On Fri, Jan 20, 2006 at 09:58:03AM -0500, Jeffrey Barnett wrote:
> Thanks all. I guess that proves just *how* clueless I am. :(
>

Admitting cluelessness is a good way to learn quickly.

> Ross Singer wrote:
> >This has nothing to do with PHP - they need to set up SSL on their web
> >server.
> >
> >-Ross.
> >

This is true. I went to a great talk on SSL and TLS last night, so I'm feeling a little more knowledgeable about it today. Kevin does a good job of describing how it works in his response. The Wikipedia page (http://en.wikipedia.org/wiki/HTTPS) is also pretty good.

> >Jeffrey Barnett wrote:
> >
> >>Can someone tell me how to enable https for a particular php
> >>script? I was just looking at the newly created Library Success
> >>Wiki http://www.libsuccess.org/ and noticed that its login page is
> >>unencrypted.
> >>

As you can see from the explanations, it's quite a chore to implement. This is mostly because the web (TCP/IP) was designed with flexibility, not security, as the main goal. Security was more of an afterthought. One effect of this is that each certificate granted by a certificate authority is bound to an IP address, not a domain name. That means that libsuccess.org, which is at a hosting service, cannot have its own certificate because it shares an IP address with many other sites. ("dig a libsuccess.org" shows me its IP address is 207.58.129.101, which goes to a blank cPanel page in my web browser.) That means any https connections would involve trusting a certificate given to another domain, and would most likely be handled at another server that would create a session ID before sending you back to regular http libsuccess.org. Gmail works something like this -- the https login is handled by an https server with its own IP address and a certificate given to Google by Thawte (go to https://gmail.com and click "View Certificate" to see this). Once your username and password are verified, you check your email in unencrypted http at another server.

You might want to ask why you want the login page to be https. No wiki I know of uses ssl/tls. The information they're handling is simply not private enough to demand it. Most web email providers use https at the login stage because if someone else gets access to your email account that person can do a lot of damage -- some through impersonation, and some through going through your emails and gathering personal information. If someone gets access to the wiki account you create, what can they do? Not much. They can impersonate you for a short while, but they don't have access to any private information about you. Incidentally, that's why it's a good idea to have one username and password combination for less secure sites and another (or two or three) for transactions that involve, or sites that store, personal information (financial, medical, etc.).

gsf