For the record, I'm not quite *that* clueless. I know how ssl works, I was just forgetting that php is simply another cgi script from Apache's viewpoint. I was getting it mixed up with the other "P" (python) that has its own web server package (and thus its own https configuration methods).

Gabriel S Farrell wrote:
> On Fri, Jan 20, 2006 at 09:58:03AM -0500, Jeffrey Barnett wrote:
>
>> Thanks all. I guess that proves just *how* clueless I am. :(
>
> Admitting cluelessness is a good way to learn quickly.
>
>> Ross Singer wrote:
>>
>>> This has nothing to do with PHP - they need to set up SSL on their web
>>> server.
>>>
>>> -Ross.
>
> This is true. I went to a great talk on SSL and TLS last night, so
> I'm feeling a little more knowledgeable about it today. Kevin does a
> good job of describing how it works in his response. The wikipedia
> page (http://en.wikipedia.org/wiki/HTTPS) is also pretty good.
>
>>> Jeffrey Barnett wrote:
>>>
>>>> Can someone tell me how to enable https for a particular php
>>>> script? I was just looking at the newly created Library Success
>>>> Wiki http://www.libsuccess.org/ and noticed that its login page is
>>>> unencrypted.
>
> As you can see from the explanations, it's quite a chore to implement.
> This is mostly because the web (TCP/IP) was designed with flexibility,
> not security, as the main goal. Security was more of an afterthought.
>
> One effect of this is that each certificate granted by a certificate
> authority is bound to an IP address, not a domain name. That means
> that libsuccess.org, which is at a hosting service, cannot have its
> own certificate because it shares an IP address with many other sites.
> ("dig a libsuccess.org" shows me its IP address is 207.58.129.101,
> which goes to a blank cPanel page in my web browser.) That means any
> https connections would involve trusting a certificate given to
> another domain, and would most likely be handled at another server
> that would create a session ID before sending you back to regular http
> libsuccess.org. Gmail works something like this -- the https login is
> handled by an https server with its own IP address and a certificate
> given to Google by Thawte (go to https://gmail.com and click "View
> Certificate" to see this). Once your username and password are
> verified, you check your email in unencrypted http at another server.
>
> You might want to ask why you want the login page to be https. No
> wiki I know of uses ssl/tls. The information they're handling is
> simply not private enough to demand it. Most web email providers use
> https at the login stage because if someone else gets access to your
> email account that person can do a lot of damage -- some through
> impersonation, and some through going through your emails and
> gathering personal information. If someone gets access to the wiki
> account you create, what can they do? Not much. They can impersonate
> you for a short while, but they don't have access to any private
> information about you. Incidentally, that's why it's a good idea to
> have one username and password combination for less secure sites and
> another (or two or three) for transactions that involve, or sites that
> store, personal information (financial, medical, etc.).
>
> gsf
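As an added example (not part of the thread), this is the Apache mod_ssl configuration that Ross's reply is pointing at: the web server, not PHP, decides which requests are served over SSL, so the login script is sent to an HTTPS virtual host and the script itself is left untouched. It assumes the site has an SSL-capable virtual host of its own; the hostname `wiki.example.org`, the document root, `login.php` and the certificate paths are placeholders.

```apache
# Added example, not from the thread. Placeholders: wiki.example.org,
# /var/www/wiki, login.php and the certificate/key paths.

# Plain HTTP: the wiki keeps working as before, except that the login
# script is bounced to the HTTPS virtual host below before it runs.
<VirtualHost *:80>
    ServerName   wiki.example.org
    DocumentRoot /var/www/wiki
    Redirect permanent /login.php https://wiki.example.org/login.php
</VirtualHost>

# HTTPS: requires mod_ssl to be loaded and a certificate issued for
# this host. The same login.php is served here; the script needs no
# SSL-specific code because the encryption happens in Apache.
<VirtualHost *:443>
    ServerName   wiki.example.org
    DocumentRoot /var/www/wiki
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key
</VirtualHost>
```

With mod_ssl and mod_php the script can still tell which virtual host served it by checking `$_SERVER['HTTPS']`, which is the only difference it sees.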