Archive for the ‘Top Tips’ Category


During my time on the web I have noticed how many users have misconceptions about HTTPS or SSL, so hopefully this should help clear a few things up and ensure you're clear about what SSL does and doesn't do, and how to be safe on the web.

Firstly, I would like to explain a bit about HTTPS and try to clear up some of the misunderstandings a lot of people seem to have about it.

HTTPS:// stands for Hyper-Text Transfer Protocol Secure and denotes a secure connection between you and the server. HTTPS is NOT a protocol in itself: it is exactly the same as HTTP except that it adds an extra layer of "security" called SSL (Secure Sockets Layer). When comparing HTTP and HTTPS, the only "physical" difference is that HTTPS uses a different TCP port (usually 443), whereas HTTP uses 80 (or 8080, depending on the server set-up).

SSL was developed by Netscape for, you guessed it, sending files and information via the web without nosy neighbours peeking. SSL uses a cryptographic key system. This system uses two keys to encrypt the data being sent: the first is the public key, which is known to every Tom, Chris and Rumpelstiltskin, and the second is the private key, known only to the intended recipient of the data.

I have come across quite a few people who assume that because a web page says "Secure" it means their information, which often includes full credit card details, is secure for the short journey across cyberspace and the comfy stay on a little server on the other side of the world. However, what most do not understand is that this is not the case: yes, the information cannot easily be sniffed or tapped on its connection between you and the server, but that does not secure its safety once it reaches the server, OR what the webmaster, as well as everyone else who has access to the server (which can often be a lot of people), does with your information.

Just because a server uses SSL (which anybody with a website and a spare £23 ($45) or so can obtain, without any security checks on the website, I might add) doesn't mean the server can't be hacked, or isn't already hacked.

Dodgy webmasters: not only do you have to worry about your personal information being sniffed or viewed in transit, or crackers seeing it while it's sitting on the web server, but what about the actual website administrator? What if he suddenly thinks, "Hey, I have a database full of all the transaction details from when I have sold naff to over the net…"

Getting security certificates validated by browsers.

Now virtually all modern browsers are SSL capable and show some type of alert if the incoming SSL certificate is self-signed or invalid.

I would like to make this perfectly clear: ANY webmaster can set up a secure connection for his/her website(s), and it will have EXACTLY THE SAME level of security as a certificate signed by an authority. The only difference is that many browsers have been "told" by the "certification authorities" that your site is OK!

Otherwise your browsing experience is hindered by warnings (especially with browsers such as Internet Explorer 7 and Google Chrome, which refuse to show the page unless you accept the warning).

If you would like more information about setting up SSL or purchasing an SSL certificate through XDnet, just ask and we can help with the process.

Hopefully this post has helped users understand what SSL does do: it offers an extra layer of protection to your data in transit. It should also help you understand the importance of not providing personal information to just any website on the internet. If you have doubts about the intentions of the webmaster, try asking them about their policies and how they might use your data; if they can't answer honestly about how they process your information, don't risk it.

2008 Sep 25

Spam is a serious issue, especially if you run a website where a contact medium between your users and yourself is critical. In this little "How To" I am going to show you the best way to stop spam, AKA SpamAssassin™.

Most web hosts should provide SpamAssassin™ (especially if they are running cPanel 10). Make sure you enable it and enjoy the benefits (it's really that easy). XDnet offers SpamAssassin™ with all Standard and above accounts, so log in and enjoy the benefits of spam-free email!

If you are a power user you may want to adjust SpamAssassin™'s sensitivity. To alter this, go into the SpamAssassin™ configuration and adjust the "required_score" variable. Keep in mind that the lower the score, the more aggressive SpamAssassin™ will be. I like to keep mine around 4, but it varies from website to website. (Note: this option is available to all VPS and Dedicated clients, so check it out now!)


It seems like everyone is concerned about MySQL injections when it comes to programming; however, there is an easy solution out there! Here are the functions I wrote and have been using for a good few months, and I've never had any problems.

<?php
// The SQL input function. This validates what is inputted and 'cleans' it.
function SQL_Input($input, $is_numeric = FALSE) {
    if ($is_numeric && is_numeric($input)) { // It's a number and it's meant to be a number.
        return $input;
    } else {
        // Anything else: store the PHP-serialised form, e.g. "hello" becomes s:5:"hello";
        return serialize($input); // You can replace this with base64, but I like serialize.
    }
}

// The SQL output function. This converts the stuff pulled from SQL back to normal text.
function SQL_Output($input, $is_numeric = FALSE) {
    if ($is_numeric && is_numeric($input)) { // It's a number and it's meant to be a number.
        return $input;
    } else {
        // Anything else: undo the serialize() done on the way in.
        return unserialize($input);
    }
}

### Example ###
/* In the next example I'm going to pull some data from a table called 'table'.
Here is some info about the table:
ID   - Should only be numbers.
Text - Is some plain text.

And the input is:
$_POST['ID']   - should be a number.
$_POST['Text'] - is some general text.
*/
$result = mysql_query("SELECT * FROM `table` WHERE ID='" . SQL_Input($_POST['ID'], TRUE) . "' AND Text='" . SQL_Input($_POST['Text'], FALSE) . "'");
while ($row = mysql_fetch_assoc($result)) {
    echo '<strong>ID:</strong>' . SQL_Output($row['ID'], TRUE) . "\n";
    echo '<strong>Text:</strong>' . SQL_Output($row['Text'], FALSE) . "\n";
}
?>
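As an added example (my code, not the post's), here is the same lookup written with a PDO prepared statement, which keeps the SQL text separate from the values so that a quote in the input cannot alter the query. One caveat a reader should know: serialize() only encodes a value, it does not escape quotes (serialize("it's") gives s:4:"it's";), so the concatenated query above still breaks on an apostrophe. The DSN and credentials are placeholders; the table and the ID/Text columns follow the post, and the function names are my own.

```php
<?php
// Added example, not from the original post. Requires the PDO MySQL driver.
function connect() {
    // Placeholder connection details; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Look up rows by numeric ID and exact text. The SQL grammar is fixed at
// prepare() time; the values travel separately, so "it's" or "' OR 1=1" in
// $text is just a string to match, never part of the query.
function find_rows(PDO $pdo, $id, $text) {
    // Validate the ID's shape ourselves: is_numeric() also accepts "1e3",
    // "-1" and leading whitespace, which is not what an integer ID means.
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('ID must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT ID, Text FROM `table` WHERE ID = :id AND Text = :text');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output for the context the value lands in (HTML here). This is a
// separate concern from keeping the value out of the SQL grammar.
function render_rows(array $rows) {
    $out = '';
    foreach ($rows as $row) {
        $out .= '<strong>ID:</strong> ' . (int) $row['ID'] . "\n";
        $out .= '<strong>Text:</strong> ' . htmlspecialchars($row['Text'], ENT_QUOTES, 'UTF-8') . "\n";
    }
    return $out;
}

if (isset($_POST['ID'], $_POST['Text'])) {
    $pdo = connect();
    echo render_rows(find_rows($pdo, $_POST['ID'], $_POST['Text']));
}
```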

2008 Sep 21

On any website it is always important to ensure all your links, be they internal or external, are active and functioning, something which is often overlooked.

A great tool I discovered is Dead-Links.com. This great little tool is simple and easy to use and will show most dead links within a few minutes; it crawled every page of XDnet, including the expansive knowledgebase and every page of this blog.

So check it out, and check your site out: Dead-Links.com