|
SSL question (IIS Server Security, September 2004)
|
|
| Michael 2004-09-02, 6:45 pm |
| I have a small question with regard to SSL and IIS.
I've already installed a self-signed SSL cert on my web server.
My question now is, I've a page which has a form. This page is unencrypted.
But in this page, it has a form and that form will post to an SSL page when
it's submitted. Will the data that's entered in that form be encrypted???
2nd question is, no matter whether it is a self-signed or a VeriSign cert, the encryption
technology (1024, etc) is still there, right?? It's just that with VeriSign,
it's a recognized 3rd party and there won't be any prompting msg??
| |
| Miha Pihler 2004-09-02, 6:45 pm |
| Hi Michael,
From what I can read from your post, users will access an unencrypted site and
enter their details in a form. After they are done they click submit to
submit data. In this scenario data between the client computer and your server
will travel in clear text (unencrypted). After it gets to the server it can
be posted in encrypted (SSL) form to another page if you configure it so...
The answer to your 2nd question is yes. My recommendation though would be to use
a 2048-bit key size (you can select this when you are performing the certificate
request).
Mike
| |
| Michael 2004-09-02, 6:45 pm |
| Hi Mike, thanks for your reply.
For my first question, ultimately for data that is submitted (posted) from
an unencrypted page to an encrypted page, the data is not encrypted?
The reason I'm asking is because I want to warn the users of the self-signed
SSL. Thus on the form, I will have some notes warning users that once they submit
they will get a prompt since it's self-signed. But if it's not encrypted, then
I have to warn them even before the form appears then. Am I right?
| |
| Miha Pihler 2004-09-02, 6:45 pm |
| If you want to warn the users, create a first page with a warning where users
don't have to enter any data. When they click e.g. OK they are transferred
to the safe part (encrypted -- SSL protected site). From this point forward
everything is encrypted.
You can also give users an option to download your root certificate so that
they will trust your certificates. Also post on your website any information
(public information) of your certificate (e.g. serial number, fingerprint)
that some users might want to look at to see what certificate they are
agreeing with...
If you look for "cheap" 3rd party certificates, look at Thawte. I think you
can get SSL for about 150 USD.
Mike
|
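A way to check the layout recommended in the last reply, where the page carrying the form already sits on the SSL-protected site. This is an added example, not part of the original thread: it parses a page's HTML and reports any form whose page URL or action URL is not https. The host name, paths and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_action_url, findings) for each form on the page."""
    collector = _FormCollector()
    collector.feed(html)
    page_is_ssl = urlsplit(page_url).scheme == "https"
    results = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        findings = []
        if not page_is_ssl:
            findings.append("form page is not served over SSL")
        if urlsplit(target).scheme != "https":
            findings.append("form posts to a non-SSL URL")
        results.append((target, findings))
    return results


# Constructed sample pages (hypothetical host and paths).
SAMPLE_PAGES = {
    "http://www.example.com/order.htm":
        '<form method="post" action="https://www.example.com/secure/submit.asp">'
        '<input name="card"></form>',
    "https://www.example.com/secure/order.htm":
        '<FORM METHOD="post" ACTION="submit.asp"><input name="card"></FORM>',
    "https://www.example.com/secure/search.htm":
        '<form action="http://www.example.com/search.asp"><input name="q"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        for target, findings in audit_forms(url, html):
            print(url, "->", target, ":", "; ".join(findings) or "OK")
```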