Regarding SSL
Hi All,
I have one site which is SSL enabled,now Iam deploying one application to the same SSL enabled server .The Application requires financial matter file uploading and downloading facility other than querying some financial data.
Now my question::
1. As my site is SSL enabled do I have to purchase a Digital Certificate for file uploading application ?As what I am planning is I will provide the SHA/MD5 signature alonside the file to be downloaded and the client who logs in with username and password can verify the same at their end.Also the transaction is secured as it is https.
so do I have to purchase a Digital Cert. ?
Also Iam not issuing any certificate to client.
Will the above idea work securely?
Please guide me.
Thanks in advance.
[805 byte] By [
Innovaa] at [2007-10-3 9:23:32]
A certificate is required per SSL server host, and apparently you already have that. You don't need a cert per servlet, or per server application, or whatever it is you're deploying at the server end.
As for whether the above idea will work securely, first define 'securely'.
If the server doesn't need to authenticate the client, and if the clients authenticate the server during the connection process to ensure that they are connected to who they think they are connected to, the clients will receive data that can validly be ascribed as originating at that server.
If you're uploading financial data from the client to the server I personally would want client authentication as well, but it all depends on your security requirements, which you haven't stated.
ejpa at 2007-7-15 4:37:21 >
Thanks ejp
Actually I was planning to authenticate the clients by username and password as the registration process is not going to be like normal registration in sites.The clients registers and then they have to send some proof docs of their authenticity to us and then if OK their login will be activated ...so I feel we have got control over registration process as the users are not going to be masses but Financial Institutions and when they login to our SSL enabled site they will upload files containing financial data and I feel all these will take place through https so it will be secured transaction.
Also the clients will be downloading files from our site and we will be not sending any files to them...Considering all these facts can you suggest my above idea(main post) will work for me.
Thanks in advance
> Actually I was planning to authenticate the clients
> by username and password as the registration process
> is not going to be like normal registration in
> sites.The clients registers and then they have to
> send some proof docs of their authenticity to us and
> then if OK their login will be activated ...so I feel
> we have got control over registration process as the
> users are not going to be masses but Financial
> Institutions and when they login to our SSL enabled
> site they will upload files containing financial data
> and I feel all these will take place through https so
> it will be secured transaction.
That's OK as long as you don't need non-repudiation. If you need non-repudiation, you will need to issue them with a certificate as part of the offline registration process; you will need to set needClientAuth at the server; and you will need to log the peer certificate at the server during each SSL connection formation.
> Also the clients will be downloading files from our
> site and we will be not sending any files to
> them
What is the difference?
I can't advise you what your own security requirements are. Only your business and your legal counsel can do that. Once you have defined the requirements the implementation follows, but don't put the cart before the horse. All I will say is that if you're accepting or providing financial information that's going to be relied on in the legal sense, I would be amazed if you didn't have a strong legal requirement for non-repudiability.
ejpa at 2007-7-15 4:37:22 >
