access to the site should use SSL #224
Comments
|
My experience in the past has been that it is easier (and no less safe) to put the SSL over the whole site, rather than trying to get it to cover only some pages. It does not, in the main, harm your accessibility in any way. So I'd redirect all HTTP to HTTPS when you set it up, and leave it at that. |
|
It is worth checking that your certificate is properly located by dumber earlier versions of IE (I want to say IE 7, but I'm not sure) some of which (under XP, if I'm not mistaken) ask for the wrong file. I'm afraid I don't have the details of this problem (and its solution) to hand, but I'll try to track them down. |
|
Yep, agreed --- i think SSL over the whole site is easiest. Just wanted to make clear in the ticket report that the passwords are the main issue. |
|
searching for: Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html So it might or might not be a problem here, depending on our setup? (IE: so broken it as its own entry in the ssl faq for apache.) |
|
That's a good catch, Caligari! |
|
Just another reason to use HTTPS: http://nakedsecurity.sophos.com/2014/08/07/how-google-plans-to-get-us-all-using-https/ |
|
Right, looks like we might to move this up in our priorities. Limax seems to be having firewall or noscript issues from work, and Julian reckons that a change to SSL might fix this issue for him. |
|
I'm choosing this as my BotM for February. |
|
FWIW I have bought many SSL certs over the years and the cheapest one I have found that actually works and isn't from some shady website is Comodo PositiveSSL from Namecheap's store it's $9/yr. I would love to donate some money to cover the SSL costs for a few years. https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx |
|
Thanks, Dan. We'll try hard to get to this in the next few months. |
|
Yah, I have bought a few from the same site - namecheap reselling comodo positiveSSL. Was pretty straightforward to get the certificate and plug it into nginx, which is what I use for my reverse-proxy whatever for all my production webapps. The only real tricky bits are if you are really into security and want to deal with export attacks or weaknesses in the elliptical curve something or other. Even then, it's mostly config files. I'd just rather (a) not having the site subject to ad injection from third party ISPs and (b) not having my password transmitted in the clear. Neither of those require super-complicated big-expense certs. |
|
Current plan is to create a self-signed cert that puppet installs for non-public (other than dev.buttonweavers.com and www.buttonweavers.com) instances and a cert from www.letsencrypt.org for those. |
|
How are we going with this, @lukehankins? Any progress? |
|
Real life has intruded, unfortunately, so no progress to report. Happy to unassign it if anyone else wants to snag it. |
|
Is there a chance that you might be able to work on this sometime before Christmas? Or are you flat out? |
|
Flat out, unfortunately. I've unassigned it. |
|
I have a top tip from a friend who I just happened to bump into on the train today. He says that he used Let's Encrypt to enable SSL on his private Ubuntu server, and the whole process took in the order of 15 minutes, start to finish. The certificate and process is free (although they're open for donations), and the certificates are automatically renewed. When we do the site upgrade, I think it would be worth trying this out. |
|
The specific instructions for Apache on Ubuntu are here: |
|
ya i would now redact my earlier advice (2016) and suggest Let's Encrypt. any assistance needed here? |
|
I believe that Chaos has had good experiences with Let's Encrypt in another private project of hers, so she's also thinking this is the way to go---and it's on her list of things to do, if I understand correctly. |
We should serve the website via HTTPS as well as HTTP, and we should force access to pages which send passwords back and forth (meaning the Newuser stuff, the Login stuff, and responder.php itself unless we can split out the login functions of responder into a different file) to occur via HTTPS. The purpose is to protect passwords from being sent in cleartext.
The text was updated successfully, but these errors were encountered: