DNN Open Source > Provider and Extension Forums > ClientAPI

Can we use the JS MD5/SHA1 encryption algorithm to encrypt clear text password?

New Post
6/7/2008 4:24 AM
Hi Brandon,

With regard to my site, some of the issues may be easily circumvented as I will be having only the 2 necessary accounts and none other. With regard to hosting, however, my hands are tied, as this is a Government site and the only way we can host it is on NIC servers (www.nic.in), and all sites hosted there have to go through an internal security audit and get through that hurdle before they can be hosted. The methodology being adopted for the audit is as per the OWASP top ten (www.owasp.org). Hopefully, this information will have given you a clearer picture of my situation.

Anyway, thank you for ALL of your responses. They've cleared up lots of doubts and I can assure you, once I implement your suggestions and my site gets through the internal security audit the next time around, the beer I owe you will not be forgotten. But of course, I will need your postal address!

 
New Post
6/7/2008 10:09 AM
 

I guess all along I assumed that this was a personal installation, or perhaps for a business on a shoestring budget.  The Indian government really needs to spring for a $200 / year SSL certificate here!  Sheesh :)

If you do wind up using ASP.NET authentication (and not LiveId), I'd consider hashing your passwords instead of encrypting them.  For a government installation, being a higher profile target, it is an easy way to add a little more security in the event of any penetration.

Now I understand why you were obsessed with some of the less important security details.

Glad I could help.  Good luck to you!

Brandon


Brandon Haynes
BrandonHaynes.org
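Brandon's point above, hashing stored passwords rather than encrypting them, as an added example that is not from the original post or from the DNN project: each password is stored as a salted, iterated PBKDF2-HMAC-SHA256 digest and checked with a constant-time comparison, and the reversible alternative is shown alongside so that the difference is concrete: whoever obtains the server's key can read every encrypted password back, whereas a hash can only be verified against a guess. The function names, the record format, the iteration count and the toy reversible "cipher" are this example's own assumptions, not DNN's or ASP.NET's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumed values for this example, not DNN settings.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way storage: returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Any malformed record (wrong field count, non-hex salt, non-numeric
    iteration count) is treated as a failed login rather than an exception.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- The alternative Brandon advises against: reversible storage -------------
# Stand-in "cipher" (XOR with a SHA-256-derived keystream), assumed here only
# to show that reversible storage is reversible by anyone holding the key.

def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> bytes:
    data = password.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(ciphertext: bytes, key: bytes) -> str:
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec = hash_password(pw)
    print("hashed record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password(pw + "!", rec))
    # With reversible storage, the stored key is all an attacker needs.
    key = os.urandom(32)
    print("decrypted with the server key:", decrypt_password(encrypt_password(pw, key), key))
```

In ASP.NET Membership, which DNN's default authentication sits on, the equivalent choice is the membership provider's `passwordFormat` attribute in web.config (`Hashed` rather than `Encrypted` or `Clear`); the record layout above is this example's own and not the provider's storage format.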
 
New Post
6/10/2008 7:11 AM
 

Brandon, I've had to reopen this thread, sorry. I installed SelfSSL in a WinXP dev box. Then I set the directory security properties of my DNN site's virtual directory to require SSL. Then in Advanced Settings > SSL Settings I checked the SSL Enabled checkbox only. I could login, but that dialog about Secure and Insecure Items popped up. OK, I understand that that's because there are some items in my page with http:// instead of https://. Then I found that when I logout, I am sent to an error page that says something to the effect that I need to go through https. Then, I logged in again and enabled SSL Enforced. Since I did that, browsing to http://localhost/dotnetnuke gives me:

The page must be viewed over a secure channel. The page you are trying to view requires the use of "https" in the address.

When I change the URL to https://localhost/dotnetnuke I get:

There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

When I click on the Continue to this website (not recommended) link, I get: This site is currently unavailable. Please check back later.

Please help, I cannot access the site anymore!

New Post
6/10/2008 9:33 AM
Hi Iadalang,

I only have a moment to respond to your post, so you'll have to forgive me for being brief.

1) You won't need to set the "require SSL" flag in IIS.  DNN will handle this, and enabling it in IIS will cause problems.

2) You can remove the SSL enforcement within DNN through the database if you are unable to access the site.  Look for the SSLEnforced SettingName in the ModuleSettings table (there will be one entry per portal).

3) I believe you must use SelfSSL to generate a cert for your computer name and not localhost.  If you've already done this, then you will need to update your portal aliases on your dev machine to reflect this.  Going to localhost and trying to use a cert issued to your computer name will cause a mismatch.  You can always click through when this happens, however.  Ultimately you'll be accessing the site through http://mycomputername and not http://localhost.

4) Remember that when using SelfSSL you will still have root-trust issues, and will have to add the cert to every computer that requires security.  Your best bet is still to get the Indian government to spend $200 / year on a real cert.

Hope this helps.

Brandon


Brandon Haynes
BrandonHaynes.org
New Post
6/11/2008 9:48 AM
Brandon,

I did use SelfSSL to generate a cert for my computer name, not localhost. I updated my portal aliases to reflect this, like mycomputername/dotnetnuke, although localhost/dotnetnuke is also one of them. I also unset the Require SSL flag for my virtual directory in IIS. Everything works perfectly now, except that using a URL like http://mycomputername/dotnetnuke from another machine doesn't work: I get a Can't find server error page/message. It only works from another machine if I type IPAddress/dotnetnuke but at the same time, I am
