Hi, I have a question about this software: does it work encrypted, or do I have to install a certificate (SSL)?
In case a sniffer sees my information.
Is Scriptcase secure?
Yep, if you use https there should be no problem. Scriptcase, once deployed, is nothing more than a database with PHP and a webserver, so it is just like any other webserver.
You should always be aware of network sniffers, but that goes for all traffic.
Under https the parameters for HTTP POST and HTTP GET are always encrypted with SSL, so that should work fine.
I would recommend you to use an OWASP analyzer… you should always deploy your applications after you are completely sure that the top 10 OWASP vulnerabilities are covered.
Regards
Kroto,
Yes, you need to be very aware in a situation like you are describing in your title.
Webserver to Database Security Concerns
Communications between the webserver app (Apache) and the database, if they are on different machines, are vulnerable.
In our case, our Apache servers and our SQL servers have a dedicated non-public connection; the SQL servers are not exposed to the internet at all.
As an alternative, if both servers are exposed, you can easily set up an SSH tunnel between the two servers. Google “SSH Tunneling” for a more in-depth discussion.
Browser to Webserver Security Concerns
You should always use https rather than http if you have a website where users log in.
Using the ScriptCase Security Module without https means that your password is sent in the clear over the internet from your browser to the web site.
You can configure Apache to automatically force a change from http to https. Google “HTTP Strict Transport Security” for more information about this.
Test your Website for Vulnerabilities
And finally, as Kafecadm mentioned above, you should always test your SSL-enabled site for vulnerabilities using a test suite. We use SSL Labs’ free service.
You can see an example of the results of testing an improperly configured SSL website here: test ScriptCase.net
A properly configured SSL on a ScriptCase developed website returns results like this: test sahod.ph
So in summary, enabling SSL properly is much more than installing a certificate.
Hope this helps,
Dave
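As an added example (not Dave’s or ScriptCase’s own configuration), this is the Apache setup the post above describes: a plain-http virtual host that only redirects to https, and an https virtual host that sets the Strict-Transport-Security header so browsers stop using http for the site. The hostname `www.example.com`, the DocumentRoot and the certificate paths are placeholders.

```apache
# Plain-http vhost: its only job is to send the browser to https.
<VirtualHost *:80>
    ServerName www.example.com
    # Permanent (301) redirect; the requested path is appended automatically.
    Redirect permanent / https://www.example.com/
</VirtualHost>

# https vhost: this is where the ScriptCase application is actually served.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/scriptcase-app   # placeholder path

    SSLEngine on
    # Placeholder paths: point these at your own certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Drop the protocol versions that an SSL Labs scan flags as weak.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # HSTS: after the first https visit, browsers refuse plain http to this
    # host for max-age seconds (one year here). Start with a short max-age
    # until you are sure every page works over https, then raise it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

This needs mod_ssl, mod_alias and mod_headers enabled. Send the HSTS header only from the https vhost; browsers ignore it when received over plain http.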
Thanks for your help.
What I mean is: will I have to install a certificate in my application, or can I do it with ScriptCase?
In any case, I will go through everything that you gave me, and I will do everything that you described.
Kind Regards
Francisco
A certificate is needed for the webserver. Well, it isn’t strictly needed, since you can run without a certificate, but any decent website uses https and a certificate nowadays.
On that webserver you can run whatever scriptcase deployment you have.
For testing you can get a free certificate from https://www.startssl.com/ (valid 1 year) or from https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php (valid 90 days), or from other sites (rapidssl.com and so on).