Password Protection vs. Encryption

Don Low

I know how to password protect a subweb but have been asked how much
protection to "prying eyes" that offers. The truth is, I really don't know.

If information on a Web needs to be protected against all but authorized
people within a group (not the same organization, but worldwide) would some
form of encryption do the trick? If encryption is the answer, should a time
limit be put on the time the information is made available? I know nothing
about hacking but assume it is similar to a bank vault; the less visible it
is the better and by removing the money the temptation is removed.

If a time limit is necessary, I believe we could send a notification to
those authorized to view the information and then remove the information
from the site. Finally, this is not a national secret, but I think something
on the order of a Brink's truck is what is called for here.
 
Kevin Spencer

Good question, Don. This subject area is confusing to a lot of people, and
there is a significant difference between restricting access to pages and
encrypting data passing back and forth between browser and server.
Restricting access prevents a user from viewing/downloading any documents
that he/she is not authorized to view. However, when an authorized user
views those documents, the contents of the documents travel across the
Internet unencrypted, which means that a hacker with a packet sniffer can
intercept and view the content being pushed back and forth across the
connection. Encryption is done using SSL (Secure Sockets Layer), which sends
a public key to the browser, and then encrypts the data being sent to and
from the browser so that only the browser can decrypt it after it reaches
the client. SSL requires a Secure Certificate from an authority such as
Verisign, and is therefore more expensive. So, I guess the real question is,
how sensitive is the data, and how much is it worth to you to hide it?

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
Steve Easton

Actually more than you think when done properly.
When done via FrontPage ( or the web master control
panel on an apache/unix server ) the actual
password is stored in a file "Above" the root
of the web, which is inaccessible by the public,
and is stored in binary format.
Although the password "pointer file" ( so to speak )
is created in and stays in the protected folder, it
simply points to the password file when the password is
stored and read.
Additionally this "pointer file" automatically invokes
the password pop-up any time anyone tries to
open any file in or otherwise try to enter the protected
folder / subweb.
In an apache/UNIX server it is named .htaccess and in
a MSFT server I believe it is #htaccess

The key <imho> is to use passwords that are hard to
recreate / reproduce. i.e. letter/number / uppercase/lowercase
combinations.
hth
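The layout Steve describes, as an added example that is not part of his post: the password file lives one level above the document root, and the `.htaccess` "pointer file" inside the protected folder only references it. The directory names (`htdocs`, `private`, `members`), the user `alice` and her password are assumptions for the demonstration; the hash is produced with `openssl passwd -apr1` so the script runs where the `htpasswd` tool is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): Apache password protection with the
# password file stored above the document root.
# Assumed paths: $SITE/htdocs is the document root, $SITE/private is outside it.
set -e

SITE="${SITE:-$(mktemp -d)}"
DOCROOT="$SITE/htdocs"
PASSFILE="$SITE/private/.htpasswd"

# Create the password file ABOVE the document root. Apache's apr1 (MD5-based)
# format is what openssl can emit without htpasswd; on Apache 2.4.4 and later
# prefer `htpasswd -B` (bcrypt) when the tool is available.
make_user() {
  # $1 = username, $2 = password (passed on the command line only for this
  # demo; run htpasswd interactively in practice to keep it out of history)
  mkdir -p "$(dirname "$PASSFILE")"
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")" >> "$PASSFILE"
  chmod 640 "$PASSFILE"
}

# The "pointer file": .htaccess inside the protected folder. It holds no
# password itself, only the path to the file above the root, and it is what
# makes the server send the browser's login prompt for anything in the folder.
make_htaccess() {
  mkdir -p "$DOCROOT/members"
  cat > "$DOCROOT/members/.htaccess" <<EOF
AuthType Basic
AuthName "Members only"
AuthUserFile $PASSFILE
Require valid-user
EOF
}

# The check a practitioner runs after setup: the AuthUserFile named in
# .htaccess must not be under the document root, or the hashes are servable.
password_file_is_outside_docroot() {
  file=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$DOCROOT/members/.htaccess")
  case "$file" in
    "$DOCROOT"/*) return 1 ;;   # inside the web root: misconfigured
    *) return 0 ;;
  esac
}

make_user alice 'correct horse battery staple'
make_htaccess
password_file_is_outside_docroot && echo "ok: $PASSFILE is above $DOCROOT"
```

Apache must also be configured with `AllowOverride AuthConfig` for that directory for the `.htaccess` file to take effect; that setting lives in the main server configuration, not in the folder.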
 
Don Low

Kevin, Steve thanks to you both. I take Steve's point as true, though. It is
the passing back and forth of information that I believe people are worried
about here. (I'm just the messenger) I'm guessing that SSL will be decided
on after I present the findings but before I do, I wonder if you can give me
an approximate cost for the key and how many are needed. For instance, is
the key needed by the sender only, or by all who may or may not participate?
Also, can you name other key vendors? Thanks again for both replies.
 
Thomas A. Rowe

You only need to purchase a single SSL certificate for your domain. Talk
with your web regarding the ones they are willing to install and support.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Kevin Spencer

You don't purchase a key, you purchase a Certificate. The public and private
keys are generated by the Certificate. However, I don't know anything
offhand about what they cost - never had to purchase one! You should be able
to Google Secure Certificate vendors.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
Steve Easton

Don,
If information security between the server and client is the
key issue, then by all means Kevin's recommendation about SSL is the
way to go, and imho should be considered a *must.*
 
Jack Brewster

Don,

Are you hosting your own server, or do you work with a hosting service? If
you host your own, you have a couple options available.

First, as Kevin said, you can purchase an SSL cert from Verisign or Thawte
(which is really Verisign since they were gobbled up, but their prices are
cheaper?!?) and install it on your web server (the certificate vendor
provides documentation for this). This is the best option if it's important
for the certificate process to be transparent to your visitors.

If you don't mind your users getting prompted, you can actually create your
own certificate. Since it's created by you it won't have the "legitimacy"
that a Verisign or Thawte certificate would give, but it will still provide
the same encryption capability. This would normally only be used with very
targeted audiences who already have a trust relationship with you. I
wouldn't use it for order processing at all, but transferring data such as
business sensitive information should be just fine.

If you work with a hosting service, check with them. They should be able to
do all the hard work for you. Keep in mind that with 'budget' hosting
accounts, some hosts will use a shared SSL certificate. This is
...adequate... but could be compromised. Depending upon your requirements
(i.e. paranoia) getting your own certificate is your best bet.

Good luck!
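Creating the self-signed certificate Jack mentions, as an added example rather than anything from his post: one `openssl` command produces the key and certificate, and two `openssl verify` calls show what the missing "legitimacy" amounts to. The certificate is rejected against the default CA store (the prompt users would see) and accepted once the recipient has explicitly trusted that exact certificate, which is the pre-existing trust relationship Jack refers to. The hostname `www.example.test` is a placeholder; the scratch directory is created with `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): a self-signed certificate and what
# trust it does and does not carry. Assumes OpenSSL 1.1.1 or later (-addext).
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.test"   # placeholder hostname

# Key and certificate in one step; the certificate is signed by its own key.
# The TLS encryption it enables is the same as with a purchased certificate.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# For a self-signed certificate the issuer is the subject itself.
issuer_equals_subject() {
  [ "$(openssl x509 -in "$WORK/cert.pem" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$WORK/cert.pem" -noout -subject | sed 's/^subject=//')" ]
}

# Validation against the system CA bundle fails: this is the browser warning.
trusted_by_default() {
  openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# Validation succeeds once the certificate itself is installed as a trust
# anchor on the client, which is what a known audience can be asked to do.
trusted_when_pinned() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

make_self_signed
issuer_equals_subject && echo "self-signed: issuer matches subject"
trusted_by_default || echo "rejected against the default CA store (browser would warn)"
trusted_when_pinned && echo "accepted once the certificate is explicitly trusted"
```

The private key in `key.pem` is unencrypted (`-nodes`) so the web server can start unattended; keep it readable only by the server account, as with the password file in the earlier setup.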
 
Mike Mueller

You need to get a site certificate, and you only need 1 per domain. The
cert will generate keys as needed. Cost all depends on who you use. CAcert
will provide them for free, but they are relatively low on the chain and
many users will have to accept their certificate.

Mike