ext

- On SSL connection, a little gold padlock icon is seen at bottom of web-page, which contains information about certificate holder such as domain to which the certificate was issued to, name of Certificate Authority (CA) who issued the certificate, the root and country it was issued in. (As well described by Manny, in the http://forum.affiliatebot.com/showthread.php?t=1250)

- Another protocol for secure transmission of data: Secure HTTP (S-HTTP) - transmits individual messages securely. Thus, both complement each other.

Last edited by Thesa; 07-23-2007 at 12:32 AM.
Reply With Quote
  #4 (permalink)  
Old 07-23-2007, 12:42 AM
Thesa
AffiliateBOTster

Join Date: May 2007
Posts: 102
More on SSL

Need for SSL

- The clients/visitors feel secure in dealing with secure sites. Ninety-three percent of online shoppers surveyed by VeriSign (a CA issuer) reported that they felt it important for an e-commerce site to include a trust mark of some kind on their site.

- If the personal data is hacked and misused in any manner, the victims can resort to legal process which can mean loss of face, trust and confidence in business.

- Research suggests that having a recognizable SSL certificate may, in fact, have a direct correlation to increased e-commerce sales. Customers are more comfortable shopping on those sites and have fewer abandoned shopping carts and better repeat purchases.

Caution:

SSL does not protect server or software installed from attacks/malicious hacks, which can be protected by firewalls, virus checkers, Apache and IIS user and password protection for directories and files.


Ways to obtain a SSL Certificate

(A) Can buy one from a certificate vendor (encryption type of 40-bit, 128-bit and 256-bit are offered, please check out with the sites for latest updates):

- Verisign (www.verisign.com)

- Comodo (aka: InstantSSL) (www.comodogroup.com)

- Thawte (www.thawte.com): Web Server Certificates and 128-bit SuperCert

- GoDaddy SSL (www.godaddyssl.com): Turbo, High-Assurance, Wildcard

- GeoTrust (GeoTrust or RapidSSL)

- Baltimore (Baltimore.com)

- Entrust

- ipsCA


(B) Can sign the certificate oneself via both open source and proprietary tools; this might save the time and expense of going to a certificate vendor. However, it is not recommended, as it is similar to issuing oneself a license that has not been verified/recognized by some central authority. Also, data might be encrypted, but a warning shall indicate that the certificate is not recognised.


(C) If you own a server, you are required to generate a CSR (Certificate Signing Request) – a block of encoded data that is generated by the web server and contains the necessary details about the domain and organization. If on shared hosting, the host is required to raise a CSR.
Reply With Quote
  #5 (permalink)  
Old 07-23-2007, 12:48 AM
Thesa
AffiliateBOTster

Join Date: May 2007
Posts: 102
More on SSL

Checklist for choosing: SSL Certificate Vendor/Certificate Authority (CA)

1) Reputation, credibility of CA (their business and clients), whether the root is available in all popular browsers

2) The ownership of root (whether owned by CA and not chained to someone else's root)
Either own/have Trusted Root in most browsers which are expensive and recognized.
In IE, these CAs can be seen here -- Tools-> Internet Options, select Content tab, click Certificates, select Trusted Root Certification Authorities tab. A dialog box presents a list of these CAs (can examine them on double clicking)

If they do not have the above, they should have a Chaining Certificate that links whatever they sell to clients with a trusted root (128 bit and as secure as above, but lesser known)

3) The management of certificate (whether easy to install and acquire, renew, revoke etc.), who shall do the examination (CA itself or do they delegate to their resellers?)


Requirements for running SSL on a server

- Require a web server that is capable of running SSL.

- To be able to access the SSL configuration functions of the web server.

- Require a Certificate Signing Request (CSR).

Installation:

Refer to the hosting company and CA providing the Certificate.


Setting up of SSL Certificates

- Certificate encrypts data precisely - www.yourdomain.com is different from yourdomain.com. Thus, ensure that the CSR is raised with the correct and full name of the domain to be encrypted.

- Send CSR to certificate issuer who shall examine and inform administrator of domain who shall then acknowledge the mail from the issuer and okay the SSL.

- Now, issuer will raise a SSL cert and send it to administrator. If using a chaining issuer they shall send a chain certificate also.

- The above is now sent to the host who will install as follows:
SSL cert, installed in a directory on server along with chaining certificate if applicable. The key generated in step 2 above is also installed.

Next, configure files of Server (Apache) to include statements that shall inform server that site has SSL encryption certification.
Reply With Quote
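
Added example, not part of the original posts: the CSR step and the pre-install check from the post above, done with the `openssl` command line. It goes slightly beyond the post by listing names in `subjectAltName`; the function names and the organisation value are constructed, and the domain names are the post's own placeholders.

```shell
#!/bin/sh
# Added example. www.yourdomain.com / yourdomain.com are the thread's placeholders;
# function names and the organisation value are constructed for illustration.

# make_csr DIR CN [EXTRA_NAME...]: write DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; cn=$2; shift 2
    sans="DNS:$cn"
    for n in "$@"; do sans="$sans,DNS:$n"; done
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
O = Example Shop
[ext]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# csr_names CSR: print every DNS name the CSR asks the CA to certify
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_covers CSR HOST: succeed only if HOST is listed exactly
csr_covers() {
    for n in $(csr_names "$1"); do
        [ "$n" = "$2" ] && return 0
    done
    return 1
}

# cert_matches_key CERT KEY: succeed only if both carry the same public key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Demo in a scratch directory: a CSR raised for the www name alone
d=$(mktemp -d)
make_csr "$d" www.yourdomain.com
csr_covers "$d/server.csr" www.yourdomain.com && echo "www.yourdomain.com: in CSR"
csr_covers "$d/server.csr" yourdomain.com || echo "yourdomain.com: NOT in CSR"
rm -rf "$d"
```

Run `cert_matches_key` on the certificate the issuer sends back and the key generated with the CSR before handing both to the host; a mismatch means the certificate was issued for a different CSR.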
  #6 (permalink)  
Old 07-23-2007, 12:52 AM
Thesa
AffiliateBOTster

Join Date: May 2007
Posts: 102
Secure HTTP (S-HTTP)

Quote:
Originally Posted by Thesa
- Another protocol for secure transmission of data: Secure HTTP (S-HTTP) - transmits individual messages securely. Thus, both complement each other.
SHTTP (Secure Hypertext Transfer Protocol), developed by Enterprise Integration Technologies in 1995 to ensure security with commercial transactions on Internet.

A protocol that provides secure transactions over Web and is endorsed by a variety of organizations.

An extension to HTTP protocol to support sending data securely over World Wide Web. Not all Web browsers and servers support S-HTTP. Each S-HTTP file is either encrypted, contains a digital certificate, or both.

For a given document, S-HTTP is an alternative to above mentioned security protocol, Secure Sockets Layer (SSL). Has been submitted to the Internet Engineering Task Force (IETF) for consideration as a standard.

It is not HTTPS ->HTTP over SSL.


Comparison of SSL and S-HTTP

Major difference
S-HTTP allows client to send a certificate to authenticate user.
In SSL, only server can be authenticated.

S-HTTP is likely to be used in situations where server represents a bank and requires authentication from user that is more secure than a userid and password. It does not use any single encryption system, but supports the Rivest-Shamir-Adleman encryption system.
SSL works at a program layer slightly higher than the Transmission Control Protocol (TCP) level.
S-HTTP works at the even higher level of the HTTP application.

Both security protocols can be used by a browser user, but only one can be used with a given document. A number of popular Web servers support both S-HTTP and SSL. Newer browsers support both SSL and S-HTTP.
Reply With Quote
All times are GMT -7. The time now is 01:26 AM.