If I use an SSL certificate on my website, does that mean that it is safe to store confidential information in places like a MySQL database?
Thanks,
-Nick
Thanks,
-Nick
SSL Certificates
| polly-gone wrote: |
| If I use an SSL certificate on my website, does that mean that it is safe to store confidential information in places like a MySQL database? |
Nope. An SSL certificate means that people between you and your server, such as your ISP or a malicious third party, are unable to see what you're sending and receiving.
As a rule of thumb, if you (the author, owner, creator) are able to access one of your user's confidential credentials, your users credentials can possibly be compromised, and that's bad
Basically, you shouldn't store anything in your database that people wouldn't care about sharing, beyond the realms of, say, private messages.
| Hogwarts wrote: | ||
Nope. An SSL certificate means that people between you and your server, such as your ISP or a malicious third party, are unable to see what you're sending and receiving. |
Actually, that's not what a certificate is for. HTTPS (using SSL itself) does all that and you don't need a certificate.
What the Certificate does is tell you that the server you are connected to is vouched for by a certificate authority. Whether you trust the authority or not is another matter, although these are reputable companies which provide this service. You can also have self-signed certificates which most browsers will notify you about.
This means that should someone redirect the traffic to yourbank.com to another (malicious) server instead of the real one, then they won't have a certificate or the same certificate seen before. Hopefully the user or browser will notice this.
So if I am going to store confidential information in a database, I am going to want to use an encrypted database?
And how do I go about using HTTPS?
-Nick
And how do I go about using HTTPS?
-Nick
| AftershockVibe wrote: |
| Actually, that's not what a certificate is for. HTTPS (using SSL itself) does all that and you don't need a certificate.
What the Certificate does is tell you that the server you are connected to is vouched for by a certificate authority. Whether you trust the authority or not is another matter, although these are reputable companies which provide this service. You can also have self-signed certificates which most browsers will notify you about. This means that should someone redirect the traffic to yourbank.com to another (malicious) server instead of the real one, then they won't have a certificate or the same certificate seen before. Hopefully the user or browser will notice this. |
Given we're on a free host, I just assumed he wouldn't be looking for a (costly) SSL Certificate, and thus was referencing SSL encrypted traffic based upon his focus on the security aspects.
Probably it's a shared SSL certificate, it'd be good what type of shared certificate is.
Shared SSL usually takes one of the following forms:
a) Wild card certificate pointing at the customer's document root
Secure: https://yourusername.yourhostingcompany.com
Non-secure http://www.yourdomain.com
b) Standard certificate with a user directory path, typically this points to a separate directory where you can upload the pages you want to be secured.
c) Standard certificate accessible from the hosting companies available package shopping cart. This is a mix of a) and b) but the shared certificate is only usable from within the provided shopping carts.
Shared SSL usually takes one of the following forms:
a) Wild card certificate pointing at the customer's document root
Secure: https://yourusername.yourhostingcompany.com
Non-secure http://www.yourdomain.com
b) Standard certificate with a user directory path, typically this points to a separate directory where you can upload the pages you want to be secured.
c) Standard certificate accessible from the hosting companies available package shopping cart. This is a mix of a) and b) but the shared certificate is only usable from within the provided shopping carts.
Related topics
 |