SitePoint Sponsor

User Tag List

Page 1 of 2 12 LastLast
Results 1 to 25 of 26
  1. #1
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Understanding how HTTPS works

    Hi all!

    Okay, here is my first technical question as a new member of the PHP forum! (Be gentle!)

    Would someone please help me to understand what is required to establish a "secure connection" between an end-user's computer and my website on a server??

    I'm not as interested in PHP code, per se, although you can certainly include some here. The goal of this question is to understand what all I am going to need to develop (or buy)!

    Scenario:
    ------------
    Jane Citizen goes to my Seminar Registration website and is required to Log-In to do something.

    What do my Web-Host, Web-Hosting Account, and my PHP code need to do to create an "encrypted tunnel" so that all of Jane's info is safe (e.g. password)?

    I know that I need to buy an SSL certificate with my web-host.

    And there is code that somehow switches the page/connection from HTTP://SomePage.php to HTTPS://SomeProtectedPage.php, but what exactly is the process to do that??

    Hope that makes sense and was not too long-winded?!

    Thanks,


    Amy

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The security certificate contains keys for asymetrical encryption/decryption.

    When you access a page via https it downloads the encryption key part of the security key with the certificate and the browser uses that to encrypt everything being passed back to the server. That content is unable to be converted back into readable text without the decryption key which remains in the security certificate stored on the server so that the server hosting the site is the only place where that content can be decrypted.

    There is no PHp or any other client or server side languages involved in this process as it is all handled by the browser, the web server, and the security certificate.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    The security certificate contains keys for asymetrical encryption/decryption.

    When you access a page via https it downloads the encryption key part of the security key with the certificate and the browser uses that to encrypt everything being passed back to the server.
    So the SSL Certificate would be sending its "public key" to whatever client is accessing an HTTPS page?


    That content is unable to be converted back into readable text without the decryption key which remains in the security certificate stored on the server
    Now you are referring to the SSL Certificate's "private key"?


    so that the server hosting the site is the only place where that content can be decrypted.
    And presumably the SSL Certificate and pits "private key(s)" are relatively safe from being compromised?


    There is no PHp or any other client or server side languages involved in this process as it is all handled by the browser, the web server, and the security certificate.
    Okay, but lets say there is some portion of my website that require information to be protected. Specifically, let's say I need to build a Log-In Module.

    Jane User is on a page using HTTP, but needs to update her user preferences. So she clicks on a button "Update User Preferences" and is taken to a Log-In page which should now have an HTTPS. As she attempts to log in, her Username and Password are sent to the server in an encrypted form.

    Can you be a little more specific in code-neutral terms with what my code (i.e. PHP or any server-side code) has to do to make what you discribed above happen?

    Also, to clarify, when you use SSL/HTTPS, are you sending your data through an "encryoted tunnel" or is the data just being encrypted on the client side and then sent over an unsecured connection (i.e. plain-text) but since it is encrypted it is safe?

    Thanks,


    Amy

    P.S. Wow!! I just figured out that you guys (and gals) in eastern Australia are 17 hours ahead of me?!

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The certificate (and HTPPS) "protects" the content as it is sent from the browser to the server. It is encrypted using the certificate public key by the browser and decrypted by the private key once it reaches the server.

    It passes down the same communication channel to get from one computer to the other as all communication passes. That is sometimes considered to be an "encrypted tunnel" since to anything other than the server it is intended for the content is unreadable.

    Unless you have an actual physical leased line connection from your computer to the server that doesn't pass through the internet you are relying on the encryption to create a virtual tunnel.

    Apart from using HTTPS and a certificate to encrypt what is typed in as it passes from the browser to the server, the rest of what you need both in the web page and on the server is exactly the same as you would need to perform the processing if you were using HTTP and passing the login info to the server as plain text. The same form on the web page collects the info and the same PHP (or whatever) script on the server processes the info on the server as you would have used before deciding to switch to using HTTPS instead of HTTP.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    The certificate (and HTPPS) "protects" the content as it is sent from the browser to the server. It is encrypted using the certificate public key by the browser and decrypted by the private key once it reaches the server.
    Okay, so I got that right.

    It passes down the same communication channel to get from one computer to the other as all communication passes. That is sometimes considered to be an "encrypted tunnel" since to anything other than the server it is intended for the content is unreadable.

    Unless you have an actual physical leased line connection from your computer to the server that doesn't pass through the internet you are relying on the encryption to create a virtual tunnel.
    Okay, so when people say HTTPS is an "encrypted tunnel" that is really a misnomer?!

    So it is NOT like a VPN where I think (??) you actually do have an "encrypted tunnel/connection", right?


    Apart from using HTTPS and a certificate to encrypt what is typed in as it passes from the browser to the server, the rest of what you need both in the web page and on the server is exactly the same as you would need to perform the processing if you were using HTTP and passing the login info to the server as plain text. The same form on the web page collects the info and the same PHP (or whatever) script on the server processes the info on the server as you would have used before deciding to switch to using HTTPS instead of HTTP.
    Okay, so it is just a matter of telling PHP to send the data via HTTPS vs HTTP?

    Would it go like this..

    ***************
    Form: "Hey PHP, this is sensitive data, let's send it via HTTPS..."

    PHP: "Okay, we will use a different, secure connection." (I think Port 443??)

    Server: "Oh, I'm getting a request to send me data over the HTTPS connection, I better send my public key!"

    Browser: "Thanks for your public key!"

    Browser: "I'll encrypt the sensitive data now!"

    PHP/Browser: "Here comes some encrypted data, Mr. Server."

    Server: "Oay, let me now use my private key to decryot the senstive data that the browser encrypted with my public key."
    ***************


    Hope you like my mini screenplay?

    Thanks,


    Amy

  6. #6
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here is a scheme of how SSL connection works:
    http://publib.boulder.ibm.com/infoce...c/sy10660_.htm
    Actually you can make and people do make VPN tunnels using SSL. For instance with stunnel.

  7. #7
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    A VPN tunnel is also just encrypted data being sent across the internet. ANY "tunnel" on the internet just means it is encrypted at one end and decrypted at the other so as to be not readable to anyone apart from those who are entitled to read it.

    PHP has no involvement in the HTTPS part of the process. It only gets the data after it has been decrypted on the server.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  8. #8
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Some remarks about screenplay
    PHP is a servant for Server, he does not meet in person with Browser. Browser only talks to Server.
    Browser and Server only use Public/Private keys to encrypt SessionKey that is then used to (symmetrically) encrypt all their talk (Because talking asymmetrically would take too much time - they are not that fluent in this ).

  9. #9
    SitePoint Enthusiast robertss's Avatar
    Join Date
    Mar 2008
    Posts
    32
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    While PHP isn't involved in the process of establishing an SSL connection, you can use it to "force" https by redirecting all normal http traffic to https. For example:

    PHP Code:
    //==== Turn on HTTPS - Detect if HTTPS, if not on, then turn on HTTPS:
    function SSLon(){
        if(
    $_SERVER['HTTPS'] != 'on'){
            
    $url "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
            
    header('Location: '.$url); exit;
        }
    }
    //==== End -- Turn On HTTPS 

  10. #10
    SitePoint Guru
    Join Date
    Dec 2005
    Posts
    982
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by robertss View Post
    While PHP isn't involved in the process of establishing an SSL connection, you can use it to "force" https by redirecting all normal http traffic to https. For example:
    You can also do this using htaccess and apache rewrite (my preference):
    Code:
    # Force Secure Admin Login
    RewriteCond %{SERVER_PORT} !443
    RewriteRule ^admin/ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    @Amy: I love the mini screenplay. Hopefully more users follow this new trend
    MySQL v5.1.58
    PHP v5.3.6

  11. #11
    SitePoint Zealot Amenthes's Avatar
    Join Date
    Oct 2006
    Location
    Bucharest, Romania
    Posts
    143
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's a really nice article on infoq.com about HTTPS connections: http://www.infoq.com/articles/HTTPS-...ion-Jeff-Moser
    I'm under construction | http://igstan.ro/

  12. #12
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by BrandonK View Post
    @Amy: I love the mini screenplay. Hopefully more users follow this new trend
    Ha ha. Glad you liked it. Not sure that I'll every win an Oscar or Emmy, though!

    In teaching, sometimes it helps to do role-playing and/or to explain things in more everyday terms.


    Amy

  13. #13
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Amenthes View Post
    Here's a really nice article on infoq.com about HTTPS connections: http://www.infoq.com/articles/HTTPS-...ion-Jeff-Moser
    Thank you for the links!!


    Amy

  14. #14
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks of rall of the posts.

    Okay, so to sum things up...

    It sounds like the only thing I need to buy in order to provide secure communications between my users and my server is an SSL certificate with my web-host.

    Right?

    And it sounds like everything else is just a matter of how I program my PHP pages (i.e. when to access HTTPS).

    Does that sound right?

    On a side topic, if I get a web-hosting account that provides PHP, MySQL, and I buy an SSL certificate, then is there anything else I really need except lots of know-how on XHTML, CSS, PHP, and maybe MySQL?

    I'm just looking for "deal-breaker" (i.e. things so expensive or so complicated or so inaccessible) that it would stop me from having a secure website.

    Hope that makes some sense?!

    Thanks,


    Amy

  15. #15
    SitePoint Evangelist tetsuo shima's Avatar
    Join Date
    Oct 2005
    Location
    Switzerland
    Posts
    597
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If all you want is to avoid sending a password in plain text, you may want to consider using PHP HTTP Digest .

    The SEO Faq thread
    Dependency injection made easy: Phemto

  16. #16
    One website at a time mmj's Avatar
    Join Date
    Feb 2001
    Location
    Melbourne Australia
    Posts
    6,282
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    To understand secure connections you need to understand 2 principles.

    1. That an encryption method can require a different key to encode than to decode, without it being possible to figure out the decryption key if you are given the encryption key. This is called "public key cryptography". With it, you can safely give out your encryption key to the whole world, but still be the only one that can read messages encoded with it. For two-way communication, each party makes their encryption key public but keeps their decryption key secret.

    2. That in order to be secure online you not only need to ensure your communication is encrypted (and nobody could get your decryption key) but you also need to ensure that the person you are communicating with really is who they say they are and they are not an impostor. Otherwise, the best encryption in the world is not going to help if you are actually speaking to the person who wants to steal your information. Thus, before communicating, a certificate exchange must be done. Public key cryptography allows 'signing' a certificate in such a way that anyone can tell if the signature in the certificate is authentic using a publicly available key, but nobody can create an authentic signature without a specially issued private key. In a client-server situation, the server doesn't care who the client is, but the client cares who the server is. So the server has a certificate which the client can inspect to see if it is authentic (according to some trusted issuer of certificate signing keys).

    Public key cryptography, which enables all this to happen, is described in this wikipedia article:
    http://en.wikipedia.org/wiki/Public-key_cryptography
    [mmj] My magic jigsaw
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The Bit Depth Blog Twitter Contact me
    Neon Javascript Framework Jokes Android stuff

  17. #17
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by mmj View Post
    To understand secure connections you need to understand 2 principles.

    1. That an encryption method can require a different key to encode than to decode, without it being possible to figure out the decryption key if you are given the encryption key. This is called "public key cryptography". With it, you can safely give out your encryption key to the whole world, but still be the only one that can read messages encoded with it. For two-way communication, each party makes their encryption key public but keeps their decryption key secret.
    That part I was fairly comfortable with, but thanks for the detailed explanation!


    2. That in order to be secure online you not only need to ensure your communication is encrypted (and nobody could get your decryption key) but you also need to ensure that the person you are communicating with really is who they say they are and they are not an impostor. Otherwise, the best encryption in the world is not going to help if you are actually speaking to the person who wants to steal your information.
    Very good point!!


    Thus, before communicating, a certificate exchange must be done. Public key cryptography allows 'signing' a certificate in such a way that anyone can tell if the signature in the certificate is authentic using a publicly available key, but nobody can create an authentic signature without a specially issued private key.
    Who/what check the certificates authenticity?

    Me? My browser? Otehr?

    When does that happen?


    In a client-server situation, the server doesn't care who the client is, but the client cares who the server is.
    Why do you say that?

    What if the client is a "bad guy"?!

    Shouldn't the server need to know something about who the client is?


    So the server has a certificate which the client can inspect to see if it is authentic (according to some trusted issuer of certificate signing keys).

    Public key cryptography, which enables all this to happen, is described in this wikipedia article:
    http://en.wikipedia.org/wiki/Public-key_cryptography
    Okay.

    So how does this relate to my original post and concerns?

    Do you agree that all I need is a web-hosting account and an SSL certificate?

    Or is there something missing?

    Thanks for your reply!!


    Amy

  18. #18
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by amy.damnit View Post
    Who/what check the certificates authenticity?
    The browser does in part. It ships with a list of trusted root authorities and will produce an alert advising you that the certificate is suspect if the certificate doesn't have a trust chain leading back to one of the root trusted authorities. You can override it to tell it to trust a certificate anyway if you have verified it in some other way.

    The part that the browser doesn't do is to check who the certificate was issued to. As long as the certificate was issued to the current site it doesn't care that you are on fakebank.com instead of bank.com as long as the certificate was issued to fakebank.com. That's where the person using the browser has to click the padlock symbol to verify who the owner of the certificate is so as to make sure that it is who they expect it to be.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  19. #19
    One website at a time mmj's Avatar
    Join Date
    Feb 2001
    Location
    Melbourne Australia
    Posts
    6,282
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by amy.damnit View Post
    Who/what check the certificates authenticity?

    Me? My browser? Otehr?

    When does that happen?
    Your browser checks the certificate to see who issued it, and if it was issued by a Certificate Authority (ie company like Thawte, Globalsign etc) that it "trusts", then it checks it against that company's public key to ensure it is authentic.

    If the certificate was not issued by any company your browser recognises (as in the case of a self-made key) or any other information appears suspect, then the browser will give a warning.

    Note that just because a trusted Certificate Authority issued a certificate does not mean that the person you're communicate can be trusted. It's just a means of identifying that they are who they say they are, so it's also important that the user checks the domain name or company name on the certificate and makes up their own mind about whether the company they are dealing with is trustworthy.

    Why do you say that?

    What if the client is a "bad guy"?!

    Shouldn't the server need to know something about who the client is?
    Normally on the web, if the server needs to be able to verify who the client is, they do this once the secure session has already been opened. For instance, by requiring a login. The login details are all sent over the already secure channel. That is why I said the server doesn't need to know who the client is in order to start the secure session.

    This is a bit more user friendly, and privacy-friendly, than requiring all web users to have a certificate installed in their browser signed by a certain certificate authority (though some rare services do sometimes request a certificate from a client for security reasons).


    Okay.

    So how does this relate to my original post and concerns?

    Do you agree that all I need is a web-hosting account and an SSL certificate?

    Or is there something missing?
    Yep, you'll need an SSL certificate signed by a trusted Certificate Authority and issued for your actual domain name. An SSL certificate included free with your hosting package may not satisfy both those criteria.

    You'll need to get your host to enable HTTPS with that certificate. For Jane's sake, make sure that the same content is not available via regular HTTP, and make sure none of your internal links, and links to things like scripts, stylesheets and images, lead to non-HTTPS sites. That'll ensure her browser will never lead her to the same site, unprotected, or show a confusing warning about non-encrypted page elements.

    There's no special code to switch into or out of a secure connection except the "https:" at the beginning of a URL. Make sure the user is using a secure connection before logging in (ie, the login page should be included in those pages that are only accessible via "https:").
    [mmj] My magic jigsaw
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The Bit Depth Blog Twitter Contact me
    Neon Javascript Framework Jokes Android stuff

  20. #20
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    The browser does in part. It ships with a list of trusted root authorities and will produce an alert advising you that the certificate is suspect if the certificate doesn't have a trust chain leading back to one of the root trusted authorities. You can override it to tell it to trust a certificate anyway if you have verified it in some other way.

    The part that the browser doesn't do is to check who the certificate was issued to. As long as the certificate was issued to the current site it doesn't care that you are on fakebank.com instead of bank.com as long as the certificate was issued to fakebank.com. That's where the person using the browser has to click the padlock symbol to verify who the owner of the certificate is so as to make sure that it is who they expect it to be.
    Thanks, Stephen! Good stuff!


    Amy

  21. #21
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by mmj View Post
    Your browser checks the certificate to see who issued it, and if it was issued by a Certificate Authority (ie company like Thawte, Globalsign etc) that it "trusts", then it checks it against that company's public key to ensure it is authentic.

    If the certificate was not issued by any company your browser recognises (as in the case of a self-made key) or any other information appears suspect, then the browser will give a warning.
    I have had FireFox flip out a few times and give me a screen with red font saying "This site is untrusted" of something like that when I have clicked on linkds from a Google search.

    Could this be what happened?


    Note that just because a trusted Certificate Authority issued a certificate does not mean that the person you're communicate can be trusted. It's just a means of identifying that they are who they say they are, so it's also important that the user checks the domain name or company name on the certificate and makes up their own mind about whether the company they are dealing with is trustworthy.
    So a phishing scheme (e.g. NotMyBank.com) could have a trusted certificate?!


    Normally on the web, if the server needs to be able to verify who the client is, they do this once the secure session has already been opened. For instance, by requiring a login. The login details are all sent over the already secure channel. That is why I said the server doesn't need to know who the client is in order to start the secure session.

    This is a bit more user friendly, and privacy-friendly, than requiring all web users to have a certificate installed in their browser signed by a certain certificate authority (though some rare services do sometimes request a certificate from a client for security reasons).
    Maybe some Business-to-Business situations require client web certificates?


    Yep, you'll need an SSL certificate signed by a trusted Certificate Authority and issued for your actual domain name. An SSL certificate included free with your hosting package may not satisfy both those criteria.
    Is there a way to get a test SSL certificate?

    I'm going to get a "test" account with GoDaddy.com where there will not be a domain name, just a fixed IP address. (I don't want people to be able to know who I am for my test account by looking up a domain, plus it is just a "test" account?!)

    *Hoping you say "yes"?!*


    Also, when I am ready to get down to business and get a "real" SSL certificate, what kinds of information must I provide to get one?

    (I hope they aren't asking for really intimate details like bank acct #'s, physical address, etc.)


    You'll need to get your host to enable HTTPS with that certificate. For Jane's sake, make sure that the same content is not available via regular HTTP, and make sure none of your internal links, and links to things like scripts, stylesheets and images, lead to non-HTTPS sites. That'll ensure her browser will never lead her to the same site, unprotected, or show a confusing warning about non-encrypted page elements.
    Wow! That is some of the best advice I've been given in a long time?!

    That is a lot to "chew" on, and probably requires a solid architecture, but here are some initial thoughts...

    So it sounds like it is better to have "dedicated" Scripts, Style Sheets, Images, etc for secure pages??

    Maybe you even would want to double up and have Scripts, Style Sheets, Images, etc map to a specific secure page??

    In general, is there any easy way, approach, or even testing tool to ensure that...

    1.) You don't accidentally loop Jane User from a secure area back to a non-secure area, OR that

    2.) Jane User can't get to a secure area via a non-secure area OR that

    3.) There isn't some way for people to "hack" your URL and hope from non-secure to secure to non-secure areas??

    (Sorry, those are probably threads unto themselves?!) *LOL*


    There is no special code to switch into or out of a secure connection except the "https:" at the beginning of a URL. Make sure the user is using a secure connection before logging in (ie, the login page should be included in those pages that are only accessible via "https:").
    Okay.

    Thanks you Thomas!!

    Great information!!

    Sincerely,


    Amy

  22. #22
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,863
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by amy.damnit View Post
    Is there a way to get a test SSL certificate?
    For testing purposes you can just make your own certificate and tell your browser to trust it (assuming you decide that you can trust that you are the one who actually made it )
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  23. #23
    SitePoint Addict amy.damnit's Avatar
    Join Date
    Sep 2009
    Posts
    336
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    For testing purposes you can just make your own certificate and tell your browser to trust it
    Really?! Cool!

    So, is that hard to do?

    When I get a little closer to needing to do that, can you show me how?


    (assuming you decide that you can trust that you are the one who actually made it )
    Well, hopefully I can get a "simple majority" vote when the voices in my head vote on trusting me or not?!


    Amy

  24. #24
    SitePoint Zealot cpace1983's Avatar
    Join Date
    Sep 2009
    Posts
    153
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by amy.damnit View Post
    Really?! Cool!

    So, is that hard to do?


    Amy
    Easy as pie, and automagically created usually when you install mod_ssl, or the dedicated HTTPS server for Apache (depending on Linux distro, if you're using Linux at all on your server).
    I am a Freelance Linux Consultant.
    I offer flat rate Linux support, as well as hourly support.
    Feel free to visit my blog, Ramblings of a Linux Administrator.

  25. #25
    One website at a time mmj's Avatar
    Join Date
    Feb 2001
    Location
    Melbourne Australia
    Posts
    6,282
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by amy.damnit View Post
    I have had FireFox flip out a few times and give me a screen with red font saying "This site is untrusted" of something like that when I have clicked on linkds from a Google search.

    Could this be what happened?
    From the way you describe the screen, it's probably unrelated. The site was probably on the blacklist that Firefox uses to detect sites such as Phishing sites or sites that try to install malware.

    However, there is a (yellow, from memory) screen which can pop up when entering a secure connection and the site's certificate does not validate with a trusted certificate authority. That screen has an 'add an exception' link which you can use if you are sure it's the site you wanted.

    So a phishing scheme (e.g. NotMyBank.com) could have a trusted certificate?!
    Yep. The point of the certificate is not to prove that someone is trusted, it's to prove who they are. So always check the domain name and decide if you trust it!

    Is there a way to get a test SSL certificate?
    A self-signed certificate is free to create, and anyone can create one (I won't go into instructions, as they are google-able). It is a good idea as a test certificate. It won't validate as being from a trusted CA on people's browsers, but they can add exceptions, or you can add yourself (the key the certificate was based on) as a trusted CA into your own browser, if you just want to test it locally.

    Also, when I am ready to get down to business and get a "real" SSL certificate, what kinds of information must I provide to get one?
    It varies by company. They should try to establish that you are the owner of the domain you are getting the certificate for. However it shouldn't require intimate details like bank account numbers. If you are getting an "EV" certificate it adds more security for users because they also supposedly test that your company name, or your personal name, is who you say it is.


    So it sounds like it is better to have "dedicated" Scripts, Style Sheets, Images, etc for secure pages??
    Well yes, but they can have exactly the same content though. They just need to be reachable by HTTPS and the ones on your regular site reachable by HTTP. If you are running two servers or virtual hosts you could probably use symlinks to do this, they don't have to be separate actual files on the server.
    In general, is there any easy way, approach, or even testing tool to ensure that...

    1.) You don't accidentally loop Jane User from a secure area back to a non-secure area, OR that
    Depending on the way you design your site, it should be simple. Try thinking of the secure site as a separate website.

    2.) Jane User can't get to a secure area via a non-secure area OR that
    3.) There isn't some way for people to "hack" your URL and hope from non-secure to secure to non-secure areas??
    There would not be any real benefit to them doing this I don't think, at least in most normal circumstances. A secure connection protects the end user, so if someone did figure out that they could change from HTTPS to HTTP on part of your secure site, the only downside is that that person's privacy might be compromised.

    The reason you'd want to prevent someone accidentally straying into a non-secure part of the site without realising it, is that they might then give private information, like their address or credit card details, not realising that the connection is no longer secure.
    [mmj] My magic jigsaw
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The Bit Depth Blog Twitter Contact me
    Neon Javascript Framework Jokes Android stuff


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •