{ Category Archives } security

IIS, SSL and Host-Headers

Update (3-Aug-2010): Multiple SSL domains on a single IP are now possible using Unified Communications (UC) SSL Certificates (Subject Alternative Name) – see my follow-up article: Subject Alternative Names for SSL. Here’s a knowledge base article I use to explain why an SSL site needs its own IP address: HTTP 1.1 host headers are […]

ASP.NET Defending Against Form Hackers

Something I’ve pondered previously: if an ASP.NET page is populated with data retrieved from ViewState, is it possible to falsify the ViewState in the POST and trick the server into doing something that it shouldn’t? In other words, a scenario where the original developer is just “trusting” information coming from ViewState. Here’s an example – a […]

How Does OpenID Work?

I’ve heard about OpenID on a podcast I listen to. Sounds interesting – an open source solution to have a ‘single sign on’ for many websites. Interested to see how this works – both as a user, and as a website author. Here’s a run through of an example authentication: User accesses an OpenID enabled […]

Creating Your Own Dev SSL Cert for IIS

Ever wanted to create an SSL certificate for your dev box? There’s no need for a well-known CA like Verisign or Comodo on your dev box. Here are some guides to creating your own CA/signed certificates: Setting up SSL with a SelfSSL certificate on Windows Server 2003 – create a self-signed certificate with […]