Help - ASP and Cryptosystem (SSL/no-SSL)


rubyknight

Hi all, I'm new to this forum, peace.

Intro: For the past few years I've made several ASP/MSSQL on-line database programs, and have always been stuck with the security problem. One of my computers is running LAN (both wired and WiFi) Windows 2003 Server Standard version, running WEB, FTP, and Media services (no DNS, no Active Server).

Problem: My low-end workstation can't handle being an Active Server, thus can't be a CA (Certificate Authority), which is needed by a Web Server with SSL function.

Question:
1. Have I been misguided about the relationship between Active Server, CA, SSL, and ASP?
2. Is there another way to activate SSL with a "virtual" stand-alone CA?
3. Is putting public account details (username and password) in a File Include a good idea? (I've made the password into a complete mp3 file-name, just a small and probably worthless one.)

Thank you.


I'm not sure if you can set up a computer to act as a CA or not. I was under the impression that a CA is something like verisign.com that you purchase the certificate from. I thought the whole point was that the CA needs to be a public, trusted entity, not another computer on the same network as the server. I might be wrong about that though; about all I've done with SSL is to install a certificate on a Windows server.

Storing sensitive information in a file is fine as long as the file cannot be accessed from the public side. If you can pull up the file in a web browser, then you need to consider that a major security threat. You need to deny access to that file from the public, whether that means password protecting the file itself, the entire folder it is in, or moving it out of the web folder altogether. You can also store the password in an encrypted format, but really you don't even want to give the public access to the encrypted version. Having an obscure filename is not a preventative measure if the file contains sensitive information and is publicly available. This is one of the reasons why people store information in databases.


Thanks.

Originally the problem started from database tables that consist of information shared by the public, like e-mail INBOX or ACCOUNTS information. Obviously I don't want them to be accessible by many users with write permissions. So I use another account for public access, and this account information (username and password) I put in the #include file.

I agree, masking the account information under the pretense of an mp3 song file-name is not a good idea. Most intruders would know where to look first. And yes, the #include file is accessible, but denying it to internet users will not allow the file to be used as it is supposed to be, will it? Is there a way to make the variables inside the #include file available to ASP/HTML but NOT available when pulled directly by internet users?

Hmmm... so I take it there is no way to create a CA server without having to install the Active Server service? 'Cause having Active Server and a few other services will greatly increase the burden on my workstation (pretending to be a server).

I'm so worried about this basic security, since all my e-commerce programs have these loopholes.


The best thing to do would be to use a database for user authentication. If you can't do that, then you need to secure the file. Try to lock down the file and see what happens; see if you can still access it.

You could also just make the include file an ASP file. If it is an ASP file, then the browser wouldn't show the code.

<%
username = "123"
password = "xyz"
%>

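The "make the include an ASP file" approach from the answer above, as an added example that is not code from the thread: IIS hands a .asp extension to the script engine, so a direct request returns the processed output rather than the source, whereas an unmapped .inc file is served as plain text. The file names, the SQL login name, the database and table names and the connection string are constructed for the example; the guard against direct requests and the low-privilege, parameterised read are the defensive points.

```asp
<%
' db_config.asp (hypothetical name): credentials for the shared, read-only
' SQL login. Requesting this file directly runs it instead of showing it,
' and the guard below makes even that return nothing useful.
If InStr(LCase(Request.ServerVariables("SCRIPT_NAME")), "db_config.asp") > 0 Then
    Response.Status = "404 Not Found"   ' direct request, not an #include
    Response.End
End If

' Constructed connection string; the login should hold only SELECT on the
' tables the public pages read, so a leaked password cannot alter data.
Dim DB_CONN
DB_CONN = "Provider=SQLOLEDB;Data Source=localhost;Initial Catalog=ShopDb;" & _
          "User ID=web_reader;Password=PLACEHOLDER_PASSWORD"
%>

<!-- default.asp (hypothetical name): the page that uses the include -->
<!-- #include file="db_config.asp" -->
<%
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open DB_CONN

' Parameterised query: the user-supplied category is bound as a value and
' never spliced into the SQL text, so the shared login is not abused via
' string injection either.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                        ' adCmdText
cmd.CommandText = "SELECT Title FROM Products WHERE Category = ?"
cmd.Parameters.Append cmd.CreateParameter("@cat", 200, 1, 50, _
    Request.QueryString("cat"))            ' 200 = adVarChar, 1 = adParamInput

Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Title")) & "<br>"  ' encode on output
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

NTFS permissions on db_config.asp still matter: the IIS worker identity needs read access for the include to work, but interactive and FTP users do not, which is the distinction the earlier post asks about.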

Thanks again.

Last time I tried taking away the file access permission for that include file, it couldn't be used by the web-application service as well... but I could have missed something... I'll try again later and be sure.

Is there a program that can brute-force steal all sessions and their values? If so, then putting the username and password for public SQL access there might be risky too... What do you think about putting the username and password in sessions? What are the ups or downs?

Actually, this puts me back to the start... What is the best practice for storing a public access username and password for internet users through ASP to SQL server?

I'm sorry if I'm making a mess... but thanks.


If you are talking about temporary storage, i.e. when the user closes their browser the values are lost, then the session is fine. If you are storing configuration settings for your application, put them in an ASP file. But I'm a little confused by what you mean here:

> What is the best practice for storing public access username and password for internet users through ASP to SQL server?

> What is the best practice for storing public access username and password for internet users through ASP to SQL server?

Hi again, and thanks for being patient with my questions.

In some cases, I use one SQL account (username/password) for everybody for certain SQL/ASP tasks, and I have been keeping this account information in separate ASA and Include File/s. Is that the best solution?

Plus, I was thinking of putting that purpose completely in the single ASA file. Is that better than the above solution in terms of security?
