DotNetNuke Forums
 
New Post 6/7/2008 2:24 AM
User is offline iadalang
81 posts
10th Ranked


Re: Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password? 

Hi Brandon,

With regard to my site, some of the issues may be easily circumvented as I will be having only the 2 necessary accounts and none other. With regard to hosting, however, my hands are tied, as this is a Government site and the only way we can host it is on NIC servers (www.nic.in) and all sites hosted there have to go through an internal security audit and get through that hurdle before they can be hosted. The methodology being adopted for the audit is as per OWASP top ten (www.owasp.org). Hopefully, this information would have given you a clearer picture of my situation.

Anyway, thank you for ALL of your responses. They've cleared up lots of doubts and I can assure you, once I implement your suggestions and my site gets through internal security audit the next time around, the beer I owe you would never have been forgotten. But of course, I will need your postal address!

 
New Post 6/7/2008 8:09 AM
User is offline Brandon Haynes
701 posts
brandonhaynes.org
7th Ranked


Re: Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password? 

I guess all along I assumed that this was a personal installation, or perhaps for a business on a shoestring budget.  The Indian government really needs to spring for a $200 / year SSL certificate here!  Sheesh :)

If you do wind up using ASP.NET authentication (and not LiveId), I'd consider hashing your passwords instead of encrypting them.  For a government installation, being a higher profile target, it is an easy way to add a little more security in the event of any penetration.

Now I understand why you were obsessed with some of the less important security details.

Glad I could help.  Good luck to you!

Brandon


Brandon Haynes
BrandonHaynes.org
 
New Post 6/10/2008 5:11 AM
User is offline iadalang
81 posts
10th Ranked


Re: Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password? 

Brandon, I've had to reopen this thread, sorry. I installed SelfSSL in a WinXP dev box. Then I set the directory security properties of my DNN site's virtual directory to require SSL. Then in Advanced Settings - SSL Settings I checked on SSL Enabled checkbox only. I could log in, but that dialog about Secure and Insecure Items popped up. OK, I understand that that's because there are some items in my page with http:// instead of https://. Then I found that when I log out, I am sent to an error page that says something to the effect that I need to go through https. Then, I logged in again and enabled SSL Enforced. Since I did that, browsing to http://localhost/dotnetnuke gives me:

The page must be viewed over a secure channel. The page you are trying to view requires the use of "https" in the address.

When I change the URL to https://localhost/dotnetnuke I get:

There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address.


Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

When I click on the "Continue to this website (not recommended)" link, I get: This site is currently unavailable. Please check back later.

Please help - I cannot now access the site anymore!

 

 
New Post 6/10/2008 7:33 AM
User is offline Brandon Haynes
701 posts
brandonhaynes.org
7th Ranked


Re: Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password? 

Hi Iadalang,

I only have a moment to respond to your post, so you'll have to forgive me for being brief.

1) You won't need to set the "require SSL" flag in IIS.  DNN will handle this, and enabling it in IIS will cause problems.

2) You can remove the SSL enforcement within DNN through the database if you are unable to access the site.  Look for the SSLEnforced SettingName in the ModuleSettings table (there will be one entry per portal).

3) I believe you must use SelfSSL to generate a cert for your computer name and not localhost.  If you've already done this, then you will need to update your portalaliases on your dev machine to reflect this.  Going to localhost and trying to use a cert issued to your computer name will cause a mismatch.  You can always click through when this happens, however.  Ultimately you'll be accessing the site through http://mycomputername and not http://localhost.

4) Remember that when using SelfSSL you will still have root-trust issues, and will have to add the cert to every computer that requires security.  Your best bet is still to get the Indian government to spend $200 / year on a real cert.

Hope this helps.

Brandon


Brandon Haynes
BrandonHaynes.org
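
The name mismatch described in point 3 above, as an added example that is not part of the original post or of DotNetNuke: a Python check of which portal aliases a browser would accept for a given certificate. The machine name `DEVBOX01`, the address `192.0.2.10`, the alias list and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(alias):
    """Host part of a portal alias such as 'devbox01/dotnetnuke' (scheme optional)."""
    return urlsplit("//" + alias.split("://")[-1]).hostname or ""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(cert_name, host):
    """Case-insensitive DNS-name match; '*' may replace only the leftmost label."""
    if is_ip(host):
        # Simplification: an IP literal never matches a DNS name or a wildcard.
        return cert_name == host
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*" and len(cert_labels) > 2:
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def audit_aliases(cert_names, aliases):
    """Map each alias to True (name accepted) or False (browser shows a mismatch)."""
    return {a: any(name_matches(n, host_of(a)) for n in cert_names) for a in aliases}

# Constructed sample: a self-signed cert issued to the machine name only.
CERT_NAMES = ["DEVBOX01"]
ALIASES = ["localhost/dotnetnuke", "devbox01/dotnetnuke", "192.0.2.10/dotnetnuke"]

if __name__ == "__main__":
    for alias, ok in audit_aliases(CERT_NAMES, ALIASES).items():
        print(f"{alias:28} {'ok' if ok else 'NAME MISMATCH'}")
```

Only the alias whose host equals the certificate name passes; `localhost` and the bare IP address both trigger the browser warning even though they reach the same site.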
 
New Post 6/11/2008 7:48 AM
User is offline iadalang
81 posts
10th Ranked


Re: Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password? 

Brandon,

I did use SelfSSL to generate a cert for my computer name, not localhost. I updated my portal aliases to reflect this - like mycomputername/dotnetnuke, although localhost/dotnetnuke is also one of them. I also unset the Require SSL flag for my virtual directory in IIS. Everything works perfect now, except that using a URL like http://mycomputername/dotnetnuke from another machine doesn't work - I get a Can't find server error page/message. It only works from another machine if I type IPAddress/dotnetnuke but at the same time, I am

 