
SSL Configuration?


Rudy

Hey guys,
I'm a bit new to setting up SSL, and am working on getting my first setup right now. I'm running cPanel on an Apache with OpenSSL host. My question is, when I go to set up the CSR, the only "domain" I have available is "mydomain.com" NOT "www.mydomain.com."

I am getting my SSL certificate from NameCheap's free PositiveSSL that they sometimes hand out on new domain registrations (one of which I nabbed).

Will it matter that the certificate is for mydomain.com and not for www.mydomain.com, and furthermore, will my certificate count for my entire website, or just for a certain directory?

Thanks,
- David
 
•••
Another SSL Question

I'm also wondering about the security of SSL. I know that it is trusted, and that it works, I'm just wondering, 'how?'

I know the main points of how it works:
1) The server has a public key (which is sent to the client) and a private key (which only the server has)
2) Upon a request for secure connection, the server sends the public key to the client
3) The client generates a random number, and sends it to the server encrypted with the public key
4) The server deciphers the number using its private key
5) Now, both the client and the server know the random number
6) From this random number, the client and the server generate a new key for encryption and decryption.

My question is this: If a hacker really wanted to, and he's in the middle somewhere, couldn't he "catch" the encryption code in step 3? If he were able to do that, then it would seem to me that all would be lost, right?
 
•••
If a hacker really wanted to, and he's in the middle somewhere, couldn't he "catch" the encryption code in step 3? If he were able to do that, then it would seem to me that all would be lost, right?

He needs the server's private key (step 4) to decipher the encryption code - if the hacker were somewhere in the middle AND had compromised the server, then this would be possible.

There have been SSL exploits, but overall it's a trusted data transmission standard and greatly reduces risk.

As for the www/non-www, make sure you have one of them permanently redirected to the other in your .htaccess file and you should be fine.
 
•••
Thanks for the response. I already have non-www redirected to www, so it sounds like I should be all set for the domain and any sub-directories of www, correct?

The only thing I would need another SSL cert or a wildcard cert is if I wanted to have subdomains secured.

He needs the server's private key (step 4) to decipher the encryption code - if the hacker were somewhere in the middle AND had compromised the server, then this would be possible.

I know that the private key is needed in order to decipher the encryption code. But wouldn't the hacker be able to get this code, send it off to the server to be decrypted, and then once a connection is made, be able to hack the other (identical) connection?

This is all hypothetical stuff. I know SSL is very secure, I trust it, etc..., etc... I'm just brainstorming and wondering, that's all.
 
•••
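The exchange listed in steps 1-6 above, and the relay case raised in the follow-up, as an added example that is not part of any post in this thread. It is a simplified model, not real TLS: the key pair is textbook RSA over two small Mersenne primes, and `derive_key`, `finished`, `run_exchange` and the observer are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair built from two small Mersenne primes (assumption: sized for
# illustration only; real server keys are 2048 bits or more and use padding).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the server


def derive_key(premaster: int) -> bytes:
    """Step 6: both ends turn the shared random number into a session key."""
    return hashlib.sha256(premaster.to_bytes(16, "big")).digest()


def finished(key: bytes) -> bytes:
    """Proof that the sender holds the session key, without revealing it."""
    return hmac.new(key, b"finished", hashlib.sha256).digest()


def client_hello(premaster=None):
    """Step 3: pick a random number and encrypt it with the public key."""
    if premaster is None:
        premaster = 2 + secrets.randbelow(N - 3)
    return premaster, pow(premaster, E, N)


def server_accept(ciphertext: int) -> bytes:
    """Steps 4-6: decrypt with the private key; reply only with a Finished MAC."""
    return finished(derive_key(pow(ciphertext, D, N)))


def run_exchange(premaster=None) -> dict:
    secret, wire = client_hello(premaster)
    server_proof = server_accept(wire)  # relayed unchanged by the observer
    client_key = derive_key(secret)
    # The observer holds N, E, the ciphertext and the server's proof, but no
    # private key; a key derived from what it saw does not match.
    observer_key = derive_key(wire)
    return {
        "client_accepts_server": hmac.compare_digest(finished(client_key), server_proof),
        "observer_has_key": hmac.compare_digest(finished(observer_key), server_proof),
        "secret_on_wire": secret == wire,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The server's reply carries only a MAC computed with the derived key, so forwarding the ciphertext to the server never returns the decrypted number to whoever forwarded it.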
My question is this: If a hacker really wanted to, and he's in the middle somewhere, couldn't he "catch" the encryption code in step 3? If he were able to do that, then it would seem to me that all would be lost, right?

Look at it this way, the right person can theoretically gain access to any server in the world if he or she wants to. However, that person might not have a real reason to work on gaining access to your specific computer/server. You're basically trying to keep out the 99% that do most of the exploits and are a threat to your business or server.

It's a bit more difficult than you think to decrypt this, and keep in mind most SSL are for quick tasks.
 
•••
SSL *is* vulnerable to a "man in the middle" attack (google it) - is that what you were asking about?

"Man in the middle" requires that the hacker has a way to redirect (not just "sniff") IP packets intended for the server to their own machine, so it requires some serious planning to carry it out. It will also raise a certificate warning in the client-victim's browser (unless THEIR machine was compromised and modified to trust it). If they heed the warning and reject the suspicious certificate, the attack will fail.

CrazyTech is right - 99% of attacks are random drive-bys from script kiddies looking for an easy mark, not an intellectual challenge. Follow security "best practices", keep patches up-to-date, and that will be enough to deter all but the truly determined (and knowledgeable) ones.
 
•••
Both CrazyTech & enlytend are correct in that getting around SSL is by no means a dainty task for a third party. As to your SSL cert, PositiveSSL uses the SSL protocols that allow it to apply a "Subject Alternative Name" (SANs) to the certificate, which they do for all their certs. An SSL cert from PositiveSSL will work with or without the "www" - in your case, per your questions, a :kickass: solution :], as no redirect required unless you messed up .htaccess.

The SANs part of your PositiveSSL cert on SmoothStoneServices.com - https://img.mydomains.net/Rudy-ssl.png

That cert will work for any URL at SmoothStoneServices.com, provided it is not a subdomain in the address-bar: https://www.smoothstoneservices.com , https://smoothstoneservices.com , https://www.smoothstoneservices.com/folder/page.php , https://smoothstoneservices.com/folder/page.php all good to go :D
 
•••
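The coverage rule described in the post above (bare domain and www covered, any path covered, other subdomains not), as an added example that is not part of the original post. It goes one step further than the post by also handling a wildcard entry, the case raised earlier in the thread for securing subdomains; the function names and the `shop.` hostname are constructed for illustration.

```python
from urllib.parse import urlsplit

# SAN entries as described in the post: the bare domain and its www name.
POSITIVESSL_SANS = ["smoothstoneservices.com", "www.smoothstoneservices.com"]


def san_matches(hostname: str, pattern: str) -> bool:
    """Compare one hostname with one dNSName entry, label by label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # an entry never covers deeper or shallower names
    if pat[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(url: str, sans: list) -> bool:
    """True if the host part of url matches any SAN; the path is ignored."""
    host = urlsplit(url).hostname or ""
    return any(san_matches(host, name) for name in sans)


def coverage_report(urls: list, sans: list) -> dict:
    """Map each URL to whether the certificate's SAN list covers its host."""
    return {u: cert_covers(u, sans) for u in urls}


if __name__ == "__main__":
    urls = [
        "https://www.smoothstoneservices.com",
        "https://smoothstoneservices.com/folder/page.php",
        "https://shop.smoothstoneservices.com/",  # constructed subdomain
    ]
    for url, ok in coverage_report(urls, POSITIVESSL_SANS).items():
        print(f"{'covered ' if ok else 'MISMATCH'} {url}")
```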
I believe that it is a time-related and money-related question if someone wants to hack you. Security is complex, and if you follow common rules I believe you have nothing to worry about.
 