Some questions regarding SSL and client to server data transfer
I have a few general questions regarding the security of data transferred from the client to the server of a web site.
What I've read:
I've been reading about SSL, session IDs and encryption. I was reading how anyone running a sniffer can sniff your network data and, if the data is not encrypted, it can be used. And how, when linking to a site, they can catch session IDs in their referrer logs and use this to gather usernames and passwords and other important data.
My Situation:
My site does not have anything where credit cards, addresses or other more important data is being submitted, but I am making a discussion forum where currently I'm working on the sign-in part of it. So usernames and passwords would be submitted via form POST data, and once it gets to my server I encrypt it using DES encryption.
My questions are:
1) For my particular case, where only site passwords and usernames are sensitive data, can I get away without using SSL?
2) I've been reading about self-signed SSL certificates, OpenSSL and FreeSSL. Are these SSL alternatives just as secure as SSL itself, and do you recommend them?
3) If network data can be easily sniffed, what would be the purpose of me encrypting the data server side, since it was already sent unencrypted, other than against some script kiddie with local access to my files?
4) Can you recommend other ways I can secure my data, and possibly suggest another SSL alternative?
Re: Some questions regarding SSL and client to server data transfer
Quote:
Originally posted here by journy101
1) For my particular case, where only site passwords and usernames are sensitive data, can I get away without using SSL?
Not really.
Quote:
2) I've been reading about self-signed SSL certificates, OpenSSL and FreeSSL. Are these SSL alternatives just as secure as SSL itself, and do you recommend them?
SSL is only a specification for secure HTTP, a way to enable secure browsing on the internet. FreeSSL seems to be a provider of certificates, OpenSSL is an encryption programming library, and signed SSL certificates are digitally signed certificates. All of these are using the SSL specification; they are not in any way related to a different specification. SSL is enabled in browsers and web servers; it's not something you have to care about. You only need a certificate for your web server, which you can get from a certificate provider or generate your own using a CA server. Note that if you generate your own, the browser will pop up a warning message every time it logs onto your server. But the data will still be encrypted.
Quote:
3) If network data can be easily sniffed, what would be the purpose of me encrypting the data server side, since it was already sent unencrypted, other than against some script kiddie with local access to my files?
If you enable SSL the browser will also encrypt the data. Nothing is sent unencrypted.
Quote:
4) Can you recommend other ways I can secure my data, and possibly suggest another SSL alternative?
On the web SSL is the only way. You can't choose SSL, you can only choose browsers and servers. Apache and IIS use different implementations of SSL, and so do IE and Opera. And you can choose the certificate provider. Verisign is an alternative.
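The reply above says you can generate your own certificate and that the browser will then warn, while still encrypting the traffic. The following is an added example, not code from either poster: it generates a self-signed certificate with the openssl command-line tool, shows that its subject and issuer are the same (nobody but the server vouched for the name), and reproduces the browser's trust decision with "openssl verify" against the system CA store and then with the certificate itself pinned as the trust anchor. The hostname forum.example.test and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -e

WORKDIR="${TMPDIR:-/tmp}/selfsigned-demo"   # assumed scratch location

# Create a 2048-bit RSA key and a certificate that signs itself.
# -nodes leaves the key unencrypted so the web server can start unattended.
# Prints the path of the certificate file.
make_self_signed_cert() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=forum.example.test" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
  echo "$WORKDIR/cert.pem"
}

# A self-signed certificate carries the same name as subject and issuer:
# the server itself is the only party that signed it.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# What a browser does: chain the certificate to a CA it already trusts.
# A self-signed certificate fails this check, which is what the warning means.
verify_against_system_cas() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# What an operator of a private deployment can do instead: install this exact
# certificate as a trust anchor on the client after checking its fingerprint.
verify_with_cert_pinned_as_ca() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# The value to compare out of band before pinning.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone run: generate, inspect, and show both trust outcomes.
if [ "${1:-}" = "run" ]; then
  CERT=$(make_self_signed_cert)
  cert_is_self_signed "$CERT" && echo "self-signed: yes"
  echo "system CA store: $(verify_against_system_cas "$CERT")"
  echo "pinned as CA:    $(verify_with_cert_pinned_as_ca "$CERT")"
  cert_fingerprint "$CERT"
fi
```

Run it with `sh selfsigned.sh run`. The two verify results make the reply's point concrete: the connection is encrypted with either certificate, but only a certificate that chains to a CA the client already trusts tells the client which server it is talking to, so a self-signed certificate protects against passive sniffing while leaving the user to judge the warning.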