An emerging standard called Strict Transport Security is starting to gain some traction among web browsers. Google Chrome supports it and Firefox is working on it (currently supported in the noscript FF extension).

Just as SSL Certificates were starting to become really inexpensive, they figured out a way to start charging more money again.

A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.

It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.

Requirement 4.

I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page:

I'm speechless!

Chris Shiflett, the author of Essential PHP Security posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to a HTTPS page). A good idea, I hope to see that implemented.

I didn't know that you couldn't buy SSL certs for international domain names (naive americans). I have only ever bought them for .com names.

GoDaddy is giving away free SSL Certificates for open source projects. Sign up here.

Go Daddy is committed to the open source community. We want your site and data to be secure and we're willing to foot the cost to make them just that.

Just make sure that you Disable SSLv2!

I found some instructions for converting SSL certificates generated for IIS to private key, and cert files you can use on unix, or Apache for windows.

First Export your IIS certificate into a pfx file (this is something you should do anyways for backup)

Run mmc.