Technical Discussion
  >> Web Design / HTML / Web hosting Forum


Register (or login) on our website and you will not see this ad.


These posts have been archived and can no longer be replied to or modified.
Pages in this thread: 1 | 2 | 3 | (show all)   Print Thread
Standard User RobertoS
(legend) Sun 17-Jan-10 15:22:59
Print Post

Encryption using https


[link to this post]
 
I have been reading up via Wikipedia and HTML books but ended up very confused.

On the face of it what I want to do is simple.

I intend to have a database on a webite such as robertos.me.uk below, (but not that one), with visitors able to register on the site then log in to update the database.

I therefore need to have a secure method of handling the registration and login.

If I merely put the relevant pages in my hosts httpsdocs folder, does that cause the host's system to handle all the TLS encryption stuff, so I can ignore the problem, or does it just signify to the user that encryption is in force and I have to code it all?

Bob's broadband basic info/help site:
www.robertos.me.uk
ISP history: Demon dialup >> Freeserve dialup >> BT Broadband >> Prodigynet >> Newnet >> O2 Standard.
Purple Cloud for domain, email and web space.
Standard User deleted
(deleted) Sun 17-Jan-10 15:44:36
Print Post

Re: Encryption using https


[re: RobertoS] [link to this post]
 
Why do you want it to run through HTTPS? You would only need that when handling secure information such as transactions or or bank details - unless that is what you want to do...
What you want to do can be done with PHP and sessions...
Standard User deleted
(deleted) Sun 17-Jan-10 15:51:31
Print Post

Re: Encryption using https


[re: RobertoS] [link to this post]
 
In reference to www.purplecloud.com/faq:
Do you offer SSL?

You can host files using https - simply place the files in the httpsdocs directory instead of the standard httpdocs. However, because we operate a shared hosting platform, the SSL certificate used will not match your domain name. This means that most browsers will display a trust warning to people visiting your secured site, even though the communication is secured.


Register (or login) on our website and you will not see this ad.

Standard User RobertoS
(legend) Sun 17-Jan-10 16:03:08
Print Post

Re: Encryption using https


[re: deleted] [link to this post]
 
In reply to a post by BatBoy:
In reference to www.purplecloud.com/faq:
Do you offer SSL?

You can host files using https - simply place the files in the httpsdocs directory instead of the standard httpdocs. However, because we operate a shared hosting platform, the SSL certificate used will not match your domain name. This means that most browsers will display a trust warning to people visiting your secured site, even though the communication is secured.
Yes, I read that a while ago and it just added to my confusion.

I think it says that it is all handled for me, as per my question, but as I don't have my own certificate it would issue the warning - similar to what I get when I go to look at the webstats for robertos.me.uk.

That would be a pain!

Bob's broadband basic info/help site:
www.robertos.me.uk
ISP history: Demon dialup >> Freeserve dialup >> BT Broadband >> Prodigynet >> Newnet >> O2 Standard.
Purple Cloud for domain, email and web space.
Standard User RobertoS
(legend) Sun 17-Jan-10 16:14:34
Print Post

Re: Encryption using https


[re: deleted] [link to this post]
 
In reply to a post by metalhead41:
Why do you want it to run through HTTPS?
Because I haven't a clue about the security measures I need to take. I assumed that was the correct way.
You would only need that when handling secure information such as transactions or or bank details - unless that is what you want to do...
What you want to do can be done with PHP and sessions...
I am using PHP at an introductory/non-expert level. I shall read up Sessions - thanks for the pointer.

All I'm trying to do is make the username and password non-sniffable. The data itself is not likely to be critical, though it would be highly awkward if someone easily picked up the name and password then logged in and altered the data.

As BatBoy says, Purple Cloud seem to handle it, but not in a satisfactory manner without hassle re certificates.

Bob's broadband basic info/help site:
www.robertos.me.uk
ISP history: Demon dialup >> Freeserve dialup >> BT Broadband >> Prodigynet >> Newnet >> O2 Standard.
Purple Cloud for domain, email and web space.
Standard User deleted
(deleted) Sun 17-Jan-10 16:39:10
Print Post

Re: Encryption using https


[re: RobertoS] [link to this post]
 
SSL certificates are a rip-off. I used to use self-signed certificates just to make sure data transfer to/from a site was secure and wasn't at all interested in proving the authenticity of the site. Then Microsoft came along with their stupid browser updates and show the site as insecure because the certificate is self signed.

In your situation I'd use the httpsdocs solution and train your users.
Standard User deleted
(deleted) Sun 17-Jan-10 16:56:20
Print Post

Re: Encryption using https


[re: RobertoS] [link to this post]
 
Yeah, that's how I read it too.
Standard User deleted
(deleted) Sun 17-Jan-10 17:20:30
Print Post

Re: Encryption using https


[re: deleted] [link to this post]
 
Don't use a self-signed certificate. Use a proper one.
Standard User deleted
(deleted) Sun 17-Jan-10 18:27:33
Print Post

Re: Encryption using https


[re: RobertoS] [link to this post]
 
If it's non-critical data, you definitely don't need to go down the SSL route.

If you get it right with PHP Sessions, your site will be secure. Passwords can be set using an md5 hash so it's encrypted when put into the database. Are you creating logins for people to actually modify a database, or are you looking at a user logs in and gets a user area?
Standard User RobertoS
(legend) Sun 17-Jan-10 19:29:08
Print Post

Re: Encryption using https


[re: deleted] [link to this post]
 
One database with info from many users. Each will be able to update his own data and no-one else's, but I may want them to be able to allow viewing by others. Possibly also allowing viewers to copy from it into their own as well.

At the moment I envisage one set of files with a user ID on the data rows, but might change my mind to ID-identified clones for performance. I don't think that affects this issue - it will be just a case of how I handle things internally.

Basically I'm OK with programming and databases, but C++/SQLServer on LANs before the days of Intranets, not HTML/PHP/MySQL on websites.

At the moment I can manage an unsecured login and update/display a database. I just want to sort this out before going into the main development rather than bolt it on later. Post-fitting security can be hell.

Thanks to all so far smile.

Bob's broadband basic info/help site:
www.robertos.me.uk
ISP history: Demon dialup >> Freeserve dialup >> BT Broadband >> Prodigynet >> Newnet >> O2 Standard.
Purple Cloud for domain, email and web space.
Pages in this thread: 1 | 2 | 3 | (show all)   Print Thread

Jump to