For the record, I'm not quite *that* clueless.  I know how ssl works,  I
was just forgetting that php is simply another cgi script from Apache's
viewpoint.  I was getting it mixed up with the other "P" (python) that
has its own web server package (and thus its own https configuration
methods).

Gabriel S Farrell wrote:
> On Fri, Jan 20, 2006 at 09:58:03AM -0500, Jeffrey Barnett wrote:
>
>>Thanks all. I guess that proves just *how* clueless I am.  :(
>>
>
> Admitting cluelessness is a good way to learn quickly.
>
>
>>Ross Singer wrote:
>>
>>>This has nothing to do with PHP - they need to set up SSL on their web
>>>server.
>>>
>>>-Ross.
>>>
>
> This is true.  I went to a great talk on SSL and TLS last night, so
> I'm feeling a little more knowledgeable about it today.  Kevin does a
> good job of describing how it works in his response.  The wikipedia
> page (http://en.wikipedia.org/wiki/HTTPS) is also pretty good.
>
>
>>>Jeffrey Barnett wrote:
>>>
>>>
>>>>Can someone tell me how to enable https for a particular php
>>>>script?  I was just looking at the newly created Library Success
>>>>Wiki http://www.libsuccess.org/ and noticed that its login page is
>>>>unencrypted.
>>>>
>
> As you can see from the explanations, it's quite a chore to implement.
> This is mostly because the web (TCP/IP) was designed with flexibility,
> not security, as the main goal.  Security was more of an afterthought.
>
> One effect of this is that each certificate granted by a certificate
> authority is bound to an IP address, not a domain name.  That means
> that libsuccess.org, which is at a hosting service, cannot have its
> own certificate because it shares an IP address with many other sites.
> ("dig a libsuccess.org" shows me its IP address is 207.58.129.101,
> which goes to a blank cPanel page in my web browser.)  That means any
> https connections would involve trusting a certificate given to
> another domain, and would most likely be handled at another server
> that would create a session ID before sending you back to regular http
> libsuccess.org.  Gmail works something like this -- the https login is
> handled by an https server with its own IP address and a certificate
> given to Google by Thawte (go to https://gmail.com and click "View
> Certificate" to see this).  Once your username and password are
> verified, you check your email in unencrypted http at another server.
>
> You might want to ask why you want the login page to be https.  No
> wiki I know of uses ssl/tls.  The information they're handling is
> simply not private enough to demand it.  Most web email providers use
> https at the login stage because if someone else gets access to your
> email account that person can do a lot of damage -- some through
> impersonation, and some through going through your emails and
> gathering personal information.  If someone gets access to the wiki
> account you create, what can they do?  Not much.  They can impersonate
> you for a short while, but they don't have access to any private
> information about you.  Incidentally, that's why it's a good idea to
> have one username and password combination for less secure sites and
> another (or two or three) for transactions that involve, or sites that
> store, personal information (financial, medical, etc.).
>
> gsf
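Jeffrey's original question was how to require https for one particular script. As the thread says, the encryption itself is configured in Apache (mod_ssl), not in PHP; what the script can do is check whether Apache actually served it over the SSL virtual host and refuse or redirect otherwise, and mark its session cookie so the browser never sends it back over plain http. The following is an added example, not code from the thread or from libsuccess.org. It assumes Apache with mod_ssl serving the same document root on ports 80 and 443; the allowed host list and the cookie name `wikisession` are constructed for the example.

```php
<?php
// Added example: make a PHP login script run only over HTTPS.
// PHP cannot turn on TLS by itself; Apache/mod_ssl does that. The script
// can only detect which virtual host (http or https) handled the request.

function is_https(array $server): bool
{
    // mod_ssl sets HTTPS to "on" on the SSL virtual host; some SAPIs use "1".
    // An absent, empty or "off" value means the request came in over plain http.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Less reliable fallback: the port Apache accepted the connection on.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function https_url(array $server): string
{
    // Rebuild the current URL with the https scheme. HTTP_HOST comes from the
    // client, so only redirect to hosts we actually operate (constructed list).
    $allowed = ['www.libsuccess.org', 'libsuccess.org'];
    $host = $server['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowed, true)) {
        $host = $allowed[0];
    }
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

function require_https(array $server): void
{
    if (is_https($server)) {
        return;
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        // A POST that arrived over http already carried its fields in the
        // clear; do not silently redirect it, tell the user the form is wrong.
        header('HTTP/1.1 403 Forbidden');
        exit('This form must be submitted over https.');
    }
    // Plain GET: send the browser to the same page on the SSL virtual host.
    header('Location: ' . https_url($server), true, 301);
    exit;
}

require_https($_SERVER);

// Only reached over https. Flag the session cookie "secure" so the browser
// never sends it over plain http, and "httponly" so scripts cannot read it.
// The cookie name is hypothetical.
session_name('wikisession');
session_set_cookie_params(0, '/', '', true, true);
session_start();

// ... login form handling follows here ...
```

Placing `require_https($_SERVER)` at the top of the login script (or in a file included by it) is enough; the rest of the wiki can keep running over http if its authors agree with Gabriel that the content does not warrant encryption, but the credentials and the session cookie then stay on the encrypted connection.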