Re: SSL certificate problem with 3rd party

2014-01-17 Thread Wil Genovese

I was helping Jason with this a bit before he posted here, but didn’t have time 
to do full tests. 

I have run into this situation before and that time it ‘automagically’ started 
working the next day with an unaltered keystore. Arg!

So this issue:

I have a Win 7 VM with CF8.0.1 fully patched and CF10 fully patched.  Both 
jvm.config files are edited to use the exact same JVM at “c:\program 
files\jdk1.6.0_45\jre” and the exact same keystore cacerts file. This cacerts 
is the one that came with jdk 1.6.0_45.  BEFORE importing the Comodo cert 
CF8.0.1 CFHTTP fails with error “I/O Exception: Name in certificate 
`internetsecure.com' does not match host name `test.internetsecure.com'”.  CF10 
is successful.  Next I imported the cert 
“COMODOHigh-AssuranceSecureServerCA.crt” from Comodo and restarted CF8.0.1. 
After the restart I still get the same error message on CF8.0.1 and after 
restarting CF10 it still works. 

I’ve pulled my hair out before on this without luck other than in one case an 
SSL cert automagically started working. 

I have in the past looked for any documentation that Adobe updated CFHTTP 
between CF8 and CF10, but I have not found anything yet. However, something must 
have changed to allow certs with Subject Alternate Names. 


Regards,



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Jan 16, 2014, at 4:38 PM, Byron Mann byronos...@gmail.com wrote:

 
 Apologies, Justin is correct. I tested this on one of our CF 8 servers and
 the host file/IP manipulation worked as stated.
 
 I'm so used to dealing with the * certificate issue, I wasn't aware this
 wasn't the case for the new certificates with the multiple names.
 
 FYI, I tried things out on CF 10, and it appears to accept these types of
 certificates without issue.
 
 Byron Mann
 Lead Engineer  Architect
 HostMySite.com
 
 
 On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott leviat...@darktech.orgwrote:
 
 
 You will need to import the  star (*) certificate into the keystore for
 the
 java instance ColdFusion is running upon.
 
 Basically ColdFusion doesn't like to speak to *.domain.com certificates
 (I
 think CF10 doesn't mind so much), as it is not an exact match to the URL
 it
 is attempting to access.
 
 In this case it's not a wildcard certificate, it's a standard cert
 using the subject alternative names extension which isn't supported
 on Java 6.  Importing the certificate into the Java keystore won't
 help in this case because the primary name on the certificate doesn't
 match the hostname being called.  Java will only check against the
 primary hostname and not the alternative names listed in the
 certificate.  Calling the primary hostname on the certificate and
 using a hosts entry to override the DNS entry to direct it to the
 right IP is the only workaround in this instance.
 
 
 -Justin Scott
 
 
 
 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357470
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Jake Churchill

If I remember correctly, the JVM keeps its own cache of certificates.  I'd
search for the commands to remove a cert from the built-in java keystore.
It's pretty simple using the keytool app but you might need to restart CF
to make it take.

-Jake


On Thu, Jan 16, 2014 at 2:05 PM, Jason Durham jqdur...@gmail.com wrote:


 A payment processor changed one of their certificates which is causing CF
 to throw an exception when we try to connect via CFHTTP using SSL.

 The error message is: *I/O Exception: Name in certificate
 `internetsecure.com' does not match host name
 `test.internetsecure.com'*

 You can view the certificate by navigating to
 https://test.internetsecure.com.  My browser doesn't seem to have problems
 with this cert, and I see a SAN that indicates this certificate should be
 valid for test.internetsecure.com.

 I've tried importing this cert into the keystore but received the same
 error.

 Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
 certificate?

 Jason Durham


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357455


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Jon Clausen

Is it a 2048 bit cert?  I seem to remember CF8 needing a patch to handle those.

Jon


On Jan 16, 2014, at 3:05 PM, Jason Durham jqdur...@gmail.com wrote:

 
 A payment processor changed one of their certificates which is causing CF
 to throw an exception when we try to connect via CFHTTP using SSL.
 
 The error message is: *I/O Exception: Name in certificate
 `internetsecure.com' does not match host name
 `test.internetsecure.com'*
 
 You can view the certificate by navigating to
 https://test.internetsecure.com.  My browser doesn't seem to have problems
 with this cert, and I see a SAN that indicates this certificate should be
 valid for test.internetsecure.com.
 
 I've tried importing this cert into the keystore but received the same
 error.
 
 Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
 certificate?
 
 Jason Durham
 
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357456


Re: SSL certificate problem with 3rd party

2014-01-16 Thread John M Bliss

I dealt with this same problem. In my case, solution was to edit hosts file
on server(s) so that internetsecure.com and test.internetsecure.com both
have the same IP and then, in your cfhttp, use the name that matches the
cert.


On Thu, Jan 16, 2014 at 3:05 PM, Jason Durham jqdur...@gmail.com wrote:


 A payment processor changed one of their certificates which is causing CF
 to throw an exception when we try to connect via CFHTTP using SSL.

 The error message is: *I/O Exception: Name in certificate
 `internetsecure.com' does not match host name
 `test.internetsecure.com'*

 You can view the certificate by navigating to
 https://test.internetsecure.com.  My browser doesn't seem to have problems
 with this cert, and I see a SAN that indicates this certificate should be
 valid for test.internetsecure.com.

 I've tried importing this cert into the keystore but received the same
 error.

 Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
 certificate?

 Jason Durham


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357457


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Justin Scott

 Can anyone provide assistance as to why CF 8.0.1 isn't happy
 with this certificate?

It sounds like they're using a certificate with multiple embedded
hostnames (known as alternative names) which is not supported by Java
6.  Importing the cert into the java cert cache won't help.  You will
need to have your CFHTTP call use the hostname that is specified as
their primary hostname in the certificate (internetsecure.com in this
case).  To get it to talk to their test server, you'll need to add an
entry in the server's hosts file to override the DNS entry for
internetsecure.com to use the IP address for test.internetsecure.com
which is 216.98.33.4, so in your hosts:

216.98.33.4 internetsecure.com

This will allow your code to talk to the appropriate server (test
server) using the hostname of the primary hostname in the certificate.
 Once you're in production it shouldn't be an issue unless their
production URL uses a different hostname than internetsecure.com.

We have to do this in production to get CF to talk to the E4 Global
Gateway from First Data as their certificate uses alternative names
and creates the same problem.  The other gotcha is that if you do
have to override their DNS entry in the hosts file you'll also need to
monitor their DNS entry for changes so you can update your hosts file
accordingly if they move something.  Loads of fun.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357459
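
Added example, not part of any post in this thread and not ColdFusion's or Java's own code: a Python sketch of the two hostname checks the thread contrasts, a client that compares only the certificate's primary name versus one that honours subjectAltName and wildcards. The certificate dictionaries are constructed samples in the shape of `ssl.SSLSocket.getpeercert()` output; only the hostnames come from the thread, and the function names are hypothetical.

```python
"""Hostname checks against a certificate's names (added illustration)."""

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert()
# output. The hostnames come from the thread; nothing else is real data.
SAN_CERT = {
    "subject": ((("commonName", "internetsecure.com"),),),
    "subjectAltName": (
        ("DNS", "internetsecure.com"),
        ("DNS", "test.internetsecure.com"),
    ),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.internetsecure.com"),),),
    "subjectAltName": (),
}


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match_name(pattern, hostname):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def common_name(cert):
    """Return the subject commonName (the 'primary name'), or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_sans(cert):
    """Return the DNS entries of the subjectAltName extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def verify_cn_only(cert, hostname):
    """Check as described in the thread: exact compare with the primary name."""
    cn = common_name(cert)
    return cn is not None and cn.lower() == hostname.lower()


def verify_san_aware(cert, hostname):
    """RFC 2818/6125 check: DNS SANs decide when present, CN is the fallback."""
    sans = dns_sans(cert)
    if sans:
        return any(match_name(s, hostname) for s in sans)
    cn = common_name(cert)
    return cn is not None and match_name(cn, hostname)


def explain(cert, hostname):
    """Run both checks so the difference is visible side by side."""
    return {
        "cn_only": verify_cn_only(cert, hostname),
        "san_aware": verify_san_aware(cert, hostname),
    }


if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        for host in ("internetsecure.com", "test.internetsecure.com"):
            print(label, host, explain(cert, host))
```

Neither check looks at the IP address, which is why the hosts-file override described above passes validation as long as the URL uses internetsecure.com.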


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Byron Mann

You will need to import the  star (*) certificate into the keystore for the
java instance ColdFusion is running upon.

Basically ColdFusion doesn't like to speak to *.domain.com certificates  (I
think CF10 doesn't mind so much), as it is not an exact match to the URL it
is attempting to access.

test.internetsecure.com != *.internetsecure.com as CF 8 sees it.

https://www.google.com/#q=coldfusion+import+ssl+certificate is a start as
to importing the certificate to the CF java instance.

To grab the certificate, use a web browser to go to the URL (
https://test.internetsecure.com).  Click on the SSL lock icon on the
browser.  Then there is usually an option to export/save the certificate.
Save that to a file.  Then use the keytool command line tool to import the
certificate file to your ColdFusion java instance.

The command would be something like this.

 keytool -import -v -trustcacerts -alias *.internetsecure.com -file c:\someServerCertFile.cer -keystore c:\ColdFusion8\runtime\jre\lib\security\cacerts -storepass changeit



You will need to restart CF after that.



Byron Mann
Lead Engineer & Architect
HostMySite.com


On Thu, Jan 16, 2014 at 3:05 PM, Jason Durham jqdur...@gmail.com wrote:


 A payment processor changed one of their certificates which is causing CF
 to throw an exception when we try to connect via CFHTTP using SSL.

 The error message is: *I/O Exception: Name in certificate
 `internetsecure.com' does not match host name
 `test.internetsecure.com'*

 You can view the certificate by navigating to
 https://test.internetsecure.com.  My browser doesn't seem to have problems
 with this cert, and I see a SAN that indicates this certificate should be
 valid for test.internetsecure.com.

 I've tried importing this cert into the keystore but received the same
 error.

 Can anyone provide assistance as to why CF 8.0.1 isn't happy with this
 certificate?

 Jason Durham


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357464


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Justin Scott

 You will need to import the  star (*) certificate into the keystore for the
 java instance ColdFusion is running upon.

 Basically ColdFusion doesn't like to speak to *.domain.com certificates  (I
 think CF10 doesn't mind so much), as it is not an exact match to the URL it
 is attempting to access.

In this case it's not a wildcard certificate, it's a standard cert
using the subject alternative names extension which isn't supported
on Java 6.  Importing the certificate into the Java keystore won't
help in this case because the primary name on the certificate doesn't
match the hostname being called.  Java will only check against the
primary hostname and not the alternative names listed in the
certificate.  Calling the primary hostname on the certificate and
using a hosts entry to override the DNS entry to direct it to the
right IP is the only workaround in this instance.


-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357465


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Byron Mann

Apologies, Justin is correct. I tested this on one of our CF 8 servers and
the host file/IP manipulation worked as stated.

I'm so used to dealing with the * certificate issue, I wasn't aware this
wasn't the case for the new certificates with the multiple names.

FYI, I tried things out on CF 10, and it appears to accept these types of
certificates without issue.

Byron Mann
Lead Engineer & Architect
HostMySite.com


On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott leviat...@darktech.orgwrote:


  You will need to import the  star (*) certificate into the keystore for
 the
  java instance ColdFusion is running upon.
 
  Basically ColdFusion doesn't like to speak to *.domain.com certificates
  (I
  think CF10 doesn't mind so much), as it is not an exact match to the URL
 it
  is attempting to access.

 In this case it's not a wildcard certificate, it's a standard cert
 using the subject alternative names extension which isn't supported
 on Java 6.  Importing the certificate into the Java keystore won't
 help in this case because the primary name on the certificate doesn't
 match the hostname being called.  Java will only check against the
 primary hostname and not the alternative names listed in the
 certificate.  Calling the primary hostname on the certificate and
 using a hosts entry to override the DNS entry to direct it to the
 right IP is the only workaround in this instance.


 -Justin Scott

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357467


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Justin Scott

 FYI, I tried things out on CF 10, and it appears to accept these types of
 certificates without issue.

What's the JVM version you're using on that installation?


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357468


Re: SSL certificate problem with 3rd party

2014-01-16 Thread Wil Genovese

Simply stating it works on ColdFusion 10 is meaningless. ColdFusion 10 installs 
with Java 1.6 by default. So unless you’ve patched CF10 and explicitly 
installed Java 1.7 and edited your jvm.config to use Java 1.7 you are still on 
Java 1.6.





Wil Genovese 
Owner / Sr Web Application Developer / Systems Administrator
Trunkful Technologies, inc.
729 Dodd Road Saint Paul, MN 55107 | m: 651-894-4238 | skype: wilgeno
wilg...@trunkful.com | http://www.trunkful.com






On Jan 16, 2014, at 4:38 PM, Byron Mann byronos...@gmail.com wrote:

 
 Apologies, Justin is correct. I tested this on one of our CF 8 servers and
 the host file/IP manipulation worked as stated.
 
 I'm so used to dealing with the * certificate issue, I wasn't aware this
 wasn't the case for the new certificates with the multiple names.
 
 FYI, I tried things out on CF 10, and it appears to accept these types of
 certificates without issue.
 
 Byron Mann
 Lead Engineer  Architect
 HostMySite.com
 
 
 On Thu, Jan 16, 2014 at 4:18 PM, Justin Scott leviat...@darktech.orgwrote:
 
 
 You will need to import the  star (*) certificate into the keystore for
 the
 java instance ColdFusion is running upon.
 
 Basically ColdFusion doesn't like to speak to *.domain.com certificates
 (I
 think CF10 doesn't mind so much), as it is not an exact match to the URL
 it
 is attempting to access.
 
 In this case it's not a wildcard certificate, it's a standard cert
 using the subject alternative names extension which isn't supported
 on Java 6.  Importing the certificate into the Java keystore won't
 help in this case because the primary name on the certificate doesn't
 match the hostname being called.  Java will only check against the
 primary hostname and not the alternative names listed in the
 certificate.  Calling the primary hostname on the certificate and
 using a hosts entry to override the DNS entry to direct it to the
 right IP is the only workaround in this instance.
 
 
 -Justin Scott
 
 
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357469


Re: SSL on CFquery

2013-04-19 Thread Richard White

Thanks Russ, I'll take a look into this

You don't, afaik you simply need the client cert in the java keystore.
See this
http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

There is a handy cfadmin extension on riaforge.org for managing your
keystore.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 16, 2013 5:33 PM, Richard White rich...@re-base.net wrote:

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355509


Re: SSL on CFquery

2013-04-16 Thread Russ Michaels

Do the following to enable SSL connection:

   1. In the ColdFusion Administrator, go to Data & Services > Data Sources.
   2. Select the data source to enable SSL Connection.
   3. In the data source page, click Show Advanced Settings.
   4. In the Connection String text box, specify the connection properties as
      per the SSL requirements.

   You can find details on the connection properties here:
   http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-8000.html






On Tue, Apr 16, 2013 at 12:58 PM, Richard White rich...@re-base.net wrote:


 Hi,

 We have a windows server for our CF application and a Linux server for our
 database. We are setting up a self-signed SSL between the two servers.

 Our hosting company have said we need to reference the SSL in the
 connection string but how can I do this in a cfquery?

 Many thanks
 Richard


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355425


Re: SSL on CFquery

2013-04-16 Thread Richard White

Perfect! Many thanks Russ :)

 Do the following to enable SSL connection:
 
    1. In the ColdFusion Administrator, go to Data & Services > Data Sources.
    2. Select the data source to enable SSL Connection.
    3. In the data source page, click Show Advanced Settings.
    4. In the Connection String text box, specify the connection properties as
       per the SSL requirements.
 
 You can find details on the connection properties here:
 http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-8000.html
 
 
 
 
 
 
 On Tue, Apr 16, 2013 at 12:58 PM, Richard White rich...@re-base.net 
 wrote:
 
 
  Hi,
 
  We have a windows server for our CF application and a Linux server 
 for our
  database. We are setting up a self-signed SSL between the two 
 servers.
 
  Our hosting company have said we need to reference the SSL in the
  connection string but how can I do this in a cfquery?
 
  Many thanks
  Richard
 
 
  

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355426


Re: SSL on CFquery

2013-04-16 Thread Richard White

Hi,

We have a further issue with this. 

The hosting company have installed the SSL certificate on the database and 
provided us with the details of where the certificate is stored. However, in 
the CF connection string it asks to provide the url of the certificate. 

I am confused about how to get this to work. How would i instruct coldfusion to 
use the certificate on the database server?

Thanks,
Richard




 Hi,
 
 We have a windows server for our CF application and a Linux server for 
 our database. We are setting up a self-signed SSL between the two 
 servers.
 
 Our hosting company have said we need to reference the SSL in the 
 connection string but how can I do this in a cfquery?
 
 Many thanks
 Richard 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355442


Re: SSL on CFquery

2013-04-16 Thread Russ Michaels

You don't, afaik you simply need the client cert in the java keystore.
See this
http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

There is a handy cfadmin extension on riaforge.org for managing your
keystore.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 16, 2013 5:33 PM, Richard White rich...@re-base.net wrote:


 Hi,

 We have a further issue with this.

 The hosting company have installed the SSL certificate on the database and
 provided us with the details of where the certificate is stored. However,
 in the CF connection string it asks to provide the url of the certificate.

 I am confused about how to get this to work. How would i instruct
 coldfusion to use the certificate on the database server?

 Thanks,
 Richard




  Hi,
 
  We have a windows server for our CF application and a Linux server for
  our database. We are setting up a self-signed SSL between the two
  servers.
 
  Our hosting company have said we need to reference the SSL in the
  connection string but how can I do this in a cfquery?
 
  Many thanks
  Richard

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355450


Re: SSL Connections To Oracle

2012-07-24 Thread Robert Nurse

Thanks Russ. In looking at that document, for Oracle, it refers to two 
properties: KeyStore=path to keystore; and TrustStore=path to keystore;.  On 
Linux, would these two paths point to the cacerts file in 
%CF_Install_Path%/runtime/jre/lib/security?


 Don't know if this applies to cf8 but
 http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7fff.html
 
 Regards
 Russ Michaels
 On Jul 23, 2012 3:20 PM, Robert Nurse rnu...@gmail.com wrote:
 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351952


Re: SSL Connections To Oracle

2012-07-23 Thread Russ Michaels

Don't know if this applies to cf8 but
http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7fff.html

Regards
Russ Michaels
On Jul 23, 2012 3:20 PM, Robert Nurse rnu...@gmail.com wrote:


 Hello All,

 Has anyone ever configured CF8 (Linux) datasources that used SSL
 connections to Oracle? That mandate is coming to our shop. Can anyone point
 me to or provide documentation on this?

 Thanks.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351945


Re: SSL Connection to Postgresql

2011-03-03 Thread Dave Watts

 I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set to accept 
 SSL connections only.  I have the 3 root/cert files necessary for
 the handshaking to occur between host and client.  The datasource to the box 
 works fine when unencrypted: jdbc:postgresql://x.x.x.x/main (with
 ?ssl=true to be appended for encryption).

 My question is where do I put these files?  I am running CF8 Enterprise on 
 Windows 2003. On my local machine I would have them in the
 %appdata%/postgresql folder but this is a production-level box that access 
 the internet.

You'll have to add the server cert to the client's Java keystore as
described here:
http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342728


Re: SSL Connection to Postgresql

2011-03-03 Thread David Patricola

  I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set 
 to accept SSL connections only.  I have the 3 root/cert files 
 necessary for
  the handshaking to occur between host and client.  The datasource to 
 the box works fine when unencrypted: jdbc:postgresql://x.x.x.x/main 
 (with
  ?ssl=true to be appended for encryption).
 
  My question is where do I put these files?  I am running CF8 
 Enterprise on Windows 2003. On my local machine I would have them in 
 the
  %appdata%/postgresql folder but this is a production-level box that 
 access the internet.
 
 You'll have to add the server cert to the client's Java keystore as
 described here:
 http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php
 

Thank you for the direction!  My only question with this is that the host box 
is creating this keystore, so how will it be moved to the remote client box?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342729


Re: SSL Connection to Postgresql

2011-03-03 Thread David Patricola

  I have a remote Redhat 5.0 box running PostgreSQL 8.0 and it's set 
 to accept SSL connections only.  I have the 3 root/cert files 
 necessary for
  the handshaking to occur between host and client.  The datasource to 
 the box works fine when unencrypted: jdbc:postgresql://x.x.x.x/main 
 (with
  ?ssl=true to be appended for encryption).
 
  My question is where do I put these files?  I am running CF8 
 Enterprise on Windows 2003. On my local machine I would have them in 
 the
  %appdata%/postgresql folder but this is a production-level box that 
 access the internet.
 
 You'll have to add the server cert to the client's Java keystore as
 described here:
 http://archives.postgresql.org/pgsql-jdbc/2003-08/msg00110.php
 

Thank you for the direction!  My only question with this is that the host box 
is creating this keystore, so how will it be moved or copied to the remote 
client box?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342730


Re: SSL Connection to Postgresql

2011-03-03 Thread Dave Watts

 Thank you for the direction!  My only question with this is that the host box 
 is creating this keystore, so how will it be moved to the remote client
 box?

The server and client will have separate keystores. You simply need to
use keytool to import the server's certificates into the client's
keystore. In this case, the client is your CF server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342732


Re: SSL Connection to Postgresql

2011-03-03 Thread David Patricola

>> Thank you for the direction!  My only question with this is that the
>> host box is creating this keystore, so how will it be moved to the
>> remote client box?
>
> The server and client will have separate keystores. You simply need to
> use keytool to import the server's certificates into the client's
> keystore. In this case, the client is your CF server.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite

Very much appreciated!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342739


Re: ssl

2009-10-05 Thread Mahcsig

If you are using IIS, this page got me going.
http://eduncan911.com/blog/getting-godaddy-ssls-working-in-firefox-on-iis.aspx
~Mahcsig




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326899


RE: ssl

2009-10-02 Thread Dave Phillips

My guess is you don't have a valid security certificate on the server.  If
you have any cert installed, Firefox is first going to get that cert info
from the web server before your request ever gets to ColdFusion.  What you
probably need to do is turn off the SSL on that site if you don't want
people going to it.

If you want to accomplish the redirect below without a warning, you'll have
to install a valid certificate.

Dave

-Original Message-
From: Chad Gray [mailto:cg...@careyweb.com] 
Sent: Friday, October 02, 2009 1:43 PM
To: cf-talk
Subject: ssl


I have some code in application.cfm that is supposed to re-direct the user
to a non-ssl version of the page.

<!--- redirect to non-SSL --->
<cfif CGI.HTTPS eq "on">
	<cfif Len(CGI.QUERY_STRING)>
		<cflocation url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#" addtoken="no">
	<cfelse>
		<cflocation url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#" addtoken="no">
	</cfif>
</cfif>


I get this error in Firefox when I try to use it:

Secure Connection Failed
invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

   * This could be a problem with the server's configuration, or it could be
someone trying to impersonate the server.

   * If you have connected to this server successfully in the past, the
error may be temporary, and you can try again later.


Any ideas why this would happen?
Thanks!
Chad




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326849


RE: ssl

2009-10-02 Thread Chad Gray

I remove the code and hit the web site with ssl and it works fine.  I know the 
certificate is good.

https://www.beeculture.com/

This one has me stumped.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326850


RE: ssl

2009-10-02 Thread Dave Phillips

How about a client side redirect?

<cfif CGI.HTTPS eq "on">
	<cfif Len(CGI.QUERY_STRING)>
		<script>window.location = '<cfoutput>http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#</cfoutput>';</script>
		<cfabort>
	<cfelse>
		<script>window.location = '<cfoutput>http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#</cfoutput>';</script>
		<cfabort>
	</cfif>
</cfif>

Maybe Firefox is trying to protect a user from hitting an SSL page that has
been hijacked somehow

Dave



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326851


RE: ssl

2009-10-02 Thread Robert Harrison

If you just want to kick them out of https you can do that with JavaScript
on the appropriate pages.

<script language="JavaScript">
  var loc = document.location.toString();
  var index = loc.indexOf(":");
  var url = loc.substring(index, loc.length);
  // "https" is five characters long, so index 5 means the page was loaded over HTTPS
  if (index == 5)
  {
    var standardUrl = "http" + url;
    location.replace(standardUrl); // get rid of current page in history
    location.href = standardUrl;
  }
</script>


Robert B. Harrison
Director of Interactive Services
Austin & Williams
125 Kennedy Drive, Suite 100
Hauppauge NY 11788
P : 631.231.6600 Ext. 119
F : 631.434.7022
http://www.austin-williams.com

Great advertising can't be either/or.  It must be &.

Plug in to our blog: A&W Unplugged
http://www.austin-williams.com/unplugged






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326852


Re: ssl

2009-10-02 Thread Dave Watts

> I have some code in application.cfm that is supposed to re-direct the user to
> a non-ssl version of the page.
>
> <!--- redirect to non-SSL --->
> <cfif CGI.HTTPS eq "on">
>         <cfif Len(CGI.QUERY_STRING)>
>                 <cflocation url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#?#CGI.QUERY_STRING#" addtoken="no">
>         <cfelse>
>                 <cflocation url="http://www.#CGI.SERVER_NAME##CGI.PATH_INFO#" addtoken="no">
>         </cfif>
> </cfif>
>
> I get this error in Firefox when I try to use it:
>
> Secure Connection Failed
> invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
>
> (Error code: sec_error_unknown_issuer)
>
>    * This could be a problem with the server's configuration, or it could be
>      someone trying to impersonate the server.
>
>    * If you have connected to this server successfully in the past, the error
>      may be temporary, and you can try again later.
>
> Any ideas why this would happen?

Typically, this would indicate a self-signed or otherwise
untrustworthy certificate, but that's clearly not the problem as
you've made clear in your followup email. When you get this error,
have you accepted the certificate so that you can examine its
properties? Do you only get the error in Firefox? If you comment out
the block in question in Application.cfm, do you not get the error?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figl

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326853


RE: ssl

2009-10-02 Thread Chad Gray

I tried this code and it takes me to http://www.www.beeculture.com/

www. should not be part of CGI.ServerName, right?




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326855


RE: ssl

2009-10-02 Thread Chad Gray

OH.. hang on, it only errors in Firefox.  I tried IE and the certificate and my 
original code work fine (after I remove the www.)  CGI.ServerName does include 
www. (DUH!).

Now I just have to figure out why the SSL cert does not work in Firefox.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326856


RE: ssl

2009-10-02 Thread Dave Phillips

I think that simply translates what the user typed.  If they typed in the
www, then it will be part of it.  If not, it won't. The CGI doesn't look
into your web server to see what your actual domain name is.  Do this:

<cfdump var="#cgi#">

This will give you all the CGI variables and you can figure out what your
results actually are with different attempts.

Dave




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326858


RE: ssl

2009-10-02 Thread Dave Phillips

But you said the cert works fine in Firefox when you go to
https://www.beeculture.com, right?  That's why I think Firefox is trying to
recognize the server side redirect and thinks it might be a hacking attempt.
Microsoft probably would never be so thoughtful to put that into IE. ;-)

On the other hand, if that is the case, then it's a headache for you and you
may have to put some firefox specific code into place (i.e. the client-side
redirect, only if it's firefox).  

Dump the CGI scope, I think you'll find everything you need there to
accomplish what you need...

Dave




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326859


RE: ssl

2009-10-02 Thread Chad Gray

Thanks Dave, it ends up Firefox is not compatible with this GoDaddy class 2 
certificate for some reason.

I guess Firefox does not have the CA chain in it.

Thanks for the help!






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326860


Re: ssl

2009-10-02 Thread denstar

Maybe you need to install the intermediate certificate?  Usually the
cert provider gives it to you with the cert.  In apache httpd.conf it
goes in like this:

SSLCertificateFile /path/to/your.crt
SSLCertificateKeyFile /path/to/your.key
SSLCertificateChainFile /path/to/your/chainFile.crt

-- 
It probably helps that my background is in the sciences and I can
speak the scientists' language.
David Chalmers

On Fri, Oct 2, 2009 at 1:46 PM, Chad Gray wrote:

> Thanks Dave, it ends up Firefox is not compatible with this GoDaddy class 2
> certificate for some reason.
>
> I guess Firefox does not have the CA chain in it.
>
> Thanks for the help!

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326867
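
The missing-intermediate case discussed in this thread, as an added example that is not part of any post: it builds a constructed root, intermediate and leaf certificate with openssl, then verifies the leaf as a client that trusts only the root would, first without and then with the intermediate that SSLCertificateChainFile makes the server send. All subjects and file names are constructed for the demo; openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf (server) certificate.
# Everything lives in a temporary directory; no real site or trust store is touched.

# make_demo_pki DIR: create root.pem, inter.pem and leaf.pem (plus keys) in DIR.
make_demo_pki() {
    d=$1
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=Demo $name" -keyout "$d/$name.key" \
            -out "$d/$name.csr" 2>/dev/null || return 1
    done
    # The root signs itself, the root signs the intermediate,
    # and the intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -extfile "$d/demo.cnf" -extensions leaf_ext \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

# verify_leaf DIR [CHAINFILE]: succeed only if the leaf chains to the trusted root.
# CHAINFILE holds certificates the server sends along with the leaf; they are
# passed as -untrusted because the client uses them to build the path but does
# not trust them on their own. openssl's output is kept in VERIFY_OUT.
verify_leaf() {
    d=$1
    chain=$2
    if [ -n "$chain" ]; then
        VERIFY_OUT=$(openssl verify -CAfile "$d/root.pem" -untrusted "$chain" "$d/leaf.pem" 2>&1)
    else
        VERIFY_OUT=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1)
    fi
    # Match on the output rather than the exit status, which old openssl
    # releases did not set reliably on verification failure.
    printf '%s\n' "$VERIFY_OUT" | grep -q ': OK$'
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    if verify_leaf "$tmp"; then
        echo "server sends leaf only:          trusted"
    else
        echo "server sends leaf only:          NOT trusted"
        printf '%s\n' "$VERIFY_OUT" | sed 's/^/    /'
    fi
    if verify_leaf "$tmp" "$tmp/inter.pem"; then
        echo "server sends leaf + chain file:  trusted"
    else
        echo "server sends leaf + chain file:  NOT trusted"
    fi
    rm -rf "$tmp"
}

run_demo
```

A client that already holds the intermediate from another source passes the first check too, which is why a missing chain file can show up in one browser and not in another.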


Re: SSL and https in ColdFusion

2009-09-08 Thread Tom Chiverton

On Tuesday 08 Sep 2009, Scott Stroz wrote:
> The bindings will call the onRequest in App.cfc as that is just a
> regular ole HTTP request.

Are you saying even on HTTPS pages, CFAJAX calls go over HTTP, not HTTPS?

-- 
Helping to preemptively generate synergistic infrastructures as part of the IT 
team of the year, '09 and '08




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326083


Re: SSL and https in ColdFusion

2009-09-08 Thread Scott Brady

On Mon, Sep 7, 2009 at 4:52 PM, Richard McKenna
<richardofmcke...@googlemail.com> wrote:

 Also I take it any cfincludes will automatically be called over https as 
 these are done before the file is sent to the browser?


You've gotten replies for the other issues, so I'll just handle the
cfinclude issue.  You pretty much answer it yourself, but to specify
-- cfincludes aren't handled either through http or https, because
they're server-side calls and aren't called by the browser (and, thus,
don't use any web protocol).

Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326084


Re: SSL and https in ColdFusion

2009-09-08 Thread Scott Stroz

Sorry for the confusion...what I meant was that since AJAX requests
are just HTTP requests, they too should follow the same guidelines. I
believe if you are using SSL on the page, any AJAX calls from the CF
stuff should also use SSL.

On Tue, Sep 8, 2009 at 9:29 AM, Tom Chiverton
<tom.chiver...@halliwells.com> wrote:

 On Tuesday 08 Sep 2009, Scott Stroz wrote:
 The bindings will call the onRequest in App.cfc as that is just a
 regular ole HTTP request.

 Are you saying even on HTTPS pages, CFAJAX calls go over HTTP, not HTTPS ?

 --
 Helping to preemptively generate synergistic infrastructures as part of the IT
 team of the year, '09 and '08

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326089


Re: SSL and https in ColdFusion

2009-09-07 Thread Scott Stroz

For images/css/js files, if you use a relative path, the browser will
automatically use the protocol for the current page, so if your page
is HTTPS and you use a relative path for an image, the image will be
loaded using HTTPS.

The bindings will call the onRequest in App.cfc as that is just a
regular ole HTTP request.

On Mon, Sep 7, 2009 at 6:52 PM, Richard McKenna
<richardofmcke...@googlemail.com> wrote:

 Hi all,

 I'm using SSL in a site for the first time and wasn't sure how to reference 
 external files within my pages (images, css, javascript etc.)

 I'm forcing the pages to use SSL with the following code, which will be 
 placed in my Application.cfc in the onRequest method.

 <cfif CGI.HTTPS EQ 'off'>
     <cflocation url="https://#CGI.HTTP_HOST##CGI.PATH_INFO#?#QUERY_STRING#">
 </cfif>

 Do I need to give the full path (https://www.domain.com/images/image.jpg) for 
 every reference to other files?

 Also I take it any cfincludes will automatically be called over https as 
 these are done before the file is sent to the browser?

 Last of all how would ajax calls with cfdiv work?

 <cfdiv bind="url:user_details.cfm?id=#userID#" />

 Will these call the onRequest from the Application.cfc?

 Kind regards,

 Richard

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326079
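The rule described in the reply above (a relative reference inherits the scheme of the page that contains it) can be checked mechanically. This is an added example, not code from the thread; the function names, `PAGE_URL` and the sample markup are assumptions made for illustration.

```javascript
// Added example: resolve every src/href on a page against the page URL, the way
// a browser does, and flag references that would be fetched over plain HTTP
// from an HTTPS page (mixed content).
// PAGE_URL and SAMPLE_HTML are constructed sample input, not from a real site.
const PAGE_URL = 'https://www.domain.com/account/index.cfm';
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="js/app.js"></script>
<img src="https://www.domain.com/images/image.jpg">
<img src="http://www.domain.com/images/logo.gif">
<script src="//static.example.com/lib.js"></script>
<a href="mailto:help@example.com">Help</a>
`;

// Pull the value of every quoted src= or href= attribute out of the markup.
function extractRefs(html) {
  const refs = [];
  const attr = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let match;
  while ((match = attr.exec(html)) !== null) {
    refs.push(match[1] !== undefined ? match[1] : match[2]);
  }
  return refs;
}

// Resolve one reference against the page URL and say how it will be fetched.
function classifyRef(ref, pageUrl) {
  let resolved;
  try {
    resolved = new URL(ref, pageUrl);
  } catch (err) {
    return { ref, resolved: null, verdict: 'invalid' };
  }
  const page = new URL(pageUrl);
  let verdict;
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') {
    verdict = 'not-http';            // mailto:, data:, javascript:, ...
  } else if (page.protocol !== 'https:') {
    verdict = 'plain-http-page';     // the page itself is not protected
  } else if (resolved.protocol === 'http:') {
    verdict = 'mixed-content';       // absolute http:// URL on an HTTPS page
  } else {
    verdict = 'https';               // relative, protocol-relative or https://
  }
  return { ref, resolved: resolved.href, verdict };
}

// Classify every reference found in the markup.
function auditPage(html, pageUrl) {
  return extractRefs(html).map((ref) => classifyRef(ref, pageUrl));
}

for (const r of auditPage(SAMPLE_HTML, PAGE_URL)) {
  console.log(`${r.verdict.padEnd(16)} ${r.ref} -> ${r.resolved}`);
}
```

Only the absolute `http://` image is flagged. The relative and protocol-relative references resolve to `https://`, as does a relative AJAX URL such as the `user_details.cfm?id=...` bind target from the question.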


Re: SSL (HTTPS) Web Service

2008-05-28 Thread Casey Dougall
I'm having the same issue here. Did these posts solve anything for ya Ian?


On Thu, Mar 20, 2008 at 9:45 AM, Ian Skinner [EMAIL PROTECTED] wrote:

 Is there some trick to consuming a web service over HTTPS(SSL) in
 ColdFusion.  I keep getting a "Cannot generate stub objects for web service
 invocation." error when I try to do so.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;192386516;25150098;k

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306147
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: SSL (HTTPS) Web Service

2008-05-28 Thread Ian Skinner
Casey Dougall wrote:
 I'm having the same issue here. Did these posts solve anything for ya Ian?

Solve, no.  The requirement went away.  So I just filed these links away 
for future reference for the next time I have to deal with this issue.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:306149


Re: SSL (HTTPS) Web Service

2008-03-20 Thread James Holmes
If the server certificate is self-signed, you might need to import the
root Certificate Authority into your CF server keystore.

On Thu, Mar 20, 2008 at 10:45 PM, Ian Skinner [EMAIL PROTECTED] wrote:
 Is there some trick to consuming a web service over HTTPS(SSL) in
 ColdFusion.  I keep getting a "Cannot generate stub objects for web service
 invocation." error when I try to do so.





  

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301640


Re: SSL (HTTPS) Web Service

2008-03-20 Thread Ian Skinner
James Holmes wrote:
 If the server certificate is self-signed, you might need to import the
 root Certificate Authority into your CF server keystore.

I was afraid somebody was going to say something like that.  Much of 
that is Greek to me.  Any good step-by-step, fool-proof how to on just 
how one would do this just to play with a web service in development?



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301643


Re: SSL (HTTPS) Web Service

2008-03-20 Thread James Holmes
http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool

http://www.coldfusionmuse.com/index.cfm/2005/01/29/keystore

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19139

On Thu, Mar 20, 2008 at 11:36 PM, Ian Skinner [EMAIL PROTECTED] wrote:
 James Holmes wrote:
   If the server certificate is self-signed, you might need to import the
   root Certificate Authority into your CF server keystore.

  I was afraid somebody was going to say something like that.  Much of
  that is Greek to me.  Any good step-by-step, fool-proof how to on just
  how one would do this just to play with a web service in development?



  

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301646


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
I'm not sure how Zillow.com's terms support your "My strong password or
else" argument (which is what I thought this was) as all you did was show me
their terms of use.

Now try to find one here -
http://www.sharebuilder.com/sharebuilder/Security/Default.aspx

I can choose any password I want there.  I'm sure that Sharebuilder probably
has real time monitoring going on and Zillow doesn't.  Is that what the
difference between the terms are?  Real time we got your back security
versus some real estate website listing properties?  *shrugs* No idea.

On Jan 25, 2008 12:02 PM, Rick Faircloth [EMAIL PROTECTED] wrote:

 Here's some of the Terms for use of Zillow.com... a Real Estate listing
 website.

 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR
 ANY SUPPLIER BE LIABLE FOR
 ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT, CONSEQUENTIAL,
 SPECIAL, INCIDENTAL, OR
 PUNITIVE DAMAGES ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS
 OF USE OR YOUR USE OF THE
 SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES. THE EXCLUSION OF
 DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND
 SURVIVES IN THE EVENT SUCH
 REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
 UNENFORCEABLE. THESE LIMITATIONS AND
 EXCLUSIONS APPLY WITHOUT REGARD TO WHETHER THE DAMAGES ARISE FROM (A)
 BREACH OF CONTRACT, (B) BREACH
 OF WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
 EXTENT SUCH EXCLUSION AND
 LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT AGREE WITH
 ANY PART OF THESE TERMS
 OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS
 SUPPLIERS WITH RESPECT TO THESE
 TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO
 DISCONTINUE USING THE
 SERVICES.

 Now that's pretty iron-clad legally, I think, that no matter what you do,
 password or otherwise, they're not going to pay for it. Quite
 bottom-line, my way or the highway, especially that last clause...



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297447


RE: SSL Necessary? Important?

2008-01-25 Thread Dave Watts
 Anyway, the problem with strong passwords is they're not 
 easily, if at all, memorable.

That doesn't have to be true:
http://en.wikipedia.org/wiki/Passphrase

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297445


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
I agree to a point, Claude... you're right that anything can
be overturned, but having a prior agreement is always good to have
on your side in court.

There would have to be gross negligence on a company's part to
have the prior legal agreement ignored.

I think everyone in our discussion is right, to a point.

And, btw, I have no connection to Zillow.com.  I just happened to
be on that site when the question about liability came up.

I will say that if I ever do get sued because passwords and usernames
were stolen from my company and I lost a case because someone's bank
account was drained because it used the same password and username,
I would absolutely start forcing my passwords on everyone.

To this point, I've had no problem.  And we all try to balance
user-friendliness and security.  But someone is always being bitten.
Everyone is just playing a game of Russian Roulette and hoping we're
not the one facing a round in the chamber.

Rick

 -Original Message-
 From: Claude Schneegans [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 1:36 PM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
  IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
 ANY DAMAGES
 
 I'm sorry, but just from the very beginning, this statement has
 absolutely no value.
 I hope you didn't pay a lawyer to write it.
 
 Nobody can state, in advance or not that he is not liable or responsible.
 ONLY a judge in court can make this decision, only based on facts.
 If you have been careless in an issue, EVEN if you warned the plaintiff that
 you are not liable, the judge can decide that you are responsible.
 
 The only utility of such notice is may be 1. to make unaware customers
 believe they can't go to court,
 2. to make them do their part about security.
 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297475


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
My only point about Zillow.com's terms holds them unaccountable for any
problems you experience from using their site.  They state:

(A) BREACH OF CONTRACT, (B) BREACH OF WARRANTY, (C) NEGLIGENCE, OR
(D) ANY OTHER CAUSE OF ACTION

Sounds to me like, whether it's because of a weak password or whatever,
they can't be held liable.  And in the final clause, they simply state
that if you don't like those terms, don't use the service.

Those terms sound fine to me.  Even if I have no security for people's
password, personal info, etc., sounds to me like the terms above protects
me under any circumstance, including (C), negligence.


Now concerning Sharebuilder.com's position:

First, your link was a PR department's friendly-face, warm-and-fuzzy
explanation of how they'll take care of you and provide you with security.

However, the legal department's position, and the only one that counts is:

http://www.sharebuilder.com/sharebuilder/Legal/Default.aspx, particularly
in our discussion, point 27:

27) Security and Confidentiality
You agree that you will be fully responsible for the confidentiality of your
user name and password. You further agree that you will be fully and solely
responsible for all activities, including brokerage transactions, that arise
from the use of your user name and password. You will immediately notify us
in writing or by e-mail of any loss, theft or unauthorized use of your user
name, password and/or account number(s).

So, their bottom line is that you're responsible for all activities,
brokerage or otherwise, that arise from the use of your user name and
password.

So, again, they positioned themselves so that only the client is at risk
if somebody finds out about their user name and password and abuses it.


At least that's my take...

Rick



 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 12:52 PM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 I'm not sure how Zillow.com's terms support your "My strong password or
 else" argument (which is what I thought this was) as all you did was show me
 their terms of use.
 
 Now try to find one here -
 http://www.sharebuilder.com/sharebuilder/Security/Default.aspx
 
 I can choose any password I want there.  I'm sure that Sharebuilder probably
 has real time monitoring going on and Zillow doesn't.  Is that what the
 difference between the terms are?  Real time we got your back security
 versus some real estate website listing properties?  *shrugs* No idea.
 
 On Jan 25, 2008 12:02 PM, Rick Faircloth [EMAIL PROTECTED] wrote:
 
  Here's some of the Terms for use of Zillow.com... a Real Estate listing
  website.
 
  9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR
  ANY SUPPLIER BE LIABLE FOR
  ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT, CONSEQUENTIAL,
  SPECIAL, INCIDENTAL, OR
  PUNITIVE DAMAGES ARISING OUT OF, BASED ON, OR RESULTING FROM THESE TERMS
  OF USE OR YOUR USE OF THE
  SERVICES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
  DAMAGES. THE EXCLUSION OF
  DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND
  SURVIVES IN THE EVENT SUCH
  REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS OTHERWISE DEEMED
  UNENFORCEABLE. THESE LIMITATIONS AND
  EXCLUSIONS APPLY WITHOUT REGARD TO WHETHER THE DAMAGES ARISE FROM (A)
  BREACH OF CONTRACT, (B) BREACH
  OF WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE
  EXTENT SUCH EXCLUSION AND
  LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT AGREE WITH
  ANY PART OF THESE TERMS
  OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM AGAINST ZILLOW.COM OR ITS
  SUPPLIERS WITH RESPECT TO THESE
  TERMS OF USE OR THE SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO
  DISCONTINUE USING THE
  SERVICES.
 
  Now that's pretty iron-clad legally, I think, that no matter what you do,
  password or otherwise, they're not going to pay for it. Quite
  bottom-line, my way or the highway, especially that last clause...




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297476


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Oh, come on James!  What's a little cannibalism between friends! :o)


 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 6:44 PM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 Depending on local laws, there are some things to which you simply
 can't agree. For example, I can't agree that you can kill me and cook
 me for dinner tonight - in most locations you are still going to be
 charged with murder, no matter what agreements we had in place.
 
 On Jan 26, 2008 5:40 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
  I agree to a point, Claude... you're right that anything can
  be overturned, but having a prior agreement is always good to have
  on your side in court.
 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297506


Re: SSL Necessary? Important?

2008-01-25 Thread James Holmes
Depending on local laws, there are some things to which you simply
can't agree. For example, I can't agree that you can kill me and cook
me for dinner tonight - in most locations you are still going to be
charged with murder, no matter what agreements we had in place.

On Jan 26, 2008 5:40 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
 I agree to a point, Claude... you're right that anything can
 be overturned, but having a prior agreement is always good to have
 on your side in court.

 There would have to be gross negligence on a company's part to
 have the prior legal agreement ignored.

 I think everyone in our discussion is right, to a point.

 And, btw, I have no connection to Zillow.com.  I just happened to
 be on that site when the question about liability came up.

 I will say that if I ever do get sued because passwords and usernames
 were stolen from my company and I lost a case because someone's bank
 account was drained because it used the same password and username,
 I would absolutely start forcing my passwords on everyone.

 To this point, I've had no problem.  And we all try to balance
 user-friendliness and security.  But someone is always being bitten.
 Everyone is just playing a game of Russian Roulette and hoping we're
 not the one facing a round in the chamber.

 Rick

  -Original Message-
  From: Claude Schneegans [mailto:[EMAIL PROTECTED]
  Sent: Friday, January 25, 2008 1:36 PM
  To: CF-Talk
  Subject: Re: SSL Necessary? Important?
 
   IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
  ANY DAMAGES
 
  I'm sorry, but just from the very beginning, this statement has
  absolutely no value.
  I hope you didn't pay a lawyer to write it.
 
  Nobody can state, in advance or not that he is not liable or responsible.
  ONLY a judge in court can make this decision, only based on facts.
  If you have been careless in an issue, EVEN if you warned the plaintiff that
  you are not liable, the judge can decide that you are responsible.
 
  The only utility of such notice is may be 1. to make unaware customers
  believe they can't go to court,
  2. to make them do their part about security.
 




 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297497


Re: SSL Necessary? Important?

2008-01-25 Thread Claude Schneegans
 IN NO EVENT WILL ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR
ANY DAMAGES

I'm sorry, but just from the very beginning, this statement has 
absolutely no value.
I hope you didn't pay a lawyer to write it.

Nobody can state, in advance or not that he is not liable or responsible.
ONLY a judge in court can make this decision, only based on facts.
If you have been careless in an issue, EVEN if you warned the plaintiff that
you are not liable, the judge can decide that you are responsible.

The only utility of such notice is may be 1. to make unaware customers 
believe they can't go to court,
2. to make them do their part about security.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297448


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
I can assure you that I'm not your wife and there are some areas where I'm
very cut to the chase and other areas where I have learned to be more
flexible I guess. :)

On Jan 25, 2008 11:40 AM, Rick Faircloth wrote:

 You sound like my wife who's always telling me to be more civil and stop
 that my way or the highway kind of talk when I discuss issues.  It's not
 that it's my way or the highway, I just tend to cut to the chase in
 getting
 to the bottom line and not phrasing my position very diplomatically.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297444


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Here's some of the Terms for use of Zillow.com... a Real Estate listing
website.

9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL ZILLOW.COM OR ANY
SUPPLIER BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY INDIRECT,
CONSEQUENTIAL, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES ARISING OUT OF, BASED
ON, OR RESULTING FROM THESE TERMS OF USE OR YOUR USE OF THE SERVICES, EVEN IF
SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE EXCLUSION
OF DAMAGES UNDER THIS PARAGRAPH IS INDEPENDENT OF YOUR EXCLUSIVE REMEDY AND
SURVIVES IN THE EVENT SUCH REMEDY FAILS OF ITS ESSENTIAL PURPOSE OR IS
OTHERWISE DEEMED UNENFORCEABLE. THESE LIMITATIONS AND EXCLUSIONS APPLY WITHOUT
REGARD TO WHETHER THE DAMAGES ARISE FROM (A) BREACH OF CONTRACT, (B) BREACH OF
WARRANTY, (C) NEGLIGENCE, OR (D) ANY OTHER CAUSE OF ACTION, TO THE EXTENT SUCH
EXCLUSION AND LIMITATIONS ARE NOT PROHIBITED BY APPLICABLE LAW. IF YOU DO NOT
AGREE WITH ANY PART OF THESE TERMS OF USE, OR YOU HAVE ANY DISPUTE OR CLAIM
AGAINST ZILLOW.COM OR ITS SUPPLIERS WITH RESPECT TO THESE TERMS OF USE OR THE
SERVICES, THEN YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE
SERVICES.

Now that's pretty iron-clad legally, I think, that no matter what you do,
password or otherwise, they're not going to pay for it. Quite
bottom-line, my way or the highway, especially that last clause...



 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 11:04 AM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 Rick,
 
 I get it.  I do.  What I'm suggesting is instead of cramming down a password
 down the throat to use clearly written English description of what a STRONG
 password would be and to use validation to determine what's a strong / weak
 passwords.  There's plenty of javascript / serverside validation methods for
 doing this, it doesn't take that long to write a custom one.  I wrote a
 custom one that I thought was pretty good until I came across a password
 issue that I had to debug and during that time, I realized that the client
 was using their email address as a password so I beefed up my validation
 even more and wrote another bullet of "you can't use (first name, last name,
 email address, phone number, etc)".
 
 People do the damnedest things and they don't think about their own security
 sometimes, but I would still rather write the rules up and enforce those
 rules than say "my way or the highway".  When I come across issues like
 that, I have 2 simple little actions in my admin 1.) Force new password
 upon next login or 2.) Send new random strong password now and make them
 change it upon next login.
 
 I want them to be educated and use a strong password that they're going to
 remember and they're not going to write it down on a slip of paper because I
 won't let them change it otherwise.  Anyway, we'll just agree to disagree.
 It's ok.  Two very valid opinions.
 
 ~Todd
 
 On Jan 25, 2008 10:43 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
 
  I don't see anywhere in those terms that a lawyer could *without a doubt*
  use to hold Google harmless if Google's servers were hacked (their fault)
  and a client's login info stolen and used to access a bank account.
 
  I think a jury would see Google as liable for their failed security.
  But I'm no lawyer...
 
  I do however, begin to get concerned when clients want their personal data
  secured that a weak password could come back to bite them and me as
  well.
  The weak password, it would seem to me, would have to be the result of a
  user's sole choice, bypassing all guidance and cautions that I provide,
  including
  a strong password option.
 
  It is an interesting discussion.  As my clients become more widespread and
  less
  personal, the chance of lawsuits increases.
 
  Just want to protect my assets...
 
  Rick
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297439
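The validation rule quoted in the message above (a password may not be built from the user's first name, last name, e-mail address or phone number) can be written as a small server-side or client-side check. This is an added example, not Todd's code; the function names, the thresholds and the sample user record are assumptions. Length is the only strength requirement, so a long passphrase of the kind Dave Watts links to passes.

```javascript
// Added example: reject passwords derived from the user's own profile data.
// Thresholds below are assumptions for this example, not values from the thread.
const MIN_LENGTH = 12;         // minimum password length
const MIN_DISTINCT_CHARS = 5;  // catches "aaaaaaaaaaaa"-style passwords
const MIN_TOKEN_LENGTH = 3;    // ignore profile values too short to match safely

// Lower-case and drop everything except a-z and 0-9, so that
// "Jordan.Rivera", "jordan_rivera" and "JORDAN RIVERA" compare equal.
function normalize(value) {
  return String(value || '').toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Build the list of strings the password must not contain: token -> label.
function personalTokens(user) {
  const tokens = new Map();
  const add = (label, value) => {
    const token = normalize(value);
    if (token.length >= MIN_TOKEN_LENGTH && !tokens.has(token)) {
      tokens.set(token, label);
    }
  };
  add('first name', user.firstName);
  add('last name', user.lastName);
  add('email address', user.email);
  add('email address', String(user.email || '').split('@')[0]); // local part
  add('phone number', user.phone);
  add('phone number', normalize(user.phone).slice(-7));         // local number
  return tokens;
}

// Return { ok, problems } so the caller can show the user each failed rule.
function checkPassword(password, user) {
  const problems = new Set();
  const pw = String(password);
  if (pw.length < MIN_LENGTH) {
    problems.add(`shorter than ${MIN_LENGTH} characters`);
  }
  if (new Set(pw.toLowerCase()).size < MIN_DISTINCT_CHARS) {
    problems.add('too few distinct characters');
  }
  const flat = normalize(pw);
  for (const [token, label] of personalTokens(user)) {
    if (flat.includes(token)) problems.add(`contains your ${label}`);
  }
  return { ok: problems.size === 0, problems: [...problems] };
}

// Constructed sample user record.
const SAMPLE_USER = {
  firstName: 'Jordan',
  lastName: 'Rivera',
  email: 'jordan.rivera@example.com',
  phone: '(555) 010-4477',
};

for (const candidate of [
  'jordan.rivera@example.com',     // the case from the thread: e-mail as password
  'Rivera-555-010-4477',
  'correct horse battery staple',  // passphrase: long, no profile data
]) {
  console.log(candidate, '=>', JSON.stringify(checkPassword(candidate, SAMPLE_USER)));
}
```

The same check has to run on the server even when it also runs in the browser, since client-side validation can be bypassed.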


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
You sound like my wife who's always telling me to be more civil and stop
that my way or the highway kind of talk when I discuss issues.  It's not
that it's my way or the highway, I just tend to cut to the chase in getting
to the bottom line and not phrasing my position very diplomatically.

Besides, I've only had half a cup of coffee this morning at this point.  :o| (Aaarf!)

Anyway, the problem with strong passwords is they're not easily, if at all,
memorable.  I'd rather a user have strong passwords, different ones for every
instance where they need one, and write them down (preferably not on a
post-it-note on the screen ;o) where they can access them, than to try to
remember all the passwords they use, which can literally be hundreds, these days.

The biggest danger is not when someone robs their home (don't put the bank
account passwords on paper), but hackers gaining access via email snooping,
intercepting data flow, or breaking into companies that maintain confidential data.

At least if someone breaks into my home, I know that my passwords are
compromised.  If they just get the info from an online account, I wouldn't
have a clue for awhile.

Rick

 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 11:04 AM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 Rick,
 
 I get it.  I do.  What I'm suggesting is instead of cramming down a password
 down the throat to use clearly written English description of what a STRONG
 password would be and to use validation to determine what's a strong / weak
 passwords.  There's plenty of javascript / serverside validation methods for
 doing this, it doesn't take that long to write a custom one.  I wrote a
 custom one that I thought was pretty good until I came across a password
 issue that I had to debug and during that time, I realized that the client
 was using their email address as a password so I beefed up my validation
 even more and wrote another bullet of "you can't use (first name, last name,
 email address, phone number, etc)".
 
 People do the damnedest things and they don't think about their own security
 sometimes, but I would still rather write the rules up and enforce those
 rules than say "my way or the highway".  When I come across issues like
 that, I have 2 simple little actions in my admin 1.) Force new password
 upon next login or 2.) Send new random strong password now and make them
 change it upon next login.
 
 I want them to be educated and use a strong password that they're going to
 remember and they're not going to write it down on a slip of paper because I
 won't let them change it otherwise.  Anyway, we'll just agree to disagree.
 It's ok.  Two very valid opinions.
 
 ~Todd
 
 On Jan 25, 2008 10:43 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
 
  I don't see anywhere in those terms that a lawyer could *without a doubt*
  use to hold Google harmless if Google's servers were hacked (their fault)
  and a client's login info stolen and used to access a bank account.
 
  I think a jury would see Google as liable for their failed security.
  But I'm no lawyer...
 
  I do however, begin to get concerned when clients want their personal data
  secured that a weak password could come back to bite them and me as
  well.
  The weak password, it would seem to me, would have to be the result of a
  user's sole choice, bypassing all guidance and cautions that I provide,
  including
  a strong password option.
 
  It is an interesting discussion.  As my clients become more widespread and
  less
  personal, the chance of lawsuits increases.
 
  Just want to protect my assets...
 
  Rick
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297437


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Rick,

I get it.  I do.  What I'm suggesting is instead of cramming down a password
down the throat to use clearly written english description of what a STRONG
password would be and to use validation to determine what's a strong / weak
passwords.  There's plenty of javascript / serverside validation methods for
doing this, it doesn't take that long to write a custom one.  I wrote a
custom one that I thought was pretty good until I came across a password
issue that I had to debug and during that time, I realized that the client
was using their email address as a password so I beefed up my validation
even more and wrote another bullet of you can't use (first name, last name,
email address, phone number, etc).

People do the damndest things and they don't think about their own security
sometimes, but I would still rather write the rules up and enforce those
rules than say my way or the highway.  When I come across issues like
that, I have a 2 simple little actions in my admin 1.) Force new password
upon next login or 2.) Send new random strong password now and make them
change it upon next login.

I want them to be educated and use a strong password that they're going to
remember and they're not going to write it down on a slip of paper because I
won't let them change it otherwise.  Anyway, we'll just agree to disagree.
It's ok.  Two very valid opinions.

~Todd

On Jan 25, 2008 10:43 AM, Rick Faircloth [EMAIL PROTECTED] wrote:

 I don't see anywhere in those terms that a lawyer could *without a doubt*
 use to hold Google harmless if Google's servers were hacked (their fault)
 and a client's login info stolen and used to access a bank account.

 I think a jury would see Google as liable for their failed security.
 But I'm no lawyer...

 I do however, begin to get concerned when clients want their personal data
 secured that a weak password could come back to bite them and me as
 well.
 The weak password, it would seem to me, would have to be the result of a
 user's sole choice, bypassing all guidance and cautions that I provide,
 including
 a strong password option.

 It is an interesting discussion.  As my clients become more widespread and
 less
 personal, the chance of lawsuits increases.

 Just want to protect my assets...

 Rick



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297427
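
An added example, not code from the thread or from any poster: a server-side check along the lines Todd describes above, which reports failures as plain-English rules and rejects a password that contains the user's own name, email address or phone number. The thresholds, function names and sample profile are assumptions made for illustration.

```javascript
// Added example: server-side password policy check (all names hypothetical).
// Thresholds are assumptions; the thread does not specify any.
const POLICY = { minLength: 12, minTokenLength: 3 };

// Plain-English rule text shown to the user, keyed by rule id.
const RULES = {
  length: `Use at least ${POLICY.minLength} characters.`,
  mixedCase: 'Mix upper-case and lower-case letters.',
  nonLetter: 'Include at least one digit or symbol.',
  personal: 'Do not use your first name, last name, email address or phone number.',
};

// Lower-case and strip everything except letters and digits, so that
// "Jane.Doe" and "jane-doe" compare equal.
function normalize(text) {
  return String(text ?? '')
    .normalize('NFKC')
    .toLowerCase()
    .replace(/[^\p{L}\p{N}]/gu, '');
}

// Build the list of personal strings a password must not contain.
function personalTokens(profile) {
  const raw = [profile.firstName, profile.lastName, profile.username];
  if (profile.email) {
    const local = profile.email.split('@')[0];
    // Whole address, the part before "@", and its dot/dash separated pieces.
    raw.push(profile.email, local, ...local.split(/[._+-]/));
  }
  if (profile.phone) {
    const digits = profile.phone.replace(/\D/g, '');
    // Full number plus the forms people usually type (without country/area code).
    raw.push(digits, digits.slice(-10), digits.slice(-7));
  }
  const tokens = new Set();
  for (const item of raw) {
    const token = normalize(item);
    // Very short tokens ("al", "li") would reject too many unrelated passwords.
    if (token.length >= POLICY.minTokenLength) tokens.add(token);
  }
  return [...tokens];
}

// Returns { ok, failures } where failures is a list of rule ids from RULES.
function checkPassword(password, profile) {
  if (typeof password !== 'string') return { ok: false, failures: ['length'] };
  const failures = [];
  if ([...password].length < POLICY.minLength) failures.push('length');
  if (!/\p{Ll}/u.test(password) || !/\p{Lu}/u.test(password)) failures.push('mixedCase');
  if (!/\p{N}/u.test(password) && !/[^\p{L}\p{N}\s]/u.test(password)) failures.push('nonLetter');
  const flat = normalize(password);
  if (personalTokens(profile).some((token) => flat.includes(token))) failures.push('personal');
  return { ok: failures.length === 0, failures };
}

// Turn rule ids into the messages to display next to the password field.
function describeFailures(result) {
  return result.failures.map((id) => RULES[id]);
}

// Constructed sample data, not taken from the thread.
const SAMPLE_PROFILE = {
  firstName: 'Jane',
  lastName: 'Doe',
  email: 'jane.doe@example.org',
  phone: '+1 (555) 010-0199',
};

// The case from the post: the email address used as the password.
const emailAsPassword = checkPassword('jane.doe@example.org', SAMPLE_PROFILE);
console.log(emailAsPassword.ok, describeFailures(emailAsPassword));
```

The same function can back the "force new password upon next login" action: run it on the replacement password before accepting the change.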


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Would you consider gmail to be pretty important if you used it daily like I
do?  Let's take a look at what Google says in their EULA:

=
6. Your passwords and account security

6.1 You agree and understand that you are responsible for maintaining the
confidentiality of passwords associated with any account you use to access
the Services.

6.2 Accordingly, you agree that you will be solely responsible to Google for
all activities that occur under your account.

6.3 If you become aware of any unauthorized use of your password or of your
account, you agree to notify Google immediately at [snipped URL].
=

I don't remember that gmail had very strict password rules.  Yet their
legalese basically negates the need since they pretty much label you
responsible for everything that happens under your account.  If my bank gets
hacked because I use my same username / password as my gmail and it was
obtained via gmail somehow, does that legalese mean Google is in the clear?

~Todd

On Jan 25, 2008 9:17 AM, Rick Faircloth [EMAIL PROTECTED] wrote:

 Well, I was just kinda giving the bottom line.  Of course, in the real
 world, a much kinder, gentler way of saying it would be appropriate.

 I can also compromise by letting you choose your password, but stipulate
 that it require one or more of certain characters, a mix of caps and lower
 case, etc.,
 or I can allow you to choose your own password without any stipulations,
 but you have to sign a waiver holding me harmless.

 I don't see that as unreasonable.  You get to decide how to handle your
 password, if you like, but you just can't blame me in the case of a poor
 choice which leads to your ruin.  I'm not going down with you...

 I think that's fair.

 I'll bet most EUA's have something like that buried in their legalese.

 Thoughts?

 Rick


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297417


Re: SSL Necessary? Important?

2008-01-25 Thread Todd
Rick, is it really not possible to compromise?  It's one thing to enforce
and shove a password down my throat... it's something else to educate the
end-user on what a strong password is.

On Jan 25, 2008 8:46 AM, Rick Faircloth [EMAIL PROTECTED] wrote:

 No problem... if you won't let me choose your password to make sure
 you and I are both protected, then you have to agree not to hold me
 accountable for any problems that occur as a result of your weak
 password.  Accept a strong password, or sign a waiver... simple.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297413


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
No problem... if you won't let me choose your password to make sure
you and I are both protected, then you have to agree not to hold me
accountable for any problems that occur as a result of your weak
password.  Accept a strong password, or sign a waiver... simple.

 -Original Message-
 From: Rick Root [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 8:20 AM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 On 1/24/08, Rick Faircloth [EMAIL PROTECTED] wrote:
  One solution that I have used is to allow users to choose their username,
  usually just their email address, but I force a very strong password
  on them generated with CF.
 
 Nothing annoys me more, personally, than a web site that won't let me
 choose my own password.  Such sites are rare, thank god.
 
 But second on the list of annoying password things is password rules
 that don't make sense to me or seem random. One bank says your
 password cannot end in a number.  Another says you have to have two
 numbers.
 
 Then you get the sites that don't LET you use special characters.
 That *REALLY* annoys me.  Nothing worse than a web site that forces
 you to lower your password strength to fit their rules.
 
 And finally, I deal with one company that forces your password to all
 lower case.  PSNC Energy does that.  Incredibly lame.
 
 --
 Rick Root
 New Brian Vander Ark Album, songs in the music player and cool behind
 the scenes video at www.myspace.com/brianvanderark
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297412


Re: SSL Necessary? Important?

2008-01-25 Thread Rick Root
On 1/24/08, Rick Faircloth [EMAIL PROTECTED] wrote:
 One solution that I have used is to allow users to choose their username,
 usually just their email address, but I force a very strong password
 on them generated with CF.

Nothing annoys me more, personally, than a web site that won't let me
choose my own password.  Such sites are rare, thank god.

But second on the list of annoying password things is password rules
that don't make sense to me or seem random. One bank says your
password cannot end in a number.  Another says you have to have two
numbers.

Then you get the sites that don't LET you use special characters.
That *REALLY* annoys me.  Nothing worse than a web site that forces
you to lower your password strength to fit their rules.

And finally, I deal with one company that forces your password to all
lower case.  PSNC Energy does that.  Incredibly lame.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297411


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
Well, I was just kinda giving the bottom line.  Of course, in the real
world, a much kinder, gentler way of saying it would be appropriate.

I can also compromise by letting you choose your password, but stipulate
that it require one or more of certain characters, a mix of caps and lower 
case, etc.,
or I can allow you to choose your own password without any stipulations,
but you have to sign a waiver holding me harmless.

I don't see that as unreasonable.  You get to decide how to handle your
password, if you like, but you just can't blame me in the case of a poor
choice which leads to your ruin.  I'm not going down with you...

I think that's fair.

I'll bet most EUA's have something like that buried in their legalese.

Thoughts?

Rick

 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 8:51 AM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 Rick, is it really not possible to compromise?  It's one thing to enforce
 and shove a password down my throat... it's something else to educate the
 end-user on what a strong password is.
 
 On Jan 25, 2008 8:46 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
 
  No problem... if you won't let me choose your password to make sure
  you and I are both protected, then you have to agree not to hold me
  accountable for any problems that occur as a result of your weak
  password.  Accept a strong password, or sign a waiver... simple.
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297415


RE: SSL Necessary? Important?

2008-01-25 Thread Rick Faircloth
I don't see anywhere in those terms that a lawyer could *without a doubt*
use to hold Google harmless if Google's servers were hacked (their fault)
and a client's login info stolen and used to access a bank account.

I think a jury would see Google as liable for their failed security.
But I'm no lawyer...

I do however, begin to get concerned when clients want their personal data
secured that a weak password could come back to bite them and me as well.
The weak password, it would seem to me, would have to be the result of a
user's sole choice, bypassing all guidance and cautions that I provide, 
including
a strong password option.

It is an interesting discussion.  As my clients become more widespread and less
personal, the chance of lawsuits increases.

Just want to protect my assets...

Rick

 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 25, 2008 9:35 AM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 Would you consider gmail to be pretty important if you used it daily like I
 do?  Let's take a look at what Google says in their EULA:
 
 =
 6. Your passwords and account security
 
 6.1 You agree and understand that you are responsible for maintaining the
 confidentiality of passwords associated with any account you use to access
 the Services.
 
 6.2 Accordingly, you agree that you will be solely responsible to Google for
 all activities that occur under your account.
 
 6.3 If you become aware of any unauthorized use of your password or of your
 account, you agree to notify Google immediately at [snipped URL].
 =
 
 I don't remember that gmail had very strict password rules.  Yet their
 legalese basically negates the need since they pretty much label you
 responsible for everything that happens under your account.  If my bank gets
 hacked because I use my same username / password as my gmail and it was
 obtained via gmail somehow, does that legalese mean Google is in the clear?
 
 ~Todd
 
 On Jan 25, 2008 9:17 AM, Rick Faircloth [EMAIL PROTECTED] wrote:
 
  Well, I was just kinda giving the bottom line.  Of course, in the real
  world, a much kinder, gentler way of saying it would be appropriate.
 
  I can also compromise by letting you choose your password, but stipulate
  that it require one or more of certain characters, a mix of caps and lower
  case, etc.,
  or I can allow you to choose your own password without any stipulations,
  but you have to sign a waiver holding me harmless.
 
  I don't see that as unreasonable.  You get to decide how to handle your
  password, if you like, but you just can't blame me in the case of a poor
  choice which leads to your ruin.  I'm not going down with you...
 
  I think that's fair.
 
  I'll bet most EUA's have something like that buried in their legalese.
 
  Thoughts?
 
  Rick
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297424


RE: SSL Necessary? Important?

2008-01-25 Thread Dave Watts
 Here's some of the Terms for use of Zillow.com... a Real 
 Estate listing website.
 
 9. LIABILITY LIMITATION; EXCLUSIVE REMEDY. IN NO EVENT WILL 
 ZILLOW.COM OR ANY SUPPLIER BE LIABLE FOR ANY DAMAGES ...
 
 Now that pretty iron-clad legally, I think, that no matter 
 what you do, password or other-wise, they're not going to pay 
 for it. Quite bottom-line, my way or the highway, 
 especially that last clause...

They can write whatever they want. That doesn't make it legally binding. If
I recall correctly, you generally cannot limit liability in cases of
negligence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297464


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
I don't think SSL is always necessary.  It depends on the content.

However, it is pretty common that many people use the same username and
password for many different systems.

For example, I may log in to my bank's web site using michael and
password.  The bank's web site is secure so I no worry.

Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

So, although it's not necessary, in all cases, you are helping to
protect information, indirectly.

Certificates are pretty inexpensive considering the cost of the loss of
trust from users.

M!ke

-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 23, 2008 7:45 PM
To: CF-Talk
Subject: OT: SSL Necessary? Important?

Hi, all.

Pardon a quick OT question (or two).  I have a client (church) that
wants to have a directory that is accessible to the membership, but not
the general public.  Access will be controlled by password/username
login.

But the church is also asking about an encrypted connection using an SSL
certificate.

Is the SSL encryption overkill for something like this?  Or would it be
advisable?  How big a security risk is there for personal info like
this?
Is it easy to hack without SSL?

Thanks for any feedback.

Rick

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297297


Re: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 Then, I sign up for your church's web site and use the same username and
password combination.  Now, if someone sniffs that unsecured connection,
they now have my bank username and password.

Ok, but it is not the church's responsibility to protect your bank username 
and password.
It's your problem.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297316


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
On Jan 24, 2008 9:57 AM, Dawson, Michael [EMAIL PROTECTED] wrote:

 For example, I may log in to my bank's web site using michael and
 password.  The bank's web site is secure so I no worry.

 Then, I sign up for your church's web site and use the same username and
 password combination.  Now, if someone sniffs that unsecured connection,
 they now have my bank username and password.


While I agree that account identifying information should be encrypted in
the database, I don't agree that the church is responsible for the end
user's stupidity of using the same username/password for every website out
there.

SSL for a church forum/cms login is overkill unless said church is accepting
donations on the website.  If they are, then they should be just as secured
as any other merchant online.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297329


RE: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
Very true... thanks, Michael.

Rick

 -Original Message-
 From: Dawson, Michael [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 24, 2008 9:58 AM
 To: CF-Talk
 Subject: RE: SSL Necessary? Important?
 
 I don't think SSL is always necessary.  It depends on the content.
 
 However, it is pretty common that many people use the same username and
 password for many different systems.
 
 For example, I may log in to my bank's web site using michael and
 password.  The bank's web site is secure so I no worry.
 
 Then, I sign up for your church's web site and use the same username and
 password combination.  Now, if someone sniffs that unsecured connection,
 they now have my bank username and password.
 
 So, although it's not necessary, in all cases, you are helping to
 protect information, indirectly.
 
 Certificates are pretty inexpensive considering the cost of the loss of
 trust from users.
 
 M!ke




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297326


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
While I agree that account identifying information should be encrypted
in the database, I don't agree that the church is responsible for the
end user's stupidity of using the same username/password for every
website out there.

I agree, but tell this to all of the non-techies out there.  We run
across tons of secretaries who use their work user name for their
personal web sites.  They just don't quite understand the separation
between web sites.

M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297342


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.  I'm
sorry, but this thinking is just way backwards.  Should the church also be
responsible if someone stole your ATM card and the PIN number just happened
to be the same as your password?!  YOU made the mistake, not the church.

I'm *in agreement *that account identity information needs to be encrypted
in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael [EMAIL PROTECTED] wrote:

 It doesn't matter whose responsibility it is.  If a bank account gets
 hacked because of the church's web site, it will hurt the credibility of
 the church.

 M!ke


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297345


Re: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Todd [EMAIL PROTECTED] wrote:
 While I agree that account identifying information should be encrypted in
 the database, I don't agree that the church is responsible for the end
 user's stupidity of using the same username/password for every website out
 there.

I would agree, I use special passwords for any of my accounts that
involve credit cards, banks, etc.  I also use special passwords for
my email accounts.

then I don't worry about an unscrupulous web site manager running a
church web site using the password I give the site for anything
important.


In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.  But sometimes, it's easy to decide that it's not worth
the $25/year (though that's really a small price to pay).

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297341


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
It doesn't matter whose responsibility it is.  If a bank account gets
hacked because of the church's web site, it will hurt the credibility of
the church.

M!ke 

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 10:21 AM
To: CF-Talk
Subject: Re: SSL Necessary? Important?


 Then, I sign up for your church's web site and use the same username
and password combination.  Now, if someone sniffs that unsecured
connection, they now have my bank username and password.

Ok, but it is not the church's responsibility to protect your bank username
and password.
It's your problem.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297335


RE: SSL Necessary? Important?

2008-01-24 Thread Dawson, Michael
You are missing my point. I'm not saying a person is not responsible for
their own credentials, however, you know how the media is.

My original point was that it is too inexpensive NOT to secure the
information.  Especially, to protect dummy people from themselves.  I
care about the other guy even if the other guy gots not smarts.

M!ke 

-Original Message-
From: Todd [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 24, 2008 1:58 PM
To: CF-Talk
Subject: Re: SSL Necessary? Important?

o_O

Mike, if your bank account gets hacked dude because YOU used the same
username/password for every site the only person to blame here is YOU.
I'm sorry, but this thinking is just way backwards.  Should the church
also be responsible if someone stole your ATM card and the PIN number
just happened to be the same as your password?!  YOU made the mistake,
not the church.

I'm *in agreement *that account identity information needs to be
encrypted in the database.

On Jan 24, 2008 1:23 PM, Dawson, Michael [EMAIL PROTECTED] wrote:

 It doesn't matter whose responsibility it is.  If a bank account gets 
 hacked because of the church's web site, it will hurt the credibility 
 of the church.

 M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297349


Re: SSL Necessary? Important?

2008-01-24 Thread Todd
Yeah, I will agree with that.  I'm two minds of this apparently.  It's one
thing if a simple forum has my username/password stolen, quite something
different if my SSN was stolen.

My co-worker gave the argument that if a username/password can be traced
back to you and additional information can be gleaned and they can figure
out your bank and manage to log in because your username/password was the
same, then it's the original site that lost the data fault.  My counterpoint
was, If I let you borrow my car and I happened to give you my entire keyring
instead of just giving you the keys to the car, was it your fault or mine
when you got mugged and the keys (password) were taken from you (by a
hacker) my car (data) got stolen and oh, by the way, now my house ( the bank
) got robbed?  In my opinion, We were both at fault there.  I stupidly gave
you my entire keyring and you lost it/got mugged/whatever.

I do understand what you are saying.  I agree that personal identifying
information needs to be encrypted and secured.  SSL (or TSL or whatever the
hell you want to call it now) is an extra layer.  Does SSL belong on a
simple forum?  Not sure.  Does it belong on a site that is doing any kind of
transactions?  Certainly.

I think adding a robust privacy policies and terms of agreements are a good
thing as well.  Ensuring the end user that the data is encrypted and laying
down exactly what you're responsible for.  It's one thing for data to be
compromised on your website, something entirely different when the end user
didn't secure themselves by using the same username/password and now their
bank got cleaned out.

Maybe we all take information for granted for how freely its flowing out
there?  I may have to rethink all this... I have no idea anymore.  I argued
myself into a circle. ;)

On Jan 24, 2008 3:57 PM, Dawson, Michael [EMAIL PROTECTED] wrote:

 You are missing my point. I'm not saying a person is not responsible for
 their own credentials, however, you know how the media is.

 My original point was that it is too inexpensive NOT to secure the
 information.  Especially, to protect dummy people from themselves.  I
 care about the other guy even if the other guy gots not smarts.

 M!ke


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297359


RE: SSL Necessary? Important?

2008-01-24 Thread Rick Faircloth
One solution that I have used is to allow users to choose their username,
usually just their email address, but I force a very strong password
on them generated with CF.  I can control the parameters of the password
and what characters are used as well as what length it is.  They may not
like it, but it's for their protection and mine.  And if they forget that
password, the system simply issues another equally strong one.

Rick

 -Original Message-
 From: Todd [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 24, 2008 2:58 PM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 o_O
 
 Mike, if your bank account gets hacked dude because YOU used the same
 username/password for every site the only person to blame here is YOU.  I'm
 sorry, but this thinking is just way backwards.  Should the church also be
 responsible if someone stole your ATM card and the PIN number just happened
 to be the same as your password?!  YOU made the mistake, not the church.
 
 I'm *in agreement* that account identity information needs to be encrypted
 in the database.
 
 On Jan 24, 2008 1:23 PM, Dawson, Michael [EMAIL PROTECTED] wrote:
 
  It doesn't matter whose responsibility it is.  If a bank account gets
  hacked because of the church's web site, it will hurt the credibility of
  the church.
 
  M!ke
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297356
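
An added example, not part of the post above and written in Python rather than CF: issuing a password from a controlled character set and length using a CSPRNG, then storing only a salted PBKDF2-HMAC-SHA256 hash instead of a single SHA-256 pass. The excluded glyphs, symbol set, default length and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed policy (not from the thread): drop glyphs that are easy to misread
# when a user copies the issued password from an e-mail.
AMBIGUOUS = set("0O1lI")
CLASSES = (
    "".join(c for c in string.ascii_lowercase if c not in AMBIGUOUS),
    "".join(c for c in string.ascii_uppercase if c not in AMBIGUOUS),
    "".join(c for c in string.digits if c not in AMBIGUOUS),
    "!#$%*+-=?@",
)
ALPHABET = "".join(CLASSES)
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def generate_password(length=16):
    """Return a random password with at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length is too short to include every character class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejecting and redrawing keeps the result uniform over valid passwords.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length=16):
    """Upper bound on the entropy of a generated password, in bits."""
    return length * math.log2(len(ALPHABET))


def hash_password(password, salt=None):
    """Return (salt, digest); these two values are all the database stores."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute the hash for a login attempt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


if __name__ == "__main__":
    issued = generate_password()
    salt, digest = hash_password(issued)
    print(issued, round(entropy_bits()), verify_password(issued, salt, digest))
```

Because the password is generated per site, a leak of this site's database or traffic cannot be replayed against the user's other accounts, which is the reuse risk the thread argues about.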


Re: SSL Necessary? Important?

2008-01-24 Thread Claude Schneegans
 In a world of paranoia, SSL is *NEVER* overkill for protecting logins
of any kind.

 provided you assume paranoia...

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297363


Re: SSL Necessary? Important?

2008-01-24 Thread Rick Root
On 1/24/08, Dawson, Michael [EMAIL PROTECTED] wrote:
 It doesn't matter whose responsibility it is.  If a bank account gets
 hacked because of the church's web site, it will hurt the credibility of
 the church.

Yeah but God will protect them from that.

Damn, now I'm going to hell.

-- 
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind
the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297362


RE: SSL Necessary? Important?

2008-01-24 Thread Dave Watts
 Is the SSL encryption overkill for something like this?  Or 
 would it be advisable?  How big a security risk is there for 
 personal info like this?

The security risk is probably acceptable for your client, even if they don't
know that. However, it's so cheap to use SSL that you might as well do that
instead.

 Is it easy to hack without SSL?

SSL/TLS prevents third parties from being able to read traffic between the
two endpoints of an encrypted conversation - the browser and the server. It
doesn't prevent the client from hacking anything, and that may be a more
serious concern. It is very easy to read plaintext data if you're on the
same network segment as an unencrypted conversation. If you go down to your
local coffee shop and use the free wifi, you can easily read data from other
users who aren't using SSL/TLS or tunnelling all their traffic through a VPN
or SSH connection. For example, I give you the wall of sheep:

http://blog.makezine.com/archive/2005/07/_defcon_the_wal.html

But, to see this data, you have to be on the same network segment, which
limits the scope of any surveillance quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297382


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
umm sha i meant

 Will is trying to make fun of u (yes again) but the way I look at it 
 at least you have more than 1 client, he can't say that :)
 
 You can use ssl on there with no big deal.
 If you aren't encrypting your passwords then sure it could be a big 
 deal if someone gets ahold of their username and password and it 
 happens to also unlock.. say their bank account which the people find.
 
 
 generally a good sla 256 hashing is good but if they ask you for ssl 
 then give them ssl to cover your arse.
 
 
 
 Hi, all.
 
 Pardon a quick OT question (or two).  I have a client (church) that 
 wants
 to have a directory that is accessible to the membership, but not 
 the
 general public.  Access will be controlled by password/username login.
 
 
 But the church is also asking about an encrypted connection using an 
 SSL
 certificate.
 
 Is the SSL encryption overkill for something like this?  Or would it 
 be
 advisable?  How big a security risk is there for personal info like 
 this?
 Is it easy to hack without SSL?
 
 Thanks for any feedback.
 
 Rick 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297246


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
Will is trying to make fun of u (yes again) but the way I look at it at least 
you have more than 1 client, he can't say that :)

You can use ssl on there with no big deal.
If you aren't encrypting your passwords then sure it could be a big deal if 
someone gets ahold of their username and password and it happens to also 
unlock.. say their bank account which the people find.

generally a good sla 256 hashing is good but if they ask you for ssl then give 
them ssl to cover your arse.



Hi, all.

Pardon a quick OT question (or two).  I have a client (church) that wants
to have a directory that is accessible to the membership, but not the
general public.  Access will be controlled by password/username login.

But the church is also asking about an encrypted connection using an SSL
certificate.

Is the SSL encryption overkill for something like this?  Or would it be
advisable?  How big a security risk is there for personal info like this?
Is it easy to hack without SSL?

Thanks for any feedback.

Rick 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297245


Re: SSL Necessary? Important?

2008-01-23 Thread Dave l
lol, so prove me wrong!!! 
captain lady killer ;)~


Rick,

Don't believe anything dave says. He's just disrupting again. 

Anyway, do *I* look like I would make fun of you?   :)

Will 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297255


RE: SSL Necessary? Important?

2008-01-23 Thread Rick Faircloth
 sla 256 hashing

I know I'm generally behind the times, so I thought maybe
that was some new encryption technology.  ;o)

 Will is trying to make fun of u (yes again)

I feel honored to garner such attention from Will... however,
I didn't see a message from him.  Maybe it'll come in soon.
Wouldn't want to miss it, you know!


 -Original Message-
 From: Dave l [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 23, 2008 8:54 PM
 To: CF-Talk
 Subject: Re: SSL Necessary? Important?
 
 umm sha i meant
 
  Will is trying to make fun of u (yes again) but the way I look at it
  at least you have more than 1 client, he can't say that :)
 
  You can use ssl on there with no big deal.
  If you aren't encrypting your passwords then sure it could be a big
  deal if someone gets ahold of their username and password and it
  happens to also unlock.. say their bank account which the people find.
 
 
  generally a good sla 256 hashing is good but if they ask you for ssl
  then give them ssl to cover your arse.
 
 
 
  Hi, all.
  
  Pardon a quick OT question (or two).  I have a client (church) that
  wants
  to have a directory that is accessible to the membership, but not
  the
  general public.  Access will be controlled by password/username login.
 
  
  But the church is also asking about an encrypted connection using an
  SSL
  certificate.
  
  Is the SSL encryption overkill for something like this?  Or would it
  be
  advisable?  How big a security risk is there for personal info like
  this?
  Is it easy to hack without SSL?
  
  Thanks for any feedback.
  
  Rick
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297260


Re: SSL Necessary? Important?

2008-01-23 Thread Will Tomlinson
Rick,

Don't believe anything dave says. He's just disrupting again. 

Anyway, do *I* look like I would make fun of you?   :)

Will 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297254


RE: SSL Installation

2007-06-22 Thread Marius Milosav
Check the port. Something like this:
<cfif cgi.server_port neq 443>
    <cflocation url="https://www.domain.com">
</cfif>

HTH
Marius Milosav 
ScorpioSoft Corp.
www.scorpiosoft.com

-Original Message-
From: Robert Rawlins - Think Blue
[mailto:[EMAIL PROTECTED] 
Sent: June 21, 2007 5:26 PM
To: CF-Talk
Subject: SSL Installation

Hello Guys,

 

I kind of feel a little silly asking this, but net admin never was my strong
point...

 

I've now installed my shiny new ssl certificate and it seems to work just
lovely, if I browse the https:// address then I get the little lock and all
that jazz, now, how do I button down the hatches so the https:// version is
the only version accessible on my site? I'm running win2k3 and IIS6.

 

Thanks for any advice, a quick one would be really great, it's 10.30pm and
I'm still in the office lol

 

Thanks,

 

Rob





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281877


Re: SSL Installation

2007-06-22 Thread Robertson-Ravo, Neil (RX)
Disable port 80 listening :-)







-Original Message-
From: Robert Rawlins - Think Blue
To: CF-Talk
Sent: Thu Jun 21 22:25:53 2007
Subject: SSL Installation

Hello Guys,

 

I kind of feel a little silly asking this, but net admin never was my strong
point...

 

I've now installed my shiny new ssl certificate and it seems to work just
lovely, if I browse the https:// address then I get the little lock and all
that jazz, now, how do I button down the hatches so the https:// version is
the only version accessible on my site? I'm running win2k3 and IIS6.

 

Thanks for any advice, a quick one would be really great, it's 10.30pm and
I'm still in the office lol

 

Thanks,

 

Rob





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281878


Re: SSL Installation

2007-06-21 Thread J.J. Merrick
This is off the top of my head but in CF you can do:

<cfif cgi.HTTPS EQ "off">
 <cflocation url="https://blah.com">
</cfif>

On 6/21/07, Robert Rawlins - Think Blue [EMAIL PROTECTED]
wrote:

 Hello Guys,



 I kind of feel a little silly asking this, but net admin never was my
 strong
 point...



 I've now installed my shiny new ssl certificate and it seems to work just
 lovely, if I browse the https:// address then I get the little lock and
 all
 that jazz, now, how do I button down the hatches so the https:// version
 is
 the only version accessible on my site? I'm running win2k3 and IIS6.



 Thanks for any advice, a quick one would be really great, it's 10.30pm and
 I'm still in the office lol



 Thanks,



 Rob



 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281848


RE: SSL Installation

2007-06-21 Thread Dave Watts
 I've now installed my shiny new ssl certificate and it seems 
 to work just lovely, if I browse the https:// address then I 
 get the little lock and all that jazz, now, how do I button 
 down the hatches so the https:// version is the only version 
 accessible on my site? I'm running win2k3 and IIS6.

In IIS, you can configure your web site properties to require SSL. It's
pretty easy to find in there. If you do this, visitors who attempt to
connect with HTTP will receive an error from the web server.

Alternatively, you can look at the appropriate CGI variable in
Application.cfm/cfc (CFDUMP will show you this) and use CFLOCATION if
necessary. This will be comparatively seamless to the user.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281859


RE: SSL Installation

2007-06-21 Thread Russ
The proper way to do this is to use a rewrite rule with something like ISAPI
rewrite.  Another way to do this would be to configure another virtual site
on port 80 that redirects to https, and take port 80 off of this virtual
site.  

Russ

 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 21, 2007 8:45 PM
 To: CF-Talk
 Subject: RE: SSL Installation
 
  I've now installed my shiny new ssl certificate and it seems
  to work just lovely, if I browse the https:// address then I
  get the little lock and all that jazz, now, how do I button
  down the hatches so the https:// version is the only version
  accessible on my site? I'm running win2k3 and IIS6.
 
 In IIS, you can configure your web site properties to require SSL. It's
 pretty easy to find in there. If you do this, visitors who attempt to
 connect with HTTP will receive an error from the web server.
 
 Alternatively, you can look at the appropriate CGI variable in
 Application.cfm/cfc (CFDUMP will show you this) and use CFLOCATION if
 necessary. This will be comparatively seamless to the user.
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281868


Re: SSL Domain redirect without error message

2007-04-17 Thread George Abraham
Victor,
If you do have access to the web server's configuration, why not define a
site called https://xyzdomain.com and then have a single page in the home
directory there that redirects to the correct site:
https://www.xyzdomain.com? I usually have a single such directory that I
have all such sites point to and there I have a index.cfm page that
essentially has this code:

<cfif ListFirst(CGI.HTTP_HOST,".") NEQ "www">
<cflocation url="https://www.#CGI.HTTP_HOST#" addtoken="No">
</cfif>

or some similar type of code. Other people may have better solutions though.

HTH
George



On 4/17/07, Victor Moore [EMAIL PROTECTED] wrote:

 Hi,

 I have the following scenario:
 site: https://www.xyzdomain.com has a valid SSL certificate
 if users type https://xyzdomain.com they get invalid
 cert error.

 What is the best way to do a redirect (from https://xyzdomain.com to
 https://www.xyzdomain.com) without getting an
 error.
 One possible solution (I think) is to have  a redirect file (basically a
 js
 script) and then pointing the  403.4 message to this file (not tested
 yet).
 Are there any other solutions?

 Thanks
 Victor



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275586


Re: SSL Domain redirect without error message

2007-04-17 Thread Victor Moore
Hi George,

Thank you for your response. Unfortunately it won't work (as far as I can
tell).
I am doing a redirection now, but the message pops up before the redirection
occurs.
Either I'm doing something wrong or the only way to do it is to get a wild
card ssl certificate that covers both domains : www.xyzdomain.com and
xyzdomain.com

Thanks
Victor

On 4/17/07, George Abraham [EMAIL PROTECTED] wrote:

 Victor,
 If you do have access to the web server's configuration, why not define a
 site called https://xyzdomain.com and then have a single page in the home
 directory there that redirects to the correct site:
 https://www.xyzdomain.com? I usually have a single such directory that I
 have all such sites point to and there I have a index.cfm page that
 essentially has this code:

 <cfif ListFirst(CGI.HTTP_HOST,".") NEQ "www">
 <cflocation url="https://www.#CGI.HTTP_HOST#" addtoken="No">
 </cfif>

 or some similar type of code. Other people may have better solutions
 though.

 HTH
 George




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275589


Re: SSL Domain redirect without error message

2007-04-17 Thread George Abraham
Hmm, that is true, the middle site would also have to have the SSL cert
cover it.

George

On 4/17/07, Victor Moore [EMAIL PROTECTED] wrote:

 Hi George,

 Thank you for your response. Unfortunately it won't work (as far as I can
 tell).
 I am doing a redirection now, but the message pops up before the
 redirection
 occurs.
 Either I'm doing something wrong or the only way to do it is to get a wild
 card ssl certificate that covers both domains : www.xyzdomain.com and
 xyzdomain.com

 Thanks
 Victor

 On 4/17/07, George Abraham [EMAIL PROTECTED] wrote:
 
  Victor,
  If you do have access to the web server's configuration, why not define
 a
  site called https://xyzdomain.com and then have a single page in the
 home
  directory there that redirects to the correct site:
  https://www.xyzdomain.com? I usually have a single such directory that I
  have all such sites point to and there I have a index.cfm page that
  essentially has this code:
 
  <cfif ListFirst(CGI.HTTP_HOST,".") NEQ "www">
  <cflocation url="https://www.#CGI.HTTP_HOST#" addtoken="No">
  </cfif>
 
  or some similar type of code. Other people may have better solutions
  though.
 
  HTH
  George
 
 


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275595


Re: SSL Domain redirect without error message

2007-04-17 Thread George Abraham
You know, the best thing to do might be to give them a domain not found
error when they enter in xyzdomain.com. That way, they do recheck the
address.

George

On 4/17/07, George Abraham [EMAIL PROTECTED] wrote:

 Hmm, that is true, the middle site would also have to have the SSL cert
 cover it.

 George

 On 4/17/07, Victor Moore  [EMAIL PROTECTED] wrote:
 
  Hi George,
 
  Thank you for your response. Unfortunately it won't work (as far as I
  can
  tell).
  I am doing a redirection now, but the message pops up before the
  redirection
  occurs.
  Either I'm doing something wrong or the only way to do it is to get a
  wild
  card ssl certificate that covers both domains : www.xyzdomain.com and
  xyzdomain.com
 
  Thanks
  Victor
 
  On 4/17/07, George Abraham  [EMAIL PROTECTED] wrote:
  
   Victor,
   If you do have access to the web server's configuration, why not
  define a
   site called https://xyzdomain.com and then have a single page in the
  home
   directory there that redirects to the correct site:
   https://www.xyzdomain.com ? I usually have a single such directory
  that I
   have all such sites point to and there I have a index.cfm page that
   essentially has this code:
  
   <cfif ListFirst(CGI.HTTP_HOST,".") NEQ "www">
   <cflocation url="https://www.#CGI.HTTP_HOST#" addtoken="No">
   </cfif>
  
   or some similar type of code. Other people may have better solutions
   though.
  
   HTH
   George
  
  
 
 
  

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275596


Re: SSL Domain redirect without error message

2007-04-17 Thread Jordan Michaels
You would need to do this at the web server level. Are you running 
Apache or IIS? If you're running Apache, I could give you some code that 
would do this for you. ;) If you're running IIS, Google for information 
on setting up a 301 redirect.

Because this redirection is done at the web server level (as opposed to 
sending something to the client machine like a CFLOCATION would do) I'm 
95% sure that this will give you a redirect without an error message. 
The CFLOCATION (or javascript, or whatever) requires the web server to 
send a response back to the client. This will result in the SSL error 
which you're trying to avoid.

Hope this helps!

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
BlueDragon Alliance Member
[EMAIL PROTECTED]


Victor Moore wrote:
 Hi,
 
 I have the following scenario:
 site: https://www.xyzdomain.com has a valid SSL certificate
 if users type https://xyzdomain.com they get invalid
 cert error.
 
 What is the best way to do a redirect (from https://xyzdomain.com to
 https://www.xyzdomain.com) without getting an
 error.
 One possible solution (I think) is to have  a redirect file (basically a js
 script) and then pointing the  403.4 message to this file (not tested yet).
 Are there any other solutions?
 
 Thanks
 Victor
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275600


RE: SSL Domain redirect without error message

2007-04-17 Thread Stephens, Larry V
I have a certificate on my basketbasics.com account (in that name). I
use a javascript redirect in the root that redirects either
basketbasics.com or www.basketbasics.com and it works okay for me. (See
below) I don't know if how the certificate is installed is a function of
this or not.

<script language="JavaScript">
<!--

s = location.search;

if ( location.hostname.toLowerCase() == "www.basketbasics.com" ) {

    window.location = "https://BasketBasics.com/BasketBasics/index.html" + s;

} else if ( location.hostname.toLowerCase() == "basketbasics.com" ) {

    window.location = "https://BasketBasics.com/BasketBasics/index.html" + s;

} else if ( location.hostname.toLowerCase() == "www.indiancreekbluegrass.com" ) {

    window.location = "http://www.IndianCreekBluegrass.com/IndianCreekBluegrass/index.html" + s;

} else if ( location.hostname.toLowerCase() == "indiancreekbluegrass.com" ) {

    window.location = "http://www.IndianCreekBluegrass.com/IndianCreekBluegrass/index.html" + s;

And so on. I have several domain names pointed here and this script
processes all of them in the same manner with an else statement at the
end that is blank, i.e., the webserver serves up the text in the file
holding this code (index.html in the root).

If it's not obvious, the Basketbasics.com redirects right back to the
root again (using the name on the certificate) and the rest takes them
to the proper directory.

 

-Original Message-
From: Victor Moore [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 17, 2007 10:15 AM
To: CF-Talk
Subject: SSL Domain redirect without error message

Hi,

I have the following scenario:
site: https://www.xyzdomain.com has a valid SSL certificate if users
type https://xyzdomain.com they get invalid cert error.

What is the best way to do a redirect (from https://xyzdomain.com to
https://www.xyzdomain.com) without getting an
error.
One possible solution (I think) is to have  a redirect file (basically a
js
script) and then pointing the  403.4 message to this file (not tested
yet).
Are there any other solutions?

Thanks
Victor




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275605


Re: SSL Domain redirect without error message

2007-04-17 Thread Victor Moore
Hi Stephens,

I'm afraid this won't work either. Your SSL certificate is for the
basketbasics.com domain.
If you type https://www.basketbasics.com you will get a browser notification
message and thinking about the purpose of an SSL certificate it makes sense.

Thanks

Victor

On 4/17/07, Stephens, Larry V [EMAIL PROTECTED] wrote:

 I have a certificate on my basketbasics.com account (in that name). I
 use a javascript redirect in the root that redirects either
 basketbasics.com or www.basketbasics.com and it works okay for me. (See
 below) I don't know if how the certificate is installed is a function of
 this or not.

 <script language="JavaScript">
 <!--

 s = location.search;

 if ( location.hostname.toLowerCase() == "www.basketbasics.com" ) {

 window.location =
 "https://BasketBasics.com/BasketBasics/index.html" + s;
 } else if ( location.hostname.toLowerCase() == "basketbasics.com" ) {

 window.location =
 "https://BasketBasics.com/BasketBasics/index.html" + s;

 } else if ( location.hostname.toLowerCase() ==
 "www.indiancreekbluegrass.com" ) {

 window.location =
 "http://www.IndianCreekBluegrass.com/IndianCreekBluegrass/index.html" +
 s;

 } else if ( location.hostname.toLowerCase() ==
 "indiancreekbluegrass.com" ) {

 window.location =
 "http://www.IndianCreekBluegrass.com/IndianCreekBluegrass/index.html" +
 s;

 And so on. I have several domain names pointed here and this script
 processes all of them in the same manner with an else statement at the
 end that is blank, i.e., the webserver serves up the text in the file
 holding this code (index.html in the root).

 If it's not obvious, the Basketbasics.com redirects right back to the
 root again (using the name on the certificate) and the rest takes them
 to the proper directory.




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275639


RE: SSL Domain redirect without error message

2007-04-17 Thread Dave Watts
 You would need to do this at the web server level. Are you 
 running Apache or IIS? If you're running Apache, I could give 
 you some code that would do this for you. ;) If you're 
 running IIS, Google for information on setting up a 301 redirect.
 
 Because this redirection is done at the web server level (as 
 opposed to sending something to the client machine like a 
 CFLOCATION would do) I'm 95% sure that this will give you a 
 redirect without an error message. 
 The CFLOCATION (or javascript, or whatever) requires the web 
 server to send a response back to the client. This will 
 result in the SSL error which you're trying to avoid.

I don't think that would work, either. The client will check the server's
certificate for validity before any response is sent to the client; in fact,
before the HTTP request is actually made by the client. Only after the SSL
handshake is successful, does any actual request data get sent to the
server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275648
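
The ordering described in the reply above, modelled as an added example (not code from the thread): the certificate name check happens during the handshake, so a server-side 301 is only reachable when the certificate already covers the requested host name. Matching follows RFC 6125 conventions, including single-label wildcards; the certificate name lists and the `serverHandle` redirect rule are constructed for illustration.

```javascript
// Constructed model of what a browser does for https://<host>/ (not real TLS).
// Host names follow the thread's example domain; certificate contents are made up.

// RFC 6125-style match: exact name, or "*." covering exactly one leftmost label.
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*.")) return p === h;
  const dot = h.indexOf(".");
  return dot > 0 && h.slice(dot) === p.slice(1);
}

function certCoversHost(certNames, host) {
  return certNames.some((name) => nameMatches(name, host));
}

// The redirect rule lives at the HTTP layer (hypothetical server rule).
function serverHandle(host) {
  if (host.toLowerCase() === "xyzdomain.com") {
    return { status: 301, location: "https://www.xyzdomain.com/" };
  }
  return { status: 200 };
}

// Step 1: TLS handshake, including the certificate name check.
// Step 2: only if step 1 passed is the HTTP request sent and a redirect readable.
function visit(host, certNames) {
  const events = ["tls-handshake"];
  if (!certCoversHost(certNames, host)) {
    events.push("certificate-warning");
    return { events, response: null }; // the server's redirect rule never runs
  }
  events.push("http-request");
  const response = serverHandle(host);
  events.push("http-response " + response.status);
  return { events, response };
}

const wwwOnly = ["www.xyzdomain.com"];                   // constructed cert names
const bothNames = ["www.xyzdomain.com", "xyzdomain.com"]; // both listed as SANs
const wildcardOnly = ["*.xyzdomain.com"];                 // wildcard entry alone

console.log(visit("xyzdomain.com", wwwOnly).events);
console.log(visit("xyzdomain.com", bothNames).events);
console.log(visit("xyzdomain.com", wildcardOnly).events);
```

A wildcard entry on its own matches `www.xyzdomain.com` but not the bare `xyzdomain.com`, so a certificate meant to serve both has to list the bare name as its own entry.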


RE: SSL Domain redirect without error message

2007-04-17 Thread Dave Watts
 Either I'm doing something wrong or the only way to do it is 
 to get a wild card ssl certificate that covers both domains: 
 www.xyzdomain.com and xyzdomain.com

You're not doing anything wrong, and that's exactly what you'll have to do
if you want people to be able to use either host name.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275649


Re: SSL Domain redirect without error message

2007-04-17 Thread Victor Moore
Thanks Dave,

Like always you are right. As per my previous email, I think it's working
the way it should and the certificate is given for a certain domain and one
shouldn't be able to change it willy-nilly. It will defeat the purpose.

Thanks
Victor

On 4/17/07, Dave Watts [EMAIL PROTECTED] wrote:

  Either I'm doing something wrong or the only way to do it is
  to get a wild card ssl certificate that covers both domains:
  www.xyzdomain.com and xyzdomain.com

 You're not doing anything wrong, and that's exactly what you'll have to do
 if you want people to be able to use either host name.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275651


RE: SSL Domain redirect without error message

2007-04-17 Thread Dave Watts
 Like always you are right.

I wish.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275652


RE: SSL Domain redirect without error message

2007-04-17 Thread Russ
 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 17, 2007 7:49 PM
 To: CF-Talk
 Subject: RE: SSL Domain redirect without error message
 
  Either I'm doing something wrong or the only way to do it is
  to get a wild card ssl certificate that covers both domains:
  www.xyzdomain.com and xyzdomain.com
 
 You're not doing anything wrong, and that's exactly what you'll have to do
 if you want people to be able to use either host name.
 

While I'm not sure if this is the correct solution, and I will defer to Dave
on this, I don't think you need a wild card SSL certificate.  Considering
the pricing I've seen, it's not worth it to get a wildcard certificate for
just two subdomains.  It would make sense to get a separate certificate for
each.  

Considering the pricing of the SSL certificates at GoDaddy or through my
site at X-Registrar.com/SSL ($20/yr for single certificate, $200/yr for
wildcard), it's a no-brainer to pick up an extra SSL certificate, if just to
make the warning go away.  

Russ


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275654


Re: SSL and Flash

2006-12-01 Thread Robertson-Ravo, Neil (RX)
Well 443 is the SSL port.





This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant,
Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business,
Registered in England, Number 678540.  It contains information which is
confidential and may also be privileged.  It is for the exclusive use of the
intended recipient(s).  If you are not the intended recipient(s) please note
that any form of distribution, copying or use of this communication or the
information in it is strictly prohibited and may be unlawful.  If you have
received this communication in error please return it to the sender or call
our switchboard on +44 (0) 20 89107910.  The opinions expressed within this
communication are not necessarily those expressed by Reed Exhibitions. 
Visit our website at http://www.reedexpo.com

-Original Message-
From: Matthew Irwin
To: CF-Talk
Sent: Fri Dec 01 19:06:24 2006
Subject: SSL and Flash

I am trying to use Flash 8, and every time I try to pull up the Flash
form in a secured socket it will not come up, but if I do it outside of SSL
then it will. Is there a port that I need to allow?



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262522


Re: SSL and Flash

2006-12-01 Thread Matthew Irwin
Well 443 is the SSL port.






-Original Message-
From: Matthew Irwin
To: CF-Talk
Sent: Fri Dec 01 19:06:24 2006
Subject: SSL and Flash

I am trying to use Flash 8, and every time I try to pull up the Flash
form in a secured socket it will not come up, but if I do it outside of SSL
then it will. Is there a port that I need to allow?

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262526


Re: SSL and Flash

2006-12-01 Thread Matthew Irwin
I understand that, and that port is open. But would you know why my Flash
Forms will not appear unless I put them under a virtual directory that is not SSL?
Is there a setting in ColdFusion I am missing?
Thanks

Well 443 is the SSL port.






-Original Message-
From: Matthew Irwin
To: CF-Talk
Sent: Fri Dec 01 19:06:24 2006
Subject: SSL and Flash

I am trying to use Flash 8, and every time I try to pull up the Flash
form in a secured socket it will not come up, but if I do it outside of SSL
then it will. Is there a port that I need to allow?

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262529