Two Simple Security Steps for your Web SiteWritten by Alan Grissett
This article offers several security issues that every Web site owner or developer should be aware of.It's important to be aware of these issues because for many organizations, a Web site is an integral part of their processes, and any downtime can result in costly maintenance work, lost business, or upset customers.
First and foremost, you should only grant access to those who need access. For example, if you will be only one uploading files to site, no one else should have FTP privileges. If there is only one person in your organization who needs access to financial data related to Web site, only that person should be able to access billing records for your account. This also applies to any of other features or services that are accessible by administrators of Web site.
Why SSL is not enough to secure your credit card detailsWritten by ArticSoft
SSL (secure sockets layer) is security technology everyone uses to ensure that their web connections are secure. An SSL connection is symbolized by a padlock icon in right-hand side of taskbar and a URL that starts with Ďhttpsí, Ďsí standing for a secure http connection. What trust, however, should users associate with SSL?
SSL uses a method known as public key authentication in order to provide confidential link between server and client computer. This can be a very strong and effective method. It allows you to establish a strong confidential link between a server and a client without either knowing about other beforehand. And thatís where problems really begin.
Public key authentication works where each end of a connection can independently check that other end is real. Itís same idea as getting a cheque from someone you donít know and calling their bank to see if itís OK. Thatís why it doesnít really work. If it was going to work, server would have to be able to find out if client key really belonged to them or not Ė and it canít. In our bank example, itís like having a cheque without bank name on it or customer name bank knows you by so that you canít even ask question. In fact if that happened you probably wouldnít accept cheque!
As a result, server canít tell if a hacker has diverted you via their own site and is playing a Ďman-in-the-middleí attack where hacker gets to see all data going both ways. Usually server uses an identification that has been approved by one of companies whose information is stored inside your browser. Thatís why at client end it all seems fine. There is just minor problem that you canít actually tell if identity is still valid because thereís no way in current system to do that. Not surprisingly, there is nothing happening that allows server to link information arriving at it with actual user of client PC. It is always assumed that information comes from there but you canít prove it.