> [...]
> 2. Certificates on browser and server.
> a. Webserver can be outside firewall.
> [...]
> 3. HTTPS.
> a. Webserver can be outside firewall.

With these approaches, you make it hard for bad b0yzZ to get at your
stuff through the web ... but why bother with http if they can
possibly hack your server through other ways?

Best thing would be to put the server behind a firewall, but not on
your internal secure net. Depending on your needs, this thing may
be a simple filtering router (allow from any to server port 80, deny
everything else), an additional interface on your normal firewall or
a completely separate box.

Also, typical encryption through any exportable software will be weak
(this will probably be true for both http and ip encryption). Even
though SSL uses 128 bit keys, accessing your data from outside the US
will transmit 88 bits of the secret(?!) key in clear.

If your stuff should *really* stay secret, put it in an envelope and
snailmail it (and hope that no one in the post office is curious :-)

YMMV

\Bernhard.