
Https configurations and benefits?

Rudy

Established Member
Hey guys,
I feel sort of dumb asking this, as I've been developing sites for about 5 or 6 years now, AND I know what https actually does. But, oh well. Here goes. I guess it's easy only if you know how to do it.

Correct me if I'm wrong, but the difference between http:// and https:// is that https:// is a secure tunnel. To have a valid https:// path though, you need an SSL certificate, right?

What I'm wondering is this: I've got a password protected directory. The protection comes off of cPanel's default "password protect" tool, not from a username/password combo inside a database. I'm the only one who uses that directory.

I'm wondering if it would make sense for me to turn that into an https:// to make my login and my work more secure.

I'm also wondering just what exactly the connection is between SSL certificates, https://, and having to pay big bucks for a SSL cert every year. There's a lot in this "secure" area that I don't know, and that I'm not too familiar with.
 
cPanel's password protect tool is basically using the .htaccess version of password protection (which is completely insecure: your password and username are stored somewhere on the server, sent over an unencrypted network, etc.).

Now for https: it's true that it would be more secure because it's using an encrypted connection. The reason that people pay big bucks for an SSL cert from companies is that the companies generate it and verify it (they act like a guy saying "yeah, this guy's legit"). However, you also have the ability to self-sign your certificate (meaning generate it yourself, for free, and use that for https). Most hosts have this option, but you might want to check if your specific one does. Using a self-signed certificate means you don't have to pay to get it, and your connection is encrypted, but all browsers will throw the "OMG UNSIGNED SECURE NETWORK DO YOU WISH TO CONTINUE???!?!?!!??!?" error, usually blocking the page until the user adds an exception or something. This is generally unwanted for normal websites because it turns potential users off and they usually don't return. Using a purchased SSL certificate from a verified company stops that.

However, since you want to use it just for your own sake (for your password-protected directory) and nobody else will be accessing this page, it seems perfectly alright to generate a self-signed certificate. The connection will be secure, you won't be paying anything, and the users won't receive any big errors (as long as you set the redirections in .htaccess correctly so it doesn't go to https unless you're accessing that specific directory).

So, ask your host how/if you can self-sign your certificate (it's usually a cPanel option). Oh, keep in mind that you need a dedicated IP in order to use an SSL certificate, so that might cost you something like $30+/year if you're using shared hosting right now (so you'll still have some expense).
 
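The "only go to https for that one directory, plain http everywhere else" rule the reply above describes, written out as an added .htaccess example. It is not from the thread or from cPanel; it assumes the password-protected directory is /private/, that this file sits at the document root, and that the self-signed certificate is already installed on the domain's SSL virtual host.

```apache
# Added example, not part of the original thread.
# Assumes: protected directory is /private/, file lives in the document root.
RewriteEngine On

# 1. Anything under /private/ requested over plain http gets sent to https.
RewriteCond %{HTTPS} !=on
RewriteRule ^private/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Anything *outside* /private/ requested over https goes back to http,
#    so ordinary visitors never hit the self-signed certificate warning.
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/private/
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

One caveat for the Basic-auth case: browsers re-send the cached Authorization header with every later request to the same realm, so if you have ever logged in to /private/ over http, a plain http://…/private/ link will carry the credentials in the clear before rule 1 redirects it. Bookmark and type the https:// form directly, and clear the browser's saved credentials after switching.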
Great info, and very helpful. Thanks a ton. As it turns out, I do know for a fact that I can generate my own certificates. I just played around with that yesterday as a matter of fact. I'll go ahead and generate one for my directory, and switch it into https:// mode. I've always been a little uneasy about that.

Ok, here's another question. I've got some HTML forms that send information over the web into some PHP scripts. Basically, the website acts as a huge, human-edited directory of places to go hunting, and do things related to hunting. Getting a source listed is free, and searching is also free and easy to use. In fact, in the search, I use the $_GET method in PHP so that I can index the search results. So no account or anything is created when a source is listed. However, it does send info like email addresses, telephone numbers, etc... over the web to be put into the database.

Is this something you would recommend getting encrypted, using https:// ?

I guess another question would be... in my cPanel SSL manager, the method would be to generate a new private key, and then add that key in the Certificates area?

Once that is done, would that be available for use throughout the entire website, or just for directories that I specify? If I can specify a directory, how would I make the changes to that directory? If I can't specify a directory, how would I prevent people from trying to use https:// where I don't want them to (and thus have the "This certificate can't be validated" message)?
 
OK, first answer. You are using the GET method to submit data via $_GET. First off, why would you choose GET over POST? Also, I hope that you're using proper security precautions if you made it yourself (like protecting against SQL injection, XSS, etc.). Now, since you're transmitting personal information (primarily address/phone, etc.), you really should secure it. https would be the way to go for that.

To make the SSL cert, you first generate the private key (just do it for your domain name to be on the safe side). Use that private key to generate the CSR (signing request, I think). Then use that CSR to generate the CRT (the actual certificate). At least, that's how it is on HostMonster.

Now, to specify where to use https, you have the choice of using either PHP or .htaccess. For PHP, just do something like:
PHP:
<?php
// Pages that must be served over https; everything else is sent back to http.
$httpsfile = array("file1.php", "file2.php");

$script  = basename($_SERVER['PHP_SELF']);
// $_SERVER['HTTPS'] is unset on plain http and "off" on some servers (IIS).
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$wantSsl = in_array($script, $httpsfile, true); // strict match, so no index-0 placeholder is needed

// reload() is not a built-in; a Location header plus exit is the standard redirect.
if ($wantSsl && !$isHttps) {
    header("Location: https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
} elseif (!$wantSsl && $isHttps) {
    header("Location: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
I use that on my own site for switching to https on certain pages. Of course, that would only work for the pages you want https on, and you'd need to add it to every page (which would be easy if your whole site is PHP with includes).

If you want to use .htaccess, then you'd have to use .htaccess redirects to redirect it to non-https. Look up RewriteEngine; I don't know it off the top of my head.

Hope that helps; rep is appreciated =D
 
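The three cPanel steps in the reply above (private key, CSR, certificate), together with the self-signed versus CA-signed distinction from the earlier reply, carried out end to end. This is an added illustration in Python using the cryptography package (assumed installed); it is not cPanel's code or anything posted in the thread. The hostname and passphrase are made up for the example; the passphrase plays the role of the "pass phrase" cPanel asks for when it generates the key.

```python
"""Key -> CSR -> self-signed certificate, the same three steps as cPanel's SSL manager.
Added example; assumes the `cryptography` package. HOSTNAME and PASSPHRASE are made up."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

HOSTNAME = "www.example.com"            # assumed hostname; use the domain the cert is for
PASSPHRASE = b"correct horse battery"   # constructed passphrase for this example only


def generate_private_key(bits=2048):
    """Step 1 (cPanel: Generate a Private Key). Stays on the server, never shared."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def key_to_encrypted_pem(key, passphrase):
    """The 'pass phrase' encrypts the key file at rest. Any string works, as long as
    the web server is given the same one when it loads the key."""
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )


def load_key_pem(pem, passphrase):
    """Decrypt and load the key; a wrong passphrase raises ValueError."""
    return serialization.load_pem_private_key(pem, password=passphrase)


def make_csr(key, hostname):
    """Step 2 (Generate a Certificate Signing Request). Carries the public key and the
    name, signed with the private key to prove we hold it."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )


def self_sign(csr, key, days=365):
    """Step 3 (Generate a Certificate). A CA would sign the CSR with *its* key;
    self-signing reuses ours, so issuer == subject and no browser trusts it by default."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(csr.subject)           # this is what makes it "self-signed"
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    for ext in csr.extensions:              # carry the SAN over from the CSR
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(key, hashes.SHA256())


def is_self_signed(cert):
    """Self-signed = issuer equals subject AND the cert's own public key verifies its signature."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    key = generate_private_key()
    csr = make_csr(key, HOSTNAME)
    cert = self_sign(csr, key)
    print("CSR signature valid:", csr.is_signature_valid)
    print("subject:", cert.subject.rfc4514_string(), "| issuer:", cert.issuer.rfc4514_string())
    print("self-signed:", is_self_signed(cert))
    print(key_to_encrypted_pem(key, PASSPHRASE).decode().splitlines()[0])
```

The check in is_self_signed is exactly what a browser does before falling back to its trust store: it finds that the issuer is the same name as the subject and that no CA it knows vouched for the key, hence the warning page for self-signed certificates.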
Another helpful post. Thank you!

I chose to use $_GET so that I could index the search results, and allow people to directly link to the search results, instead of having to search every time. I also want the search results to show up in Google and other search engines.

I am quite familiar with some of the PHP security side of things. I'm using a mysql_escape_string on everything submitted, and am doing the best I can to avoid attacks on the script. So far, so good, and the website is starting to get more and more activity.

Thanks for the PHP code. I'll look at it and see what I can do on my website. I'd rather avoid .htaccess. The website is over 2 years old, but I just implemented .htaccess files less than a week ago, primarily for SEO purposes, to redirect http://domain.com to www.domain.com, etc. From reading tutorials on it, I also have a bunch of known black bots blocked from getting to the site.

Needless to say, I still don't know much about .htaccess, am still learning, and would like to stick with what I know - PHP.

Thanks again.

To try and stay on topic, I moved over to http://www.namepros.com/programming/498820-htaccess-redirect-to-https-select-pages.html in order to ask a question related to the programming of the PHP to switch from http:// to https:// and vice-versa.

I'm reading up on some tutorials now on SSL, https:// and things on that nature. I think I'm starting to understand this whole thing better now. I'll come back here if I have more questions on the security / SSL side of things.
 
Ok, so I generated a SSL certificate in cPanel by doing the following:

1. First, I generated a private key.
2. Then I Generated a New Certificate Signing Request. (What is "pass phrase", by the way? I had to enter one at this step, so I just did anything. Will anything work?)
3. Lastly, I generated a new certificate.

That should be all I have to do, right?
Well, I then went to the page I'm using to test the secure connection, and Firefox 3.x returned the following error message:
Secure Connection Failed

An error occurred during a connection to [My Domain].

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Ok, so I tried to access it in IE 7: "Internet Explorer Cannot Display the Webpage"

So I must be doing something wrong or missing something. Any ideas? I'm googling and looking, but haven't been able to find anything yet.
 
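The Firefox message quoted in the post above comes from the TLS record-length check, so it is worth seeing what that check actually looks at. What follows is an added illustration, not from the thread and not a diagnosis of the poster's host: the first five bytes a server sends on port 443, parsed as a TLS record header, with a few constructed sample replies (a plain-HTTP answer, real TLS records, and an SSH banner) to show which ones trip the "record too long" condition and why.

```python
"""What ssl_error_rx_record_too_long means. Added example; the sample replies below
are constructed, not captured from any real server."""
import struct

# TLS 1.0-1.2 allows 2^14 bytes of plaintext per record plus up to 2048 bytes of
# expansion; a header claiming more than this is rejected as "record too long".
TLS_MAX_RECORD = 2**14 + 2048

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_record_header(data):
    """Read the 5-byte TLS record header: type(1) major(1) minor(1) length(2, big-endian)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": (major, minor),
        "length": length,
        "too_long": length > TLS_MAX_RECORD,
    }


def diagnose(first_bytes):
    """Classify what answered on the TLS port from its first bytes alone."""
    hdr = parse_record_header(first_bytes)
    if hdr["too_long"]:
        # This is the condition behind Firefox's ssl_error_rx_record_too_long. An ASCII
        # "HTTP/" reply decodes as type 0x48 ('H'), version ('T','T'), length 'P/' = 20527,
        # which exceeds TLS_MAX_RECORD, so the client gives up before anything else.
        return "plaintext_http" if first_bytes.startswith(b"HTTP/") else "record_too_long"
    if hdr["content_type"].startswith("unknown") or hdr["version"][0] != 3:
        return "not_tls"
    return "tls"


# Constructed samples (not captured from the poster's server).
SAMPLES = {
    "plain-HTTP vhost answering on :443": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n",
    "ServerHello record with a 90-byte body": b"\x16\x03\x03\x00\x5a" + bytes(90),
    "alert(handshake_failure) record": b"\x15\x03\x01\x00\x02\x02\x28",
    "SSH daemon on the wrong port": b"SSH-2.0-OpenSSH_8.9\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        hdr = parse_record_header(data)
        print(f"{label:42s} type={hdr['content_type']:<18} len={hdr['length']:5d} -> {diagnose(data)}")
```

In practice, a reply whose first bytes are HTTP/ on port 443 means the port is being served by a virtual host that speaks plain HTTP, i.e. a certificate exists but nothing is listening with TLS on that IP and port; openssl s_client -connect host:443 shows the same raw reply, which can be fed to diagnose() as-is.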