Using SSL for your user cpanels and admin area?

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
Are you using SSL for your cpanels? Have you considered it?

If you have used SSL, besides creating/purchasing a security cert and enabling SSL on your server, how do you go about setting up VB to secure the areas of your control panels?
 

jilly

Fan
Joined
Jan 14, 2004
Messages
929
Not Yet...

but isn't the admin cp secured by our license number now? won't that be a bigger stop than SSL? (I don't know much about SSL)
 

Ogden2k

01001111
Joined
Jan 6, 2004
Messages
1,116
I don't think you have to go as far as using SSL. htaccess does the job.
 

wizard1974uk

Tazmanian Gremlin
Joined
Jan 6, 2004
Messages
5,764
jilly said:
but isn't the admin cp secured by our license number now? won't that be a bigger stop than SSL? (I don't know much about SSL)
No,

Are you thinking about when you upgrade?
 

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
I was thinking about the use of SSL for user log-ins. User control panel stuff for sites that might need added security for their members.

I didn't know if anyone had used the SSL of their site to encrypt and protect the info of their users for them?
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
In order to use SSL for logins, you would have to edit any links to https://www.yourforum.com/login.php. That is basically it. The browser and server handle the rest. Most scripts should automatically adjust.
 

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
Ahhh, this was easy since I had SSL on my server already. I checked it by using https for my log in and control panel links and voilà! The SSL functions at that point and within the control panel. Means I could have a link for "secured log-in" for my members. ;)
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
jilly said:
but isn't the admin cp secured by our license number now? won't that be a bigger stop than SSL? (I don't know much about SSL)
No, I don't think the license number is an extra security for the control panels on your site. Only the install/upgrade scripts use this.

Ogden2k said:
I don't think you have to go as far as using SSL. htaccess does the job.

Yes, I use .htaccess/.htpasswd on a per user basis for the admincp/ and modcp/ directories.

And I have renamed these directories, so automated hacking scripts will end up with a 404 which redirects them back to the forum index.

I think the control panels use https:// and telnet/ssh access is restricted to the person who owns the system.
 

Malice

Aspirant
Joined
Feb 5, 2004
Messages
35
I would love to see a site implement it, but I don't think it's truly realistic at times...
 

Anonymous

Habitué
Joined
Jan 6, 2004
Messages
1,319
If I'm not mistaken, when you set up SSL you have a separate root folder that is served on port 443, https. You'd literally have to split the site and use a bunch of redirects between https and http. For vB I believe it's all or nothing on SSL without a monumental mod. A secure login page only is like a warm blanket at best.
 

Malice

Aspirant
Joined
Feb 5, 2004
Messages
35
noppid said:
If I'm not mistaken, when you set up SSL you have a separate root folder that is served on port 443, https. You'd literally have to split the site and use a bunch of redirects between https and http. For vB I believe it's all or nothing on SSL without a monumental mod. A secure login page only is like a warm blanket at best.

Yup...
You basically would have to be pushed to a secured server...away from the regular web box your board is logged on.

NOW...some people would then think...why not make the entire board secure...that benefits the users as well....humm...
 

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
I have SSL working on my site and can easily create a "secured log-in" just by altering the url to the cpanel for the members. I have SSL mirroring the public html directory.

I don't want to use it across the whole site but for sites that need more security, it certainly works.

My ssl kicks in for my members when they are upgrading their membership in subscriptions within their control panel. ;)
 

Anonymous

Habitué
Joined
Jan 6, 2004
Messages
1,319
I don't understand that one bit, but the fact is a secure login page is really useless. Either the whole session is secure or it's not. You don't pick and choose where the encryption kicks in and expect to be secure on a cookie driven site.
 

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
I don't understand it either. But the truth is..it works. They can log in anywhere normally...but when they want to upgrade and provide CC info, the SSL begins while they are within their control panel and their cc info is encrypted.

I was told that my users could log in using the https for the control panel for complete security to all their options. I don't use it...Don't see the need at this point. But it's essential to processing credit cards. ;)
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
noppid said:
If I'm not mistaken, when you set up SSL you have a separate root folder that is served on port 443, https. You'd literally have to split the site and use a bunch of redirects between https and http. For vB I believe it's all or nothing on SSL without a monumental mod. A secure login page only is like a warm blanket at best.
You can point the HTTP Root for Port 443 directly to your standard webroot. There is no rule that says it has to be a different directory.
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
noppid said:
I don't understand that one bit, but the fact is a secure login page is really useless. Either the whole session is secure or it's not. You don't pick and choose where the encryption kicks in and expect to be secure on a cookie driven site.
The difference is that what is sent in forms is encrypted. I do agree that the entire session would have to be encrypted for the benefits to work and you just access everything from https:// (i.e. port 443) and it will all be encrypted by the SSL protocols.
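
Added example, not part of the original thread or any poster's code: a small Python model of the point debated above, that on a cookie-driven site an HTTPS login page alone leaves the session cookie travelling in cleartext on later HTTP pages. The cookie name, cookie value and page paths other than the hostname are constructed for illustration, and the path check is a simplified prefix match.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a login response might send them.
WEAK = "session_id=abc123; Path=/"                      # no Secure flag
HARDENED = "session_id=abc123; Path=/; Secure; HttpOnly"

# Constructed page requests made after the login response set the cookie.
MIXED_SESSION = [
    "https://www.yourforum.com/usercp.php",
    "http://www.yourforum.com/index.php",
    "http://www.yourforum.com/showthread.php?t=1",
]
ALL_HTTPS_SESSION = [u.replace("http://", "https://") for u in MIXED_SESSION]


def trace(set_cookie_header, urls):
    """For each URL, report how a browser would treat the session cookie.

    encrypted   - cookie sent inside the SSL/TLS connection
    cleartext   - cookie sent over plain HTTP, readable on the wire
    withheld    - Secure cookie not sent over HTTP (user looks logged out)
    out-of-path - cookie does not apply to this URL
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    _, morsel = next(iter(jar.items()))
    secure = bool(morsel["secure"])
    cookie_path = morsel["path"] or "/"

    report = []
    for url in urls:
        parts = urlsplit(url)
        if not (parts.path or "/").startswith(cookie_path):
            status = "out-of-path"
        elif parts.scheme == "https":
            status = "encrypted"
        elif secure:
            status = "withheld"
        else:
            status = "cleartext"
        report.append((url, status))
    return report


if __name__ == "__main__":
    for label, header, urls in [("weak cookie, mixed session", WEAK, MIXED_SESSION),
                                ("Secure cookie, mixed session", HARDENED, MIXED_SESSION),
                                ("Secure cookie, all HTTPS", HARDENED, ALL_HTTPS_SESSION)]:
        print(label)
        for url, status in trace(header, urls):
            print(f"  {status:<10} {url}")
```

With the Secure flag set, the HTTP pages never receive the cookie, so the member appears logged out there; only serving the whole session from https:// yields "encrypted" on every request.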
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
Malice said:
Yup...
You basically would have to be pushed to a secured server...away from the regular web box your board is logged on.
This would only take effect if you are using a shared certificate provided by an inept hosting provider. There is no reason for this to be standard practice.
 