Archive for the ‘Security’ Category

Forcing SSL for a website in IIS6 the easy way

Monday, September 7th, 2009

Recently our KashGuard project, a user-permissions add-in for KashFlow, required that we force the use of SSL so that our customers' sensitive data would be safe in transit over the Internet.

We needed to ensure that all data sent over https://secure.kashguard.co.uk was encrypted, but we also needed an automatic and graceful redirect should someone try to use regular http.  So what do we do?  We could have added code to all of our pages, or to our base page, or in the global events, to check whether https was used and, if not, issue a redirect to https — you could, but we wouldn't.  Why not?  It would require a code change specifically to force SSL, which would make it harder for our developers to run the site on their local machines when debugging.  It would also make it harder for us to disable SSL should we have any need to.  Finally, it would ignore any non-ASP.NET files that we may want to protect with SSL.

So we decided on a very simple IIS trick using host headers and two websites.  Here’s how:

  1. We created two sites in IIS, one is configured to use port 80, the other is configured to use port 443 for SSL.
  2. The site we created to use port 80 was configured on the Home Directory tab to perform a redirect to https://secure.kashguard.co.uk.  To do this we selected the “A redirection to a URL” option and entered https://secure.kashguard.co.uk in the “Redirect to” box.  We also ticked “A permanent redirection for this resource”, which tells search engines that they should not index the non-SSL website.

Now any traffic attempting to come in on port 80 is permanently redirected to the actual site on port 443.  This avoids placing scripts in the site and took five minutes to implement.  Simples!
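The two-site trick is easy to get subtly wrong: a temporary rather than permanent redirect, a Location that points back to http://, or a fixed target that drops the path the visitor asked for.  The Python below is an added example (not code from the original post) that checks a port-80 response against those conditions.  The sample responses are constructed to resemble IIS 6 redirect headers, the hostname is the one from the post, and probe_http is an optional live helper that needs network access and is not used by the samples.

```python
"""Verify that a plain-http response really forces SSL the way the two-site IIS
trick intends: a permanent redirect to https:// on the expected host.
"""
import http.client
from urllib.parse import urlsplit

# Hostname taken from the post; the sample responses below are constructed.
EXPECTED_HOST = "secure.kashguard.co.uk"


def check_redirect(status, headers, requested_path, expected_host=EXPECTED_HOST):
    """Return a list of findings; an empty list means the redirect is as intended.

    status          -- HTTP status code of the port-80 response
    headers         -- response headers as a dict (case-insensitive lookup)
    requested_path  -- path (and query) the client asked for on port 80
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # The "permanent redirection" tick box in IIS 6 yields a 301; 308 is the
    # modern equivalent. A 302 leaves search engines indexing the http:// site.
    if status not in (301, 308):
        findings.append(f"status {status}: not a permanent redirect, http:// URL may stay indexed")

    loc = hdrs.get("location")
    if loc is None:
        findings.append("no Location header: the client is not redirected at all")
        return findings

    target = urlsplit(loc)
    if target.scheme.lower() != "https":
        findings.append(f"Location scheme is {target.scheme!r}, not https: traffic stays in the clear")
    if target.hostname != expected_host:
        findings.append(f"Location host {target.hostname!r} differs from {expected_host!r}")

    # A fixed "Redirect to" URL sends every request to the site root, so deep
    # links and bookmarks lose their path. Reported as a finding so it is visible.
    if requested_path not in ("", "/") and target.path in ("", "/"):
        findings.append(f"requested path {requested_path!r} dropped: deep links land on the home page")
    return findings


def probe_http(host, path="/", timeout=5):
    """Issue one plain-http GET without following redirects; returns (status, headers).
    Requires network access; not exercised by the constructed samples."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses: (status, headers, requested path).
SAMPLES = {
    "as configured in the post": (301, {"Location": "https://secure.kashguard.co.uk/"}, "/"),
    "temporary redirect":        (302, {"Location": "https://secure.kashguard.co.uk/"}, "/"),
    "points back to http":       (301, {"Location": "http://secure.kashguard.co.uk/"}, "/"),
    "deep link to fixed target": (301, {"Location": "https://secure.kashguard.co.uk"}, "/login.aspx?r=1"),
}


def run_samples():
    """Return {sample name: findings} for every constructed response."""
    return {name: check_redirect(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To keep deep links working with the IIS 6 redirect, append the redirect variables to the target in the “Redirect to” box (`$S` inserts the requested path and `$Q` the query string), so that the check above no longer reports a dropped path.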

Email Security and the peace of mind it brings

Wednesday, August 12th, 2009

What is Email Security and why should I do it?

In the current climate it has never been more important to protect everything you do on the web. Online shopping and banking are two very good examples of when you need to be extra careful when giving out your details, and why should emails be any different?

Emails can contain very sensitive and personal information that you may not want others to see. However, it's possible to digitally sign and encrypt your e-mail. Sending an unencrypted email is like sending a postcard written in pencil (as Comodo Email Security explains).  Anybody can change the content.

How do I get an Email Certificate?

Comodo, suppliers of both Email and SSL certificates, are offering a FREE email certificate for personal use only. With this certificate you can digitally sign every email you send as well as encrypt it, preventing it from being read by third parties. To get your free certificate, simply choose your operating system from the drop-down list on the download page on the Comodo website and press download. A word of warning, however: we found that downloading the certificate in Firefox caused some issues, so to be safe use Internet Explorer.

How do I install the certificate?

For Microsoft Outlook 2007, once you have downloaded the certificate, open up your email client and head to Tools > Trust Center > Email Security. Browse for the certificate you have just downloaded and enable it. It's that easy!  These steps will vary slightly for other e-mail clients.

You can check that your e-mails are now secure by looking in your Sent Items: your outgoing mail will now carry a small certificate icon.
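The certificate icon in Sent Items does not say which protection a message got, and signing and encryption are separate S/MIME layers: a signature proves the content was not altered (the postcard can no longer be edited), while encryption keeps it from being read.  The Python below is an added example, not code from the post or from Comodo, that reads a raw message's MIME structure and reports which layer is present.  The three messages are constructed samples whose base64 bodies are placeholders standing in for real PKCS#7 data; only the structure is inspected.

```python
"""Classify a raw RFC 822 message as S/MIME signed, encrypted, or neither,
from its MIME structure alone (no certificate or key needed).
"""
from email import message_from_string
from email.message import Message

# Both the registered and the legacy "x-" media types are seen in the wild.
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def smime_layers(msg: Message) -> dict:
    """Return {"signed": bool, "encrypted": bool} for the outermost layer.

    Forms recognised:
      multipart/signed; protocol=application/pkcs7-signature   clear-signed
      application/pkcs7-mime; smime-type=signed-data          opaque-signed
      application/pkcs7-mime; smime-type=enveloped-data       encrypted
    A message that was signed and then encrypted shows only the envelope here;
    the inner signature is visible only after decryption with the recipient's key.
    """
    ctype = msg.get_content_type()
    signed = encrypted = False
    if ctype == "multipart/signed":
        # Clear-signed: part 0 is the readable text, part 1 the detached signature.
        parts = msg.get_payload()
        if (msg.get_param("protocol") in SIGNATURE_TYPES
                and isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() in SIGNATURE_TYPES):
            signed = True
    elif ctype in PKCS7_MIME_TYPES:
        stype = (msg.get_param("smime-type") or "").lower()
        if stype == "signed-data":        # integrity only; anyone can unwrap and read it
            signed = True
        elif stype == "enveloped-data":   # confidentiality; needs the recipient's key
            encrypted = True
    return {"signed": signed, "encrypted": encrypted}


def classify(raw: str) -> dict:
    """Parse a raw message string and classify its S/MIME protection."""
    return smime_layers(message_from_string(raw))


# Constructed sample messages (placeholder base64 bodies, not real PKCS#7 blobs).
PLAIN = """From: alice@example.com
To: bob@example.com
Subject: plain
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Sent in the clear: anyone on the path can read or alter this.
"""

CLEAR_SIGNED = """From: alice@example.com
To: bob@example.com
Subject: signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Readable in transit; the detached signature only proves it was not altered.
--B1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBPLACEHOLDERSIGNATURE=
--B1--
"""

ENCRYPTED = """From: alice@example.com
To: bob@example.com
Subject: encrypted
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIIBPLACEHOLDERENVELOPEDDATA=
"""


if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("clear-signed", CLEAR_SIGNED), ("encrypted", ENCRYPTED)):
        print(label, classify(raw))
```

Running it shows the clear-signed sample as signed but not encrypted, which is the case where the certificate icon appears yet the text still travels readable by anyone on the path.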


