Tips on creating a Good website
Hi guys,
This thread is dedicated to shalini and all CEans
In this forum we are going to discuss the various security issues (as far as I know) that one should keep in mind when creating a website.
Alright, let's get it started.....
Security issues can be divided into two categories: system security (for example, ensuring that other people cannot change your Web site) and information security (for example, ensuring that the customer details from an online store are safe).
System security
It is important to ensure that your system is secure, and reduce the chance that hackers can break into your Web server and alter pages.
System security is a strong responsibility, especially if you operate your own Web server.
Information security
Some Web sites may store sensitive information, such as the personal details (and perhaps even credit card numbers) of users. You should analyse the information stored and work out which information must be kept secure. As the operator of such a site, you have a responsibility to keep this information safe.
Encryption
Encryption, which makes it difficult for other people to intercept information, can be an important aid to security. However, encrypted Web connections (indicated by a padlock icon in the browser) do not ensure that information is held securely.
Complex issue
Making a site secure can be complicated. If you don't understand some of the basic concepts, you are unlikely to create a secure site simply by using 'secure' software.
More to come.......
-Arvind(slashfear)
Replies
-
slashfear: Hi Guys,
This time it's about passwords; we will have a peek into the problems with passwords and how to use passwords securely......;-)
Passwords:
There are two important issues in system security. One is in the use of passwords, which should be chosen and used securely. However secure a system might be, it is normally left wide open if the password used to access it is compromised.
Problems with passwords
Most systems use passwords to restrict access. It is possible to obtain a password in several ways:
-> guessing
If you choose a particularly simple password (your mother's maiden name, your pet's name, your favourite sports team) then people may be able to guess the password
-> brute-force search
There are programs which can try many passwords, for example by going through every word in a dictionary
-> social engineering
It is often possible to trick people into revealing passwords, for example by phoning up and pretending to be the Internet service provider or a member of the company
-> obtaining stored passwords
Sometimes people store passwords on their computer, on post-it notes, in their diary, etc. In this case, the password can easily be obtained by somebody with physical access
-> obtaining shared passwords
When the same password is used for several systems, anybody who obtains the password for one system already has it for all others
-> installing trojans
There are 'trojan horse' software programs which install invisibly on your computer, monitoring keystrokes. These are often associated with computer viruses
-> interception
If passwords are sent across an unencrypted connection, it may be possible to intercept the password as it is transmitted (this is usually a relatively low risk)
Using passwords securely
You can avoid these problems by:
-> using a good password
Choose a password that is reasonably long (at least 8 characters) and is not made up of simple words. Use punctuation and numbers if possible
-> ensure systems limit password attempts
If possible, make sure that the system allows only a certain number of password attempts before locking out the account
-> not storing passwords
Do not store important passwords on your computer, or write them down
-> not sharing passwords
Use different passwords for all important systems
-> never giving out passwords
Do not give out your password to anybody
-> maintaining general levels of computer security
Use a virus checker and ensure that your email program is configured securely and kept up to date
-> using secure connections for passwords
Make sure that passwords are sent across secure connections so that they cannot be intercepted in transit
Stay tuned guys.....!! More to come..........;-) -
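A worked version of the two most mechanical points in this post (a password that is long, not a plain dictionary word, and mixes digits and punctuation, and a system that limits password attempts before locking the account). This is an added Python illustration, not code from slashfear's post; the five-word dictionary, the attempt limit and the demo user are constructed stand-ins.

```python
import string
from collections import defaultdict

# Constructed, tiny stand-in for a word list; a real check would load a full
# dictionary (assumption for this example).
COMMON_WORDS = {"password", "football", "letmein", "welcome", "dragon"}

MIN_LENGTH = 8       # the post's "at least 8 characters"
MAX_ATTEMPTS = 5     # lock the account after this many failures (assumed value)


def password_problems(password):
    """Return the rules a candidate password breaks; an empty list means it
    meets the post's advice: long, not a plain word, with digits and punctuation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("contains no punctuation")
    return problems


class LoginGate:
    """Counts failed logins per account and refuses further attempts once the
    limit is hit, so a brute-force search cannot keep trying guesses."""

    def __init__(self, check_credentials, max_attempts=MAX_ATTEMPTS):
        self._check = check_credentials   # callable(user, password) -> bool
        self._max = max_attempts
        self._failures = defaultdict(int)

    def is_locked(self, user):
        return self._failures[user] >= self._max

    def attempt(self, user, password):
        """Return 'locked', 'ok' or 'denied'."""
        if self.is_locked(user):
            return "locked"               # the password is not even consulted
        if self._check(user, password):
            self._failures[user] = 0      # a good login resets the counter
            return "ok"
        self._failures[user] += 1
        return "denied"


# Constructed credential store for the demo. It holds plaintext only to keep
# the example short; a real store holds password hashes, never plaintext.
_DEMO_USERS = {"alice": "Gr4pe!Ju1ce"}


def demo_check(user, password):
    return _DEMO_USERS.get(user) == password


if __name__ == "__main__":
    print(password_problems("football"))     # breaks three of the rules
    gate = LoginGate(demo_check, max_attempts=3)
    for guess in ["a", "b", "c", "Gr4pe!Ju1ce"]:
        print(guess, gate.attempt("alice", guess))  # the right guess arrives too late
```

The lockout counter lives in memory here; on a real site it belongs in the same store as the accounts so that every web server node sees the same count.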
Kaustubh Katdare: @Slashfear: Most of the systems use MD5 encryption for storing passwords into the Database. It makes it impossible for the system/database administrators to know the user passwords.
Good thread, waiting for more -
shalini_goel14: Thanks a lot slashfear for at least listening to me.
Hey slashfear, if possible try to avoid these theoretical things and elaborate more about each. Take your time.
I am waiting to extract more and more information from you. -
Prasad Ajinkya: More on making your website secure - well, at least the password front.
Always, always and I mean always store them in MD5 format. That way, even you do not know what the passwords of the users are (until and unless you have the patience to run them through a rainbow table!)
Second thing you can do is provide TLS support. That's Transport Layer Security (the padlock). It's basically a security certificate for your server and its subsequent transactions. -
shalini_goel14: Hello Sir,
kidakaka wrote: Second thing you can do is provide TLS support. That's Transport Layer Security (the padlock). It's basically a security certificate for your server and its subsequent transactions.
How can we provide TLS support? -
slashfear: Hey guys,
MD5 encryption.....!!! ;-) ok here is how you do it......
If you are developing a password-protected web site, you have to make a decision about how to store user password information securely.
What is "secure," anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).
MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert an encrypted output to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains read permission on the user table, it will do him no good.
MD5 does have its weaknesses. MD5 encryption is not infallible: if the password is not strong enough, a brute force attack can still reveal it. So, you can ask: "Why should I use MD5 if I know it is not the most secure?" The answer is fairly straightforward: it's fast, it's easy, and it can be powerful if salted. The greatest advantage of MD5 is its speed and ease of use.
It is vitally important to understand that password encryption will not protect your website; it can protect your passwords only. If your website does not have sufficient protection, password encryption will not make it safe from cracking. If your system has been cracked, a hacker can inflict irreparable damage on it and also gain access to confidential information, including the password database. But if you store this information encrypted, hackers practically cannot make use of it. Cracking an encrypted password takes a large amount of time and processing power, even on today's computers.
So, let's start. First of all, you need to add a new account to your database. The following code allows you to do it.
Now, when a new user completes the registration form, his password will be encrypted automatically.
After that we should write code that validates a given username/password pair.
And what if you already have the users' database ready and want to start using encrypted passwords? To do it, you need to write an encrypt.php script as shown in the code below and run it in your browser.
[B]
ord('9')) && (ord($str[$i])
ord('f'))) return false; return true; } ?>
Encrypt passwords
Total passwords in the table
All passwords are encrypted.
Unencrypted
Click "GO" to encrypt passwords.
WARNING! There will be no way to decipher the passwords.
[/B]
Hope I made it right......!!! If I am wrong correct me bigie........
-Arvind(slashfear) -
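An added Python illustration of the storage scheme this post describes; it is not the encrypt.php from the post (whose code did not survive the archive). It hashes at registration, compares hashes at login, and migrates a table that still holds plaintext. The hex-string check is my reading of what the post's script was testing character by character, and the user table is constructed. MD5 is kept only because it is what the thread uses: as the post itself says, a fast hash falls to brute force when the password is weak, and current practice is a salted, deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2), so treat md5_hex below as the one function you would swap out.

```python
import hashlib
import hmac
import secrets


def md5_hex(data):
    """Hash function kept as MD5 to match the thread (see the lead-in)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def looks_hashed(value):
    """True if value is a 32-character lowercase hex string, i.e. shaped like
    an MD5 digest. Assumed to be what the post's encrypt.php checked per
    character before deciding whether a row still holds plaintext."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def make_record(password, salt=None):
    """Build the stored form 'salt$md5(salt+password)'. A fresh random salt per
    user means two users with the same password get different records, so a
    precomputed table of digests is useless against the whole table at once."""
    if salt is None:
        salt = secrets.token_hex(8)
    return "%s$%s" % (salt, md5_hex(salt + password))


def verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record.split("$", 1)
    return hmac.compare_digest(md5_hex(salt + password), digest)


def migrate_unhashed(users):
    """Replace every plaintext password in the table with a salted record and
    return how many rows changed. Rows already in salt$hash form, or already a
    bare digest, are left alone. Irreversible, as the post's WARNING says."""
    changed = 0
    for name, stored in list(users.items()):
        if "$" in stored or looks_hashed(stored):
            continue
        users[name] = make_record(stored)
        changed += 1
    return changed


if __name__ == "__main__":
    # Constructed user table: one plaintext row, one legacy bare digest,
    # one row already in the salted form.
    table = {"alice": "plaintext1", "bob": md5_hex("x"), "carol": make_record("y")}
    print(migrate_unhashed(table))              # 1
    print(verify("plaintext1", table["alice"]))  # True
    print(verify("guess", table["alice"]))       # False
```

The same input always hashes to the same digest, which is exactly why the salt is needed: without it, every user who picked the same password shares one recognisable row.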
slashfear: Hey shalini,
I am sorry, without the explanation people can't understand what's going on......
So forgive me for the explanations and you will surely have samples for everything....
And do you know you can use the MD5 algorithm in JAVA too.....
-Arvind(slashfear) -
shalini_goel14: Ya I guess, I know its algorithm and I can program it in Java. Never tried but would like to try once and will let you know if I get it done.
slashfear wrote: Hey shalini,
And do you know you can use the MD5 algorithm in JAVA too.....
-Arvind(slashfear) -
sarveshgupta: Good thread Slashfear! Currently going through exams. I will surely try to follow it. Although I need to learn php first. The theory part is great but the code sample is going above my head.
Waiting to finish exams and learn php. Then I will surely be able to understand and post questions. Still trying to understand the concept. -
sarveshgupta: Can you tell me, is this MD5 algorithm available in .net also?
-
slashfear: Hi Sarvesh,
Thanks dude!!!
Yes it is available in .Net too ;-). To use MD5 in .Net, you have to import the following:
Imports System.Security.Cryptography
And I am not that good in .Net, so I thought of posting you this link which would be helpful to you and will help you get a clear picture of how to do it in .Net along with an Example. Here is the Link:
#-Link-Snipped-#
#-Link-Snipped-#
Hope this was useful to you.......!!!!;-)
-Arvind(slashfear) -
sarveshgupta: Thank you Slashfear..
-
sarveshgupta: Hope to learn and see more from you..
-
Ramseem: How to create a site including php or .net?
-
Kaustubh Katdare: Ramseem - if you know PHP you'll know how to set up a website. If you need basics on setting up a website, look at the following -
#-Link-Snipped-#
#-Link-Snipped-#
#-Link-Snipped-# -
slashfear: Thanks Bigie for solving the previous query.............
-
slashfear: Hey guys,
I think it is important and useful for you guys to go through and know what a "Distributed Denial of Service" (DDoS) attack is.
I have already discussed this attack and prevention methods in this forum, so for the guys who missed reading it... Here is the link:
#-Link-Snipped-#
Any doubts and if you want any detailed description please feel free to ask guys!!!!;-)
-Arvind(slashfear) -
Ashraf HZ: Slashfear, I enjoy reading your threads! Cryptology is one of my recent interests
-
slashfear: Thanks ash......:smile:
-
slashfear: Hi Guys,
This time we go with the need for SSL certificates for websites.....
SSL Certificates:
The most basic component of website security is SSL, Secure Sockets Layer technology. All web pages that transmit and receive credit card and other sensitive information should use SSL for website security.
This form of website security utilizes a system of invisible "encryption" that guarantees website security without any inconvenience to the communicating parties. SSL is an industry standard that provides website security to millions of websites.
Commonly, information is sent across the internet by passing it from one computer (also called "servers") to another and website security is not a serious issue. However, because every bit of information on the internet travels through so many computers (servers) to reach its destination, website security IS an issue when sensitive information is passed.
"Encryption" is the process of converting sensitive information, referred to as "plaintext" which anyone can read, into coded or "ciphertext" which requires a "key" for deciphering. SSL ensures that data passed between web servers and browsers (personal computers) have proper website security so that what are called secure "sessions" can transpire between two parties.
To implement the SSL website security protocol, an SSL Certificate is required. These can be obtained through various website security vendors and through website hosts and web page vendors that are Certification Authorities (CA's). These should be a trusted CA source to additionally assure your website security.
An SSL Certificate for website security requires a domain name, company name, address, city, state and country. When issued it will contain the expiration date and information about the Certification Authority that issued this website security instrument.
This Certificate is checked by any computer browser that begins a secure session on a website. SSL website security protocol, when checking an SSL Certificate, will note the expiration date, whether the CA is one that is trusted by the browser, and that the Certificate is in use by the correct website for which it was issued. Failing any of these checks will prompt a warning to the end user, indicating that website security is in doubt.
You can get SSL certificates from Buy SSL from a Leading Certificate Authority | Thawte® or from #-Link-Snipped-# or Google it out!!!
PS: Mods please check the above links :smile:
-Arvind(slashfear) -
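The three checks the post lists (expiry date, an issuer the client trusts, and a certificate issued for the site actually being visited), written out as an added Python example that is not part of slashfear's post. The certificate dict mirrors the shape that ssl.SSLSocket.getpeercert() in the standard library returns, but its values are constructed, and the trusted-CA set stands in for a browser's trust store.

```python
import ssl
import time

# Constructed stand-in for the dict ssl.SSLSocket.getpeercert() returns;
# every value here is made up for the demonstration.
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Stand-in for the browser's list of trusted certification authorities.
TRUSTED_CA_ORGS = {"Example Trusted CA"}


def issuer_org(cert):
    """Pull the organizationName out of the issuer's distinguished name."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def dns_name_match(pattern, hostname):
    """Match one subjectAltName DNS entry against a hostname. A single leading
    wildcard label is allowed: '*.shop.example.com' matches 'a.shop.example.com'
    but not 'x.y.shop.example.com' and not 'shop.example.com' itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".")
        return len(parts) > 1 and ".".join(parts[1:]) == pattern[2:]
    return pattern == hostname


def certificate_problems(cert, hostname, now=None, trusted_cas=TRUSTED_CA_ORGS):
    """Return the list of checks that fail; an empty list means the browser
    would start the secure session without a warning."""
    now = time.time() if now is None else now
    problems = []
    # 1. Validity window (cert_time_to_seconds parses the GMT strings).
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    # 2. Issued by a CA the client trusts.
    if issuer_org(cert) not in trusted_cas:
        problems.append("issuer not trusted")
    # 3. Issued for the site being visited.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_match(name, hostname) for name in names):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    print(certificate_problems(EXAMPLE_CERT, "www.example.com"))    # []
    print(certificate_problems(EXAMPLE_CERT, "other.example.com"))  # ['hostname mismatch']
```

In a real client all three checks happen inside the TLS library (ssl.create_default_context() turns them on); the point of spelling them out is to see which fact each one establishes and why failing any one of them is enough to warrant the warning.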
Saandeep Sreerambatla: Yes it's one of my interests too..
ash wrote: Slashfear, I enjoy reading your threads! Cryptology is one of my recent interests
Slashfear you are great, I am not following this thread but will follow soon.
Can you tell me what the pre-requisites are that I need to learn before reading this, so that I will be clear? -
Kaustubh Katdare: Nothing's wrong with the links. We only remove advertisement links from the posts.
-
slashfear: Thanks for checking Bigie....
-
slashfear: Hey ES,
These are general tips on security buddy, so just go through the articles and you will get knowledge about security issues and will automatically know what you have to learn......;-)
-Arvind(slashfear) -
Saandeep Sreerambatla: Ok, I will start some day and will post my issues here, thanks Slashfear
-
slashfear: You're always welcome dude!!! Looking forward to your queries
-
Saandeep Sreerambatla: Will post for sure. Just recommend me any books on these topics; I read a lot, so it will be useful for me. In 2 to 3 weeks your mail box/the thread will be flooded with my questions. I want you to recommend me some books on it; if you have any links, send them to my mail id available in the signature.
Thanks -
slashfear: Yes sure I will do that dude, just give me two days
-
silverscorpion: Hi SlashFear,
Once again, nicely written. Thanks for that!!
Some doubts about this..
When you say we can get SSL certificates from the above links, what do you mean?? Should we submit our site to them? Will they examine it and then issue a certificate that it's safe?
How much does it cost to obtain such a certificate??
I often hear about another security concept, the TLS (Transport Layer Security). What's the difference between SSL and TLS? -
Harshad Italiya: Superb thread man
-
slashfear: Thanks Godfather!!!!
-
slashfear: Hi Scorpion,
Hey buddy, I think you will get the answers from the below link.......
#-Link-Snipped-#
And regarding the cost, you can also find it on that website itself buddy!!
And the difference between SSL and TLS is as follows:
SSL stands for Secure Sockets Layer (as we have discussed above). Netscape originally developed this protocol to transmit information privately, ensure message integrity, and guarantee the server identity. SSL works mainly through using public/private key encryption on data. It is commonly used on web browsers, but SSL may also be used with email servers or any kind of client-server transaction. For example, some instant messaging servers use SSL to protect conversations.
TLS stands for Transport Layer Security. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It is most often used as a setting in email programs, but, like SSL, TLS can have a role in any client-server transaction.
The differences between the two protocols are very minor and very technical, but they are different standards. TLS uses stronger encryption algorithms and has the ability to work on different ports. Additionally, TLS version 1.0 does not interoperate with SSL version 3.0.
In the next post I will tell you guys about TLS......;-)
-Arvind(slashfear) -
slashfear: Hi Guys,
All websites will surely have a database as a back end (most websites!!!:smile:), no matter what database you're using; certain queries can change the entire situation of your website. Yes, I am talking about SQL injection.
So it's better to know how the attack works and how to protect yourself. I have dedicated a separate thread to SQL injections; you can have a look at that by clicking the link below (for those who are not following that thread):
#-Link-Snipped-#
And get some knowledge on the World's best hackers, crackers, intruders and virus creators, to make it simple MASTER MINDS, from the following thread:
#-Link-Snipped-#
Hope you guys enjoy this...........
-Arvind(slashfear) -
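Since the SQL injection thread itself is only linked and not reproduced here, an added Python/sqlite3 example (not slashfear's code) of the point the post makes: a query built by string concatenation lets a quote in the user's input change the SQL statement itself, while a parameterized query passes the input as a value and leaves the statement fixed. The table and its rows are constructed.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows, including a name that
    contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_role_unsafe(conn, name):
    """String concatenation: whatever the user typed becomes part of the SQL
    text, so a quote in the input changes the statement's structure."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn, name):
    """Parameterized query: the driver sends the input as a value, and the
    SQL text stays the same no matter what the input contains."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_query_error(conn, name):
    """Return the database error the concatenated query raises for this input,
    or None if the statement ran. Makes the failure visible for the demo."""
    try:
        lookup_role_unsafe(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_role_safe(conn, "o'brien"))     # ['user']
    print(unsafe_query_error(conn, "o'brien"))   # the apostrophe broke the statement
```

The syntax error is the harmless symptom; the same mechanism, with input shaped deliberately, is what lets a query "change the entire situation of your website". Placeholders remove the problem at its root, which is why every database driver provides them.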
Saandeep Sreerambatla:
slashfear wrote: Yes sure I will do that dude, just give me two days
Aravind, I am waiting for your answer