
On Fri, Jan 20, 2006 at 09:58:03AM -0500, Jeffrey Barnett wrote:
> Thanks all. I guess that proves just *how* clueless I am.  :(
>
Admitting cluelessness is a good way to learn quickly.

> Ross Singer wrote:
> >This has nothing to do with PHP - they need to set up SSL on their web
> >server.
> >
> >-Ross.
> >
This is true.  I went to a great talk on SSL and TLS last night, so
I'm feeling a little more knowledgeable about it today.  Kevin does a
good job of describing how it works in his response.  The wikipedia
page (http://en.wikipedia.org/wiki/HTTPS) is also pretty good.

> >Jeffrey Barnett wrote:
> >
> >>Can someone tell me how to enable https for a particular php
> >>script?  I was just looking at the newly created Library Success
> >>Wiki http://www.libsuccess.org/ and noticed that its login page is
> >>unencrypted.
> >>
As you can see from the explanations, it's quite a chore to implement.
This is mostly because the web (TCP/IP) was designed with flexibility,
not security, as the main goal.  Security was more of an afterthought.

One effect of this is that each certificate granted by a certificate
authority is bound to an IP address, not a domain name.  That means
that libsuccess.org, which is at a hosting service, cannot have its
own certificate because it shares an IP address with many other sites.
("dig a libsuccess.org" shows me its IP address is 207.58.129.101,
which goes to a blank cPanel page in my web browser.)  That means any
https connections would involve trusting a certificate given to
another domain, and would most likely be handled at another server
that would create a session ID before sending you back to regular http
libsuccess.org.  Gmail works something like this -- the https login is
handled by an https server with its own IP address and a certificate
given to Google by Thawte (go to https://gmail.com and click "View
Certificate" to see this).  Once your username and password are
verified, you check your email in unencrypted http at another server.

You might want to ask why you want the login page to be https.  No
wiki I know of uses ssl/tls.  The information they're handling is
simply not private enough to demand it.  Most web email providers use
https at the login stage because if someone else gets access to your
email account that person can do a lot of damage -- some through
impersonation, and some through going through your emails and
gathering personal information.  If someone gets access to the wiki
account you create, what can they do?  Not much.  They can impersonate
you for a short while, but they don't have access to any private
information about you.  Incidentally, that's why it's a good idea to
have one username and password combination for less secure sites and
another (or two or three) for transactions that involve, or sites that
store, personal information (financial, medical, etc.).

gsf
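The flow described above (log in over https, receive a session ID, then use the site over plain http) has a consequence worth checking: whatever the login server minted has to cross the wire unencrypted on every later http request. The following is an added illustration, not code from the email or from any site it mentions. It uses Python's standard http.cookies parser to read a Set-Cookie header and model the one browser rule that governs this (RFC 6265 section 4.1.2.5: a cookie carrying the Secure attribute is never sent over plain http). The hostnames, the cookie name sid and its values are invented for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as a login endpoint might issue them
# (invented for this example; not taken from the email or any real site).
SESSION_COOKIE_PLAIN = "sid=a1b2c3d4; Path=/"
SESSION_COOKIE_HARDENED = "sid=a1b2c3d4; Path=/; Secure; HttpOnly"


def parse_session_cookie(header, name="sid"):
    """Parse a Set-Cookie header value and return the named morsel (or None)."""
    jar = SimpleCookie()
    jar.load(header)
    return jar.get(name)


def cookie_flags(header, name="sid"):
    """Report the two attributes that decide where the session ID can travel."""
    morsel = parse_session_cookie(header, name)
    if morsel is None:
        return None
    return {
        "secure": bool(morsel["secure"]),      # only sent over https when True
        "httponly": bool(morsel["httponly"]),  # hidden from page scripts when True
    }


def browser_would_send(header, url, name="sid"):
    """Would a browser attach the cookie to a request for `url`?

    Models only the Secure rule: a Secure cookie is never sent over plain
    http. Domain and path matching are assumed to succeed.
    """
    flags = cookie_flags(header, name)
    if flags is None:
        return False
    scheme = urlsplit(url).scheme.lower()
    if flags["secure"] and scheme != "https":
        return False
    return True


def clear_text_exposures(header, urls, name="sid"):
    """List the URLs over which the session ID would cross the wire unencrypted."""
    return [
        u for u in urls
        if urlsplit(u).scheme.lower() == "http" and browser_would_send(header, u, name)
    ]


if __name__ == "__main__":
    # The flow the email describes: log in over https, then use the site over http.
    visits = ["https://login.example.test/auth", "http://wiki.example.test/edit"]
    for label, hdr in (("no flags", SESSION_COOKIE_PLAIN),
                       ("Secure+HttpOnly", SESSION_COOKIE_HARDENED)):
        print(label, cookie_flags(hdr), clear_text_exposures(hdr, visits))
```

Run as written, the unflagged cookie is reported as exposed on the http visit, while the Secure cookie is withheld from it entirely. That second result is the caveat: in the login-then-http design, adding Secure would simply break the session, because the browser would refuse to send the ID to the http site at all. The only arrangement in which the session ID never travels in clear is one where the pages that use it are served over https too, which is exactly the shared-IP problem the email spends its middle paragraph on.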