
Saturday, February 4, 2012

SSL In Brief

Posted by leepeng on August 25, 2010

Why SSL?
SSL stands for Secure Sockets Layer (its successor is TLS, but the name SSL stuck and is still what certificate vendors use).
SSL pages/sites start with HTTPS (e.g. https://www.ctc.com.sg/paygate/payment.php).
You will see a lock icon in the browser if the page is served over SSL.

It provides 2 main functions: Encryption and Authentication.

Encryption
When we fill in a form in the browser and submit it, in the default (plain HTTP) setting the information in the form is transmitted to the server as plain text, readable by anyone on the path (a shared Wi-Fi network, the ISP, a compromised router).
This becomes insecure if the form asks for sensitive information like NRIC, credit card info etc.
SSL encrypts the transmission so that only the server holding the private key for its certificate can read it. Encryption alone is not enough, though: without authentication you could be carefully encrypting your card number for an impostor's server, which is why the two functions come together.

Authentication
When a visitor comes to a website, especially one that requires payment, he will always want to be sure that the website's identity is what it claims to be.
Consider the website www.sony-asia.com. How do we know this website really belongs to Sony? I could always register a domain called www.sony-southafrica.com and impersonate Sony.

SSL uses a digital certificate, issued by a Certificate Authority (CA) that the browser already trusts, to certify that the website is who it claims to be. The certificate binds a domain name (and, for the business-identity type described below, a company name) to the server's public key, and the browser checks that the name in the certificate matches the host in the URL. A certificate for www.sony-southafrica.com therefore does not let that server pose as www.sony-asia.com; what it cannot do is stop someone from registering a confusingly similar domain and obtaining a certificate for it, and that is the gap the business-identity certificates are meant to close.

SSL Selection
There are many SSL providers, and prices can differ a lot depending on function and brand.

In general, there are 2 groups

SSL Cert with Domain Name Authentication Only
Here the CA only verifies that the applicant controls the domain (typically by email to an address at that domain or by a DNS or HTTP challenge) and certifies nothing about who is behind it. The certificate says, in effect, that domain A is really domain A.
We would recommend this if the website is just a pure online store and the business is not a big brand.
Another reason is when the website only needs SSL for the encryption feature and authentication is not a big concern.

** Notice the Common Name (CN) and Organization (O) are the domain name.

Here are some package options
https://www.godaddy.com/gdshop/ssl/ssl.asp   (Standard SSL)

https://www.thawte.com/ssl-digital-certificates/ssl123/index.html

http://www.geotrust.com/ssl/quick-ssl-certificates/

SSL Cert with Business Identity Authentication
This certifies that the website belongs to a certain registered business, so the CA checks the business itself and not just the domain.
Approval might require further email authentication, or even submitting documents by fax or taking a telephone call at the company.

** Notice the Organization (O) is stated as TakeMeToAsia Pte Ltd

Here are some package options
https://www.godaddy.com/gdshop/ssl/ssl.asp  (Deluxe SSL)

https://www.thawte.com/ssl-digital-certificates/ssl/index.html

http://www.geotrust.com/ssl/ssl-certificates/

http://www.verisign.com.sg/ssl/buy-ssl-certificates/secure-site-ssl-certificates/
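As an added example (not code from the original post or from any certificate vendor), the two checks that give HTTPS its authentication value, run on hand-written certificate data: a hostname match in the style of RFC 6125, and a reading of the subject that separates the two groups above by whether the Organization (O) field names a business or just repeats the domain. The certificate dictionaries are constructed to mirror the two screenshots the post describes and the www.sony-asia.com example; the wildcard rule is simplified (browsers additionally consult the Public Suffix List), and the DV/OV reading of the subject is a heuristic, since real CAs mark the validation type in policy extensions that this example does not parse.

```python
"""Added example, not the original post's code: what a browser checks on an
HTTPS certificate, on constructed certificate data that mirrors the post's
two screenshots (domain-validated: CN and O both the domain;
business-validated: O is the registered company name)."""

# Constructed certificates: subject fields plus the Subject Alternative
# Name (SAN) list that browsers actually match the URL host against.
DV_CERT = {"subject": {"CN": "www.ctc.com.sg", "O": "www.ctc.com.sg"},
           "san": ["www.ctc.com.sg", "ctc.com.sg"]}
OV_CERT = {"subject": {"CN": "www.takemetoasia.com", "O": "TakeMeToAsia Pte Ltd"},
           "san": ["www.takemetoasia.com"]}
WILDCARD_CERT = {"subject": {"CN": "*.ctc.com.sg"}, "san": ["*.ctc.com.sg"]}


def validation_level(cert):
    """Heuristic reading of what the CA verified, from the subject alone.
    A domain-only CA has nothing to put in O except the domain (or omits
    it); a CA that checked the business puts the registered name there.
    Real CAs also encode this in certificate policy OIDs (not parsed here)."""
    subj = cert["subject"]
    org = subj.get("O", "")
    if not org or org.lower() == subj.get("CN", "").lower():
        return "domain-validated"
    return "organisation-validated"


def cert_names(cert):
    """Names the certificate is valid for: the SAN list, falling back to CN
    only when no SAN extension is present (browsers ignore CN otherwise)."""
    return cert["san"] or [cert["subject"].get("CN", "")]


def matches_hostname(cert, hostname):
    """RFC 6125-style host check. A wildcard may only replace the entire
    leftmost label and never spans a dot, so *.ctc.com.sg covers
    shop.ctc.com.sg but not ctc.com.sg or a.b.ctc.com.sg. Browsers also
    refuse wildcards on public suffixes via the Public Suffix List; this
    example only insists on two labels after the star (an assumption)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if "*" not in name:
            if name == host:
                return True
            continue
        star, _, base = name.partition(".")
        if star != "*" or "*" in base or base.count(".") < 1:
            continue  # only the "*.something.tld" form is accepted
        first, _, rest = host.partition(".")
        if first and rest == base:
            return True
    return False


def trust_summary(cert, hostname):
    """What a visitor can conclude from the certificate for this host."""
    if not matches_hostname(cert, hostname):
        return f"{hostname}: name mismatch, browser will warn"
    return f"{hostname}: {validation_level(cert)}"


if __name__ == "__main__":
    for cert, host in [(DV_CERT, "www.ctc.com.sg"),
                       (OV_CERT, "www.takemetoasia.com"),
                       (DV_CERT, "www.sony-southafrica.com"),
                       (WILDCARD_CERT, "shop.ctc.com.sg"),
                       (WILDCARD_CERT, "ctc.com.sg")]:
        print(trust_summary(cert, host))
```

The point of the name check is the one made in the Authentication section: a certificate only ever vouches for the names it carries, so the look-alike domain gets its own certificate and nothing more. The subject heuristic is what the two "** Notice" remarks above are pointing at: when O just repeats the domain, nobody has checked a business.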

How to Talk to Your Hosting Provider When Your Email Cannot Be Delivered

Posted by leepeng on July 3, 2009

Have you ever encountered the situation where, after having your hosting for a while, you start to notice that email sent from your server doesn't reach your recipients, especially when the email is sent directly from the web server using sendmail (e.g. PHP's mail function)?

I myself am not a hosting expert. However, after a few shocks, I somehow figured out some simple misconfigurations that easily happen to hosting engineers while setting up a new server.

There are two main causes: the first is a missing fully qualified domain name (FQDN) on the mail server, and the second is a missing SPF record for the sending domain.

Both can be observed easily by looking at the email header content in GMail. Try creating a simple testmail.php which sends an email to your GMail account using PHP's mail function.

<?php
// The 4th argument only sets the visible From: header. The envelope sender
// (what shows up as Return-Path and what SPF is checked against) is whatever
// sendmail uses by default, normally <web server user>@<server hostname>.
mail("leepeng@gmail.com", "Test Mail", "Test 123", "From: something@xx.com");
?>

Then open the source / original message of the email.

Here is an example of a "healthy" email
Delivered-To: leepeng79.chen@gmail.com
Received: by 10.142.43.3 with SMTP id q3cs50083wfq;
Tue, 30 Jun 2009 02:03:53 -0700 (PDT)
Received: by 10.114.255.12 with SMTP id c12mr12997276wai.11.1246352633584;
Tue, 30 Jun 2009 02:03:53 -0700 (PDT)
Return-Path: <bounce@organisedmum.com.sg>
Received: from organisedmum.com.sg (organisedmum.com.sg [116.12.50.227])
by mx.google.com with ESMTP id 1si12092283pxi.65.2009.06.30.02.03.52;
Tue, 30 Jun 2009 02:03:52 -0700 (PDT)

Received-SPF: pass (google.com: best guess record for domain of bounce@organisedmum.com.sg designates 116.12.50.227 as permitted sender) client-ip=116.12.50.227;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of bounce@organisedmum.com.sg designates 116.12.50.227 as permitted sender) smtp.mail=bounce@organisedmum.com.sg

Received: (qmail 20407 invoked by uid 48); 30 Jun 2009 17:03:51 +0800
Date: 30 Jun 2009 17:03:51 +0800
Message-ID: <20090630090351.20397.qmail@organisedmum.com.sg>
To: leepeng79.chen@gmail.com

Here is an example of an "unhealthy" email
Delivered-To: leepeng79.chen@gmail.com
Received: by 10.142.43.3 with SMTP id q3cs126200wfq;
Thu, 2 Jul 2009 00:18:36 -0700 (PDT)
Received: by 10.224.28.130 with SMTP id m2mr10174634qac.52.1246519115111;
Thu, 02 Jul 2009 00:18:35 -0700 (PDT)
Return-Path: <nobody@vm4.kfc>
Received: from vm4.kfc (202-150-217-11.rev.ne.com.sg [202.150.217.11])
by mx.google.com with ESMTP id 15si3872346yxe.130.2009.07.02.00.18.34;
Thu, 02 Jul 2009 00:18:34 -0700 (PDT)
Received-SPF: neutral (google.com: 202.150.217.11 is neither permitted nor denied by best guess record for domain of nobody@vm4.kfc) client-ip=202.150.217.11;
Authentication-Results: mx.google.com; spf=neutral (google.com: 202.150.217.11 is neither permitted nor denied by best guess record for domain of nobody@vm4.kfc) smtp.mail=nobody@vm4.kfc

Received: from nobody by vm4.kfc with local (Exim 4.69)
(envelope-from <nobody@vm4.kfc>)
id 1MMGZG-0005GT-VS
for leepeng79.chen@gmail.com; Thu, 02 Jul 2009 15:18:51 +0800
To: leepeng79.chen@gmail.com

If you observe, you will notice that the "healthy" example has a fully qualified domain name (organisedmum.com.sg) that agrees with the reverse DNS of its IP address, and the same domain appears in the Return-Path. The "unhealthy" example does not: the misconfigured server announces itself either as localhost or as its private-network name (vm4.kfc in this example), which resolves to nothing on the public Internet, and because PHP's mail function takes its envelope sender from the system, the Return-Path becomes nobody@vm4.kfc as well.

Second, the "healthy" example passes GMail's SPF check, but the "unhealthy" one is marked neutral. SPF (Sender Policy Framework) is a DNS TXT record published by the domain owner that lists which IP addresses may send mail for that domain, so receivers can reject spammers forging it. When GMail says neutral, it means no record explicitly permits or denies the server, so GMail doesn't know whether it is legitimate or not. Note that both headers say "best guess record": GMail found no SPF record for either domain and synthesised one from the domain's ordinary DNS entries, so the healthy mail passed only because organisedmum.com.sg resolves to 116.12.50.227. It is still worth publishing a real record (for example v=spf1 ip4:116.12.50.227 -all, an illustrative value) so the result does not depend on GMail's guessing; you can see what a domain currently publishes with dig TXT <your domain>.
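As an added example (not code from the original post), the two observations above turned into a small linter over the header excerpts, plus a minimal SPF evaluator that shows how a published record produces pass or fail for a given IP and why an absent one leaves the receiver at neutral. The header samples are condensed copies of the two excerpts; the SPF records passed to the evaluator are constructed for illustration, and the FQDN check approximates "the announced name resolves to this IP" by comparing it with the reverse DNS name GMail recorded, since the example runs offline.

```python
"""Added example, not part of the original post: a linter for the two header
excerpts above and a minimal SPF evaluator (ip4/ip6/all only)."""
import ipaddress
import re
from email import message_from_string

# Condensed from the "healthy" excerpt (only the headers the checks use).
HEALTHY = """\
Return-Path: <bounce@organisedmum.com.sg>
Received: from organisedmum.com.sg (organisedmum.com.sg [116.12.50.227]) by mx.google.com with ESMTP id 1si12092283pxi.65
Received-SPF: pass (google.com: best guess record for domain of bounce@organisedmum.com.sg designates 116.12.50.227 as permitted sender) client-ip=116.12.50.227;
To: leepeng79.chen@gmail.com
"""

# Condensed from the "unhealthy" excerpt.
UNHEALTHY = """\
Return-Path: <nobody@vm4.kfc>
Received: from vm4.kfc (202-150-217-11.rev.ne.com.sg [202.150.217.11]) by mx.google.com with ESMTP id 15si3872346yxe.130
Received-SPF: neutral (google.com: 202.150.217.11 is neither permitted nor denied by best guess record for domain of nobody@vm4.kfc) client-ip=202.150.217.11;
To: leepeng79.chen@gmail.com
"""

# "from <HELO name> (<reverse DNS name> [<ip>]) by mx.google.com"
RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)\s+by mx\.google\.com")


def diagnose(raw_message):
    """Return a list of findings (empty means healthy) for one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    m = re.search(r"<[^@>]+@([^>]+)>", msg.get("Return-Path", ""))
    sender_domain = m.group(1).lower() if m else ""

    r = RECEIVED_RE.search(msg.get("Received", ""))
    helo, rdns, ip = [s.lower() for s in r.groups()] if r else ["", "", ""]

    # Check 1: the name the server announces must be a public FQDN. Offline,
    # "resolves to this IP" is approximated by comparing it with the reverse
    # DNS name that GMail recorded for the connecting address.
    if helo in ("", "localhost") or "." not in helo:
        findings.append(f"HELO name {helo!r} is not a fully qualified domain name")
    elif helo != rdns:
        findings.append(f"HELO name {helo!r} is not confirmed by reverse DNS "
                        f"({rdns}); the server does not know its public name")

    # Check 2: anything other than an SPF pass means the receiver cannot tell
    # whether this IP is allowed to send for the envelope sender's domain.
    spf = msg.get("Received-SPF", "none").split(" ", 1)[0].lower()
    if spf != "pass":
        findings.append(f"SPF result is {spf!r}: no record authorises {ip} "
                        f"to send mail for {sender_domain}")
    return findings


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record (RFC 7208).
    Mechanisms that need DNS (a, mx, include, ptr) are out of scope and are
    reported as 'none' so the caller knows the answer is incomplete."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return qualifiers[q]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[q]
            continue
        return "none"  # a/mx/include/ptr would need DNS lookups
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


if __name__ == "__main__":
    for label, raw in (("healthy", HEALTHY), ("unhealthy", UNHEALTHY)):
        print(label, diagnose(raw) or ["ok"])
    # Constructed records: what the sending domain should publish, and the
    # effective policy when a receiver has to guess.
    print(spf_check("v=spf1 ip4:116.12.50.227 -all", "116.12.50.227"))  # pass
    print(spf_check("v=spf1 ip4:116.12.50.227 -all", "202.150.217.11"))  # fail
    print(spf_check("v=spf1 ?all", "202.150.217.11"))                   # neutral
```

Running diagnose on the unhealthy excerpt yields two findings, one per cause named above; on the healthy one it yields none. The evaluator deliberately stops at mechanisms that need DNS, so a record like v=spf1 mx -all comes back as none rather than a guessed verdict.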

My experience is that GMail has been very generous in its antispam, as it will accept most emails. However, if you notice these 2 misconfigurations, it is likely the mail will not be delivered to Hotmail, Yahoo, AOL or some corporate email addresses.

So now you have something to argue with the hosting engineer :)

The last thing to check is to make sure your server's IP address (202.150.217.11 in the unhealthy example above) is not blacklisted. One common place to check is www.spamhaus.org; a listing there explains rejections even when the two misconfigurations above have been fixed.