Business Sites     

Web Applications      Web Site Hosting      Search Engine     
CompanyWeb.net: Web Hosting, Internet Programming, Search Engine Optimization

 

 


   

CompanyWeb Articles

Book Reviews
Columns

Web-Source Topics...

Horse's Mouth
ProBizTips

CompanyWeb Search



Web Design Master Series Article

Web Design Master Series Article is syndicated from Web-Source.net.

Syndicated articles are written by independent authors and the contents represent the author's views. The content of the article does not necessarily represent the views of Company Web staff and management.


Master Series

Secure Servers

By William Bontrager Copyright 2004 Bontrager Connection, LLC

When you are viewing a page with an https://... URL and the lock on your browser is closed, it means you have a secure connection to a server. The server on a secure connection is often thought of as a "secure server," but that isn't necessarily true.

Let me explain.

First, let me mention that I do not consider myself to be a security expert. That would be a full time job all by itself. My main job is computer programming. However, I am aware of security issues and try to make only secure programs.

Some things are just common sense.

Secure connections are made with SSL, which is a form of encryption to provide secure transmission of data on the Internet. Data flow between your browser and the server is encrypted with a secret code.

Notice that it's the transmission of data that is secure.

If the server stores the information received via a secure transmission, the information might or might not be secure.

SSL provides secure transmission. That's all it does.

See http://www.google.com/search?q=define:SSL for more SSL definitions.

What happens with the information once it arrives at the server via a secure transmission depends on the parties responsible for the server.

Individuals and Organizations should treat sensitive information in a manner consistent with good security practices. Unfortunately, that's not always the case.

When I hear of instances where SSL is used to collect credit card information from customers, only to then have the unencrypted credit card information emailed, I shudder. Anyone who knowingly and willingly subjects sensitive customer information to insecure environments can not be trusted.

Storing Information On the Server

Information that needs to be secure should be stored on the server only until the first opportunity to retrieve and remove it. The less time data is on the server, the less opportunity for compromise.

Information should be stored in a place on the server where browsers can't go, in a private area.

That is not possible with all hosting accounts. Business hosting accounts generally have a cgi-bin, however, and that can be a good place to "hide" information.

To hide information in the cgi-bin, simply name the files that contain the information with a ".cgi" file name extension (or ".pl" if your server requires Perl scripts to have the .pl extension).

When anyone tries to access information with a browser, and the file has a .cgi (or .pl) extension, the server will try to run the file as if it was a Perl script. The browser will then get only an error message, not the data in the file.

To get at the file with FTP, telnet, or SSH (somewhat like a secure telnet), the cracker would need to know or guess the username and password to your server. Depending on your situation, in may be prudent to encrypt information that needs to be secure and remain on the server.

Retrieving Information From the Server

Unless you have physical access to the computer that serves your site to Internet browsers, there are few methods to securely retrieve data from your server:

  • If you have shell access to your hosting account, SSH is secure. Simply log in, retrieve the file or open it and copy the contents, then delete the file if appropriate.
  • Have a script send the information to you with encrypted email.
  • Use your browser to access a CGI program to retrieve and view the information on the secure server. Master Secure File Viewer from http://willmaster.com/a/24h/pl.pl?msfv is ideal for this. It can even be used to delete the files after you've retrieved the information.

Don't use unencrypted email or FTP with an insecure connection to retrieve sensitive information. And please don't store information in files where the contents can be viewed with an Internet browser.

If you're going to provide a secure connection to your server, follow through and keep the information secure. Your customers expect that you will.

It's not a lot of trouble, mostly common sense.

Will Bontrager

Copyright 2004 Bontrager Connection, LLC

About the Author:

William Bontrager Programmer/Publisher, "WillMaster Possibilities" ezine mailto:possibilities@willmaster.com

Are you looking for top quality scripts? Visit Willmaster and check out his highly acclaimed Master Series scripts. Some free, some for a fee.

Content Provided By:

 

More Master Series Articles...

 

 


Frontpage, NT are Trademarks of Microsoft Corporation. CompanyWeb Site Copyright (c) 1998 - 2003, CompanyWeb.net Site Development Service Group.