
SSL Certificates


skaterdav85


I did some research on SSL, but can someone explain to me simply what an SSL certificate does besides providing "security through the use of cryptography and properly authenticated digital certificates."? Are they only used when you have credit card transactions over the web, or is it also good to have them for user accounts on basic sites? If I bought an SSL certificate with my hosting plan, do I need to do any kind of configuration?


An SSL certificate:
a) allows you to use SSL (i.e. HTTPS) authentication on your domain, and
b) identifies your site.

It basically allows you to encrypt the traffic that goes between your servers and the clients, so that any data intercepted is useless. That way hackers can't determine passwords, credit card numbers, and other secure details through such interception attacks.

It also identifies your site, so that people can be assured that they really are visiting abc.com (or whatever it says on the certificate), and aren't victims of attacks such as DNS poisoning.


When you add an SSL certificate to your site, is there a lot of configuration? Is it simply you buy it, and all data transmission from server to client is encrypted?

If you used some kind of one-way encryption for passwords on user accounts like SHA() in PHP, would you still need an SSL certificate?


when you add an SSL certificate to your site, is there a lot of configuration? Is it simply you buy it, and all data transmission from server to client is encrypted?
Not quite, you have to point visitors to use the https:// protocol for data to be encrypted, any data sent over normal HTTP is still in plain. Your server also needs to support SSL, e.g. through something like mod_ssl on Apache.
if you used some kind of one-way encryption for passwords on user accounts like SHA() in php, would you still need an SSL certificate?
Server-side encryption is designed to protect a different part of the information life cycle - the storage part. However, the sort of encryption afforded by SSL protects data as it is transferred between the server and the client - something server-side encryption can't do.
Client <---SSL---> Server ---SHA()---> Database


Not quite, you have to point visitors to use the https:// protocol for data to be encrypted, any data sent over normal HTTP is still in plain. Your server also needs to support SSL, e.g. through something like mod_ssl on Apache.
What do you mean I would have to point visitors to use the https:// protocol? Example?

[quote name='Synook' post='157680' date='Dec 13 2009, 07:13 PM']E.g.[code]<a href="https://my.secure.site/login.php">Secure login</a>[/code][/quote]
Ohhh... so you basically just need to use the absolute path with https://. And I'm guessing that using a relative path will just use http:// by default?

when you add an SSL certificate to your site, is there a lot of configuration?
You generally need to create a certificate request (CSR) on the server, then when you buy the certificate it asks you to paste in the CSR, where it gets information about the domain name and company. Then it gives you the certificate text, and you need to go back into whatever you were using to generate the CSR and paste in the cert text, which should install the certificate. Without a lot of extra configuration, you can only really use one SSL certificate per IP, and each certificate only applies to a single domain (a certificate that applies to w3schools.com does not apply to www.w3schools.com). It's possible to set up a wildcard certificate to apply to subdomains, or to host several SSL sites on the same IP and server, but it usually takes a lot more configuration than what you get from most SSL setup wizards or whatever other interfaces are out there. If you have an Apache server using cPanel for example, you can't set that up through either cPanel or WHM, you need to edit the Apache configuration files directly to set up a wildcard or multiple secured domains. It's pretty easy to set up a single server with a single certificate though.

You can also use PHP to detect if they connected over SSL and redirect to the SSL page if you want to, the $_SERVER['HTTPS'] variable will be set to "on" if they connected via HTTPS.
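The PHP check and redirect mentioned in the last reply, as an added example that is not code from the thread. The function names are hypothetical, and CANONICAL_HOST is an assumed setting, filled in here with the hostname from the link example earlier in the thread; it should be the name on your certificate.

```php
<?php
// Added example: send plain-HTTP visitors to the HTTPS version of the page.
// CANONICAL_HOST is an assumed placeholder; use the name on your certificate.
const CANONICAL_HOST = 'my.secure.site';

/**
 * True when the current request arrived over HTTPS.
 * $_SERVER['HTTPS'] is "on" under Apache with mod_ssl, but some servers
 * (IIS, for example) set it to "off" for plain HTTP, so testing only
 * whether the key is set would treat those requests as secure.
 */
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

/**
 * Build the https:// URL to redirect to.
 * The host comes from configuration rather than the client-supplied Host
 * header, so a forged header cannot steer the redirect to another site.
 */
function https_redirect_target(array $server): string
{
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    // Fall back to the site root unless this is a local path without CR/LF.
    if ($uri === '' || $uri[0] !== '/' || strpbrk($uri, "\r\n") !== false) {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

// Run the check at the top of any page that must only be served over HTTPS.
if (PHP_SAPI !== 'cli' && !request_is_https($_SERVER)) {
    header('Location: ' . https_redirect_target($_SERVER), true, 301);
    exit; // stop here so no page content is sent over plain HTTP
}
```

The redirect only moves the visitor over: anything already sent in the plain HTTP request, such as a posted form, crossed the network unencrypted, so login forms should submit directly to an https:// URL.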

Archived

This topic is now archived and is closed to further replies.
