Client Wants HTTPS


Though I have been building and programming PHP websites for quite a few years now, I finally have a client that wants a secure website and is asking about SSL and HTTPS. I have never used HTTPS myself, though I have heard it is not a big problem.


The client's specific needs are that he wants to use a forum and/or chat room for his own clients so that they can discuss their international trading needs.


Can I use open-source forum software like phpBB and connect to it through an https URL? Will the forum (or any forum) keep the https connection as the user moves about the forum?


Anyone think it is a good idea to initially protect the forum by placing it inside a password protected directory and give the small groups of users their passwords to the directory?


I will appreciate anyone's comment on this matter. I don't want to promise the client something I cannot give.





Using a password protected folder would be a good idea, since HTTPS would only protect the data transmission between your clients and the server but anyone could still access the forums.


After that, you should only need to set the "Cookie secure" option to "Enabled" in the administration panel and you're ready to go.

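What the "Cookie secure" setting mentioned above changes in practice, as an added example that is not part of the original thread: a browser attaches a cookie marked `Secure` only to https requests, so the check below lists which cookies would still travel on a plain http:// request. The cookie names and header values are constructed sample data, not phpBB output.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def sent_over(scheme, attrs):
    """Browser rule: a cookie marked Secure is only sent over https."""
    return scheme == "https" or "secure" not in attrs


def exposed_on_http(set_cookie_headers):
    """Names of cookies that would travel unencrypted on an http:// request."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if sent_over("http", attrs):
            exposed.append(name)
    return exposed


# Constructed: session cookies as a forum might set them (names hypothetical).
SECURE_DISABLED = [
    "forum_sid=3f9c0a; path=/; HttpOnly",
    "forum_data=a%3A0; expires=Tue, 01-Jan-2030 00:00:00 GMT; path=/",
]
SECURE_ENABLED = [
    "forum_sid=3f9c0a; path=/; Secure; HttpOnly",
    "forum_data=a%3A0; expires=Tue, 01-Jan-2030 00:00:00 GMT; path=/; secure",
]

if __name__ == "__main__":
    print("Secure disabled, exposed on http:", exposed_on_http(SECURE_DISABLED))
    print("Secure enabled,  exposed on http:", exposed_on_http(SECURE_ENABLED))
```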

Don't want to poke any holes in anything, but...

It appears that your customer does not fully understand SSL or secure websites. The site itself and its data are not secured by the use of SSL and an https in the URL, even though the site has https in the URL. SSL and https only cover the data transmission from the client to the server and vice versa. Not the actual data on the server. This makes it difficult to decrypt the data should it be caught with a sniffer (read not impossible, but not worth it for most folks). To completely encrypt the data, you would have to install encrypt/decrypt software on the client machines and upload the data to the server in an encrypted form. Then, as the client was viewing the site, the local program would decrypt the data into a readable format.

This is a very secure method, but probably beyond what your client wants/needs/is willing to pay for. To give you an idea... I have only encountered 3 actual encrypted data sites in my lifetime. And those were 24-bit at best, but still unreadable to the normal person without some decrypt knowledge/technology.

What Raul said above is going to give you secure transactions during the course of interacting with the site using SSL. And a protected (read "not secure") area of the site for their discussions and interactions. This protection is only as strong as the passwords used, though, so enforce complex passwords if they are really that concerned about it.


Let us know if there is anything else we can help you with.


EDIT: Make sure that you instruct cache bots to not index the site or the areas with links to the protected area so no one knows it is there that shouldn't. This will lessen the possibility of bored kids trying to run crackers on it.

Edited by TCH-Glenn

Thanks Raul and Glenn.


Raul, do you mean the secure cookie setting in cPanel or in the phpBB administration? I have not used phpBB yet, so I am not sure if that is what you meant.


Glenn, I plan to use the no-cache meta and use a robots.txt that tells the robots not to follow. You are also right in that this client doesn't want to spend big bucks.


I want to re-ask one of my questions from above:


The BBS (like phpBB) would not have a problem using an https connection?


New Question:

Would there be any problems using the community SSL certificate, or should the client, in this case, get his own?


Bobby, I meant in the phpBB administration panel.


I don't think phpBB has any problem with HTTPS. I've seen posts about how to use it that way, on phpBB's official forums, so I'm supposing it has no problem at all.


Glenn, good points, thanks for reminding us about them :dance:

Edited by TCH-Raul

  • 2 weeks later...

The only problem you may encounter using the shared SSL from TCH is that some security levels within browsers will report a warning/failure because the site listed on the certificate does not actually match the domain name they are accessing. This warn/fail is OK, and can be ignored. You would just need to alert the clients that this will happen and to ignore it, but that the site is still using 128-bit SSL technology during their visit.

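The name check behind the browser warning described above, as an added example that is not part of the original thread: the browser compares the host in the URL with the DNS names listed on the certificate, and this comparison is what ties the encrypted connection to the site the visitor meant to reach. All host names are constructed placeholders, and only whole-label wildcards in the leftmost position are handled.

```python
from urllib.parse import urlsplit


def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # "*" stands for exactly one leftmost label, above a real domain
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_covers(cert_dns_names, hostname):
    """True if any name on the certificate matches the host."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names)


def browser_would_warn(url, cert_dns_names):
    """True when the URL's host is not named on the presented certificate."""
    host = urlsplit(url).hostname or ""
    return not certificate_covers(cert_dns_names, host)


# Constructed: names on a host-wide shared certificate (placeholders).
SHARED_CERT_NAMES = ["secure.sharedhost.example", "*.sharedhost.example"]

# Constructed: the same forum reached by the client's own domain and
# by the hosting provider's name that the shared certificate lists.
VIA_OWN_DOMAIN = "https://www.client-forum.example/forum/"
VIA_SHARED_NAME = "https://secure.sharedhost.example/~client/forum/"

if __name__ == "__main__":
    for url in (VIA_OWN_DOMAIN, VIA_SHARED_NAME):
        state = "warning" if browser_would_warn(url, SHARED_CERT_NAMES) else "ok"
        print(f"{url}: {state}")
```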
