Skip to main content
https login Started by Jorin · · Read 4680 times 0 Members and 3 Guests are viewing this topic. previous topic - next topic

https login

Is it possible to use https instead of http? But be careful: I am a newbie with this!  ;)

A user asked me about this. He wants his password crypted when sending it over the net.

Re: https login

Reply #1

Honestly I never tried https, so I'm a newbie as well.
In theory it should work.
There may be some oddities here and there (for example embedding images from a non-https website would not show any image in most of the browsers, if not all, this addon was meant to help with that aspect), but I don't think there is anything badly broken in https.

Actually, have the possibility to know for sure what's broken would be quite helpful. O:-)
Bugs creator.
Features destroyer.
Template killer.

Re: https login

Reply #2

Should work, its been something I've been meaning to try. 

Anyway most of the work is on the server end where you will need to install an X.509 certificate.  Buying a certificate can be expensive but you can also get some free ones (with lower crypt levels) or do your own, “self-signed” certificate for free.  A self signed one will give the user an initial security prompt warning since its self signed.

Re: https login

Reply #3

Quote from: emanuele – ...embedding images from a non-https website would not show any image in most of the browsers, if not all, this addon was meant to help with that aspect...

Quote from: Spuds – Anyway most of the work is on the server end where you will need to install an X.509 certificate.  Buying a certificate can be expensive...

Okay, let's forget this. I don't want to install a plugin just for one user.  :-X

Re: https login

Reply #4

Ohhh... okay, I misunderstood the question then!
I thought your user wanted to setup the https on his site.

Well, the answer is mostly the same. What I can add is that it may be possible to "protect" just the login page (provided the quick-login is disabled), but then again, do it without addons may not be possible (even though, it may be using an htaccess redirect of sort I think)... more doubts than answers I guess. LOL
Bugs creator.
Features destroyer.
Template killer.

Re: https login

Reply #5

That seems like the best option, disable quick login and use htaccess fot tge login page.

Alternatively someone who knows https could do a plugin just to secure the login system (i dont imagine it woukd be overly hard, as long as ssl is configured correctly).

If someond does, i can test (i have ssl enabled on my server).
Quote from: Random GuyNot putting miles on your Ferrari is like not having sex with your Girlfriend, so she'll be more desirable to her next Boyfriend

Re: https login

Reply #6

Quote from: emanuele – Honestly I never tried https, so I'm a newbie as well.

Heh, yes.

Technically, SSL has been cracked since 1997. That said: you will have to install a certificate (not a plug-in) in order to use SSL. The most interesting part is to adjust the theme though. All http: links will destroy your site security.
 

Re: https login

Reply #7

This is an interesting read: http://stackoverflow.com/questions/4515283/using-ssl-across-entire-site

Quote from: forumsearch0r2 – Technically, SSL has been cracked since 1997.

I'd like to see the case study on this if you have it handy. That being said, it would stop a lot of the more obvious attempts at data theft (remembering even minimal security is better than no security)

Quote from: forumsearch0r2 – That said: you will have to install a certificate (not a plug-in) in order to use SSL.

Yes this is correct, the plugin just facilitates the establishment of https throughout the site without the need for htaccess redirects. Having a working SSL configuration takes time and effort, but it needs to be done first.

Quote from: forumsearch0r2 – All http: links will destroy your site security.

Not true at all, a link is just that... A link... It seems mostly a non-issue, I run my wedge powered forum entirely over SSL and haven't come across any major problems, although that being said from memory if you are showing content inline you may run in to problems if the content is http only, but that being said most major sutes are moving to https, or alternatively have SSL enabled (think Youtube and IMGUR as the major players for inline content) so just link the HTTPS version (again, which is what I do).

It's essentially personal preference, and TBH someone who is looking to investigate would run up a test site to see how it works, and then make an assessment from there.
Quote from: Random GuyNot putting miles on your Ferrari is like not having sex with your Girlfriend, so she'll be more desirable to her next Boyfriend

Re: https login

Reply #8

Quote from: Bunstonious – I'd like to see the case study on this if you have it handy.

I could provide some. You could as well search the web for "SSL strip". There are even smartphone apps to do that.

Quote from: Bunstonious – Yes this is correct, the plugin just facilitates the establishment of https throughout the site without the need for htaccess redirects.

Pointless and even less secure IMO.

Quote from: Bunstonious – Having a working SSL configuration takes time and effort, but it needs to be done first.

It actually takes about 5 minutes, including actually generating and validating the certificate.

Quote from: Bunstonious – Not true at all, a link is just that...

Not hyperlinks - link tags (links, not anchors).

Re: https login

Reply #9

If "plug-in" you mean what I linked, that is just something to help Elk deal with embedding of images from non-https websites, nothing to do with the installation of the certificate. :P
Bugs creator.
Features destroyer.
Template killer.