Website security
- 18 Responses
- bmacneill
Building a website for a client—which I'm hosting at (mt)— and the client's IT guy is insisting that our hosting uses AES or TLS security. Since this is all above my head... what does AES or TLS do?
I looked on the Googler but most of that was above my head as well. Can anybody tell me what this is in plain-english? Or should I just tell him to shut his mouth—that he's a paranoid IT guy—and it's secure enough as it is with (mt)?
- zenmasterfoo
AES = Advanced Encryption Standard
TLS = Transport Layer Security
Sounds like you have a government client. Has to do with strong data encryption. Ask your client for specifics about the security they need on the servers, then ask MT if they can provide the database environment for your client's needs.
- bmacneill
Funny thing is that it's a recycling company in Canada. Should I be asking what it is that they're trying to protect so badly? We're just developing a normal run-of-the-mill website for them.
- utopian
Good Luck with MT!
- FredMcWoozy
you're going to need something like....
ThePlanet.com not MT
- ideaist
I wonder where the planet got that website template? : )
- ETM
You hosted it on a Shared or Dedicated account?
- ETM
Did you even ask their specific reasons?
- Continuity
If it's a recycling company, it might have to do with the nature of what they recycle (or who their own clients are), that they need tight data security.
- bmacneill
Not yet, I have a meeting with them this week, and am supposed to read up on AES and TLS so that we can have a half-decent intelligent conversation about it, and why they want to have it. I just wanted to know if this is something that you've encountered clients asking for... and if I should just come in from the position that "no, you don't need it, you have a tiny little website and this is for banks and government, etc"?
- vaxorcist
Maybe it has to integrate with some system that has private customer data in it....
- comicsans
It's like any other IT design problem, what are they trying to accomplish (in terms of security) and why? Issues might be making it hacker resistant, protecting customer details against leakage, secure transmission of confidential data.
These are expert matters for grown ups. As a universal rule of thumb, 'secure' systems built by people without security experience will not be secure, in fact will be less secure than doing nothing because there is the false illusion of a poorly built safeguards. You at least know you know nothing, your customer may have just seen some acronyms in a trade paper and imagines that a checklist of these acronyms will bestow security upon him, it won't.
Do your reading, then ask the customer to explain AES and TLS to you, what they are, what they will do for him and why it matters. My instinct is he hasn't got a f**king clue. If he did have he'd be specifying policies like user access privileges not mechanisms like AES.
- vaxorcist
You'll need some serious system admin work to set up that stuff... and it's not the kind of stuff you find on "normal" webhosts like MT.... ask if the budget allows for an outside security consultant to set up the server according to documented standards spelled out in advance. You probably need a dedicated server...
I haven't dealt with this sort of thing for a while... but when we did, we used Rackspace for CYA heavy clients, ThePlanet for not-so-cya clients....
It really sounds like a CYA from the IT dude, and/or some upstream meeting-o-rama people.... like somebody has to check a box in a form and this "security shit" is next to the box....
- bmacneill
I'm baffled as to why they would need this for a simple website. I'll keep you guys posted as to what happens.. my meeting is on Friday.
- vaxorcist
WHY?!?
1. somebody read about it somewhere, kind of like how everyone wanted a "java website" in 1998
2. cya for a contractual obligation
3. IT dept wants to make you jump through so many hoops that you mess up and project comes back in-house
4. actual need not clearly spelled out yet....
- bmacneill
@vaxorcist - I'm thinking all of the above.
- vaxorcist
It is possible that "this little website" has to have some hookup with an authentication layer with some other system of arbitrary complexity that only a few people know, those people are usually busy and rather gruff when interrupted.....
not to scare you, but be aware that this may add lots of time to your project if this is the case...
- SteveJobs
AES uses a symmetric key. I use this for basic encryption of server requests containing sensitive data. However, the same key exists on both the client and server, so if it's compromised on either end, you'll need to be able to change it.
If it can meet your needs, RSA provides better encryption since it uses a public and private key. You give the public key to the client. This key cannot generate the encrypted message from the server, so you don't need to worry about anyone getting their hands on it. This is the popular encryption technique used for SSL certificates.
Anyway, what you really need to find out from your client is WHAT they are wanting to encrypt and make sure they understand how the process works. Generally, when someone talks about website security, they are talking about SQL injection and cross-site scripting, not AES.
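The post above describes the two building blocks by name: AES, where one shared key must sit on both ends, and RSA, where the public key can be handed out and only the private key opens the result. The Go program below is an added example (not code from this thread or from any poster) showing both halves and how they are combined in practice: a fresh AES-256-GCM key encrypts the message, and that key is wrapped with the recipient's RSA public key (OAEP) so that only the private-key holder can unwrap it. The message text and the key sizes are constructed for the demo; the GCM authentication tag is what makes a tampered ciphertext fail to decrypt rather than silently yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptAESGCM encrypts plaintext under a shared symmetric key (AES-256-GCM)
// and returns nonce||ciphertext||tag. Both parties must hold the same key,
// which is exactly the key-distribution problem the post describes.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce with one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAESGCM reverses EncryptAESGCM; any modification of the ciphertext
// makes the authentication tag check fail and returns an error.
func DecryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// Envelope is a hybrid message: a one-time AES key wrapped with the
// recipient's RSA public key, plus the AES-GCM encrypted body.
type Envelope struct {
	WrappedKey []byte
	Body       []byte
}

// SealForRecipient needs only the public key, so it can be given to anyone;
// the result can be opened only with the matching private key.
func SealForRecipient(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32) // AES-256 key, fresh for every message
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	body, err := EncryptAESGCM(key, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Body: body}, nil
}

// OpenEnvelope unwraps the AES key with the private key, then decrypts the body.
func OpenEnvelope(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return DecryptAESGCM(key, env.Body)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("constructed sample: customer record 42") // constructed input
	env, _ := SealForRecipient(&priv.PublicKey, msg)
	out, err := OpenEnvelope(priv, env)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(out, msg))
	env.Body[len(env.Body)-1] ^= 1 // flip one bit of the ciphertext
	_, err = OpenEnvelope(priv, env)
	fmt.Println("tampered body rejected:", err != nil)
}
```

This is also the shape of what TLS does for a website: asymmetric keys (the server's certificate) are used only to establish a fresh symmetric key, and the actual page data travels under AES. The practical takeaways for the client conversation are that AES and TLS are mechanisms, that TLS on the web server is what protects data in transit, and that neither says anything about the SQL injection and cross-site scripting risks the post ends on.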