Wedge

Public area => The Pub => Plugins => Topic started by: Bunstonious on September 24th, 2014, 07:35 AM

Title: Suggestion: HTTPS Login
Post by: Bunstonious on September 24th, 2014, 07:35 AM
Hi guys,

Just putting it out there, how easy / hard would it be to run only the login pages over HTTPS and the rest of the site through HTTP? Is there any benefit of that over running the entire thing over HTTPS?
Title: Re: Suggestion: HTTPS Login
Post by: Pandos on September 24th, 2014, 09:54 AM
What's the benefit of doing only https for the login?

The best would be to let your site running completely over https. Also Google implement https as a ranking signal for sites.

But you can always choose to redirect your users from your webserver to specific pages (.htaccess).
Title: Re: Suggestion: HTTPS Login
Post by: Nao on September 24th, 2014, 11:41 AM
AFAIK, if you're not in https, worst case situation is someone can steal your session ID, although I'm not sure it'd allow them to do a lot...
Login page in https means your hashed password is transmitted safely, but people can't steal your password itself, only your access to your account, which is barely better than getting a session ID.

Hmm, makes me think... Shouldn't we store two hashes for admins...? One hash for their account, and one hash for their admin verification (same password, different salt). That would probably make the whole thing even safer, I don't know..?

Regarding https, last week I spent a couple of hours configuring a free SSL certificate for wedge.org, until I realize, at install time, that it required to have a stand-alone IP, i.e. no virtual host, like wedge.org is using... Oops! So, that's a waste of a certificate for me, I guess... Unless I move to a server with a dedicated IP :-(
And I'm not ready to move yet, as I switched ISPs this month, and the new one has a shorter and faster path to alwaysdata.com, meaning the site is finally blazing fast for me... :lol: Unless the server was upgraded in the meantime, I don't know...
Title: Re: Suggestion: HTTPS Login
Post by: Nao on September 24th, 2014, 12:16 PM
Two more details...

- Yes, forcing the login page into HTTPS is probably possible, but I'm not willing to put work into that (because of the above mostly),
- And among the disadvantages of HTTPS are that it's slower. But AFAIK, HTTP/2.0 should be based off SPDY and has the secure flag enabled by default, so it should be as fast as HTTP/1.1 without the penalties incurred by HTTPS, I think. I'm not sure how SSL certificates will work for HTTP/2 though, since it's a PITA to build them, and dedicated IPs are a real problem on shared hosting, obviously...

:edit: Apparently, if you have no SSL certificate, then you can't use HTTP/2... Simple as that, uh.
Posted: September 24th, 2014, 11:45 AM

It's more complicated than that; apparently, nothing is set in stone regarding HTTP/2, so I'll just wait until something more concrete surfaces...
Anyway, I've just gone to the https version of wedge.org, and posting from it, and I'm happy to report that apparently it's working fine (once of course you get past the browser prompting you to accept the certificate as it's signed for alwaysdata, not for wedge.org).
Title: Re: Suggestion: HTTPS Login
Post by: Pandos on September 24th, 2014, 02:00 PM
Cool! :cool:
If you login via https, all your requests will be answerded from https.

So for me it makes sense to hash the admin with separate salts.

And yes. SPDY will be faster. There are several extensions for apache and other webservers to get the full benefit from SPDY (mod_spdy, etc).
Title: Re: Suggestion: HTTPS Login
Post by: Kian on September 24th, 2014, 10:22 PM
I've tried a while ago setting up my forum in full forced HTTPS with a certificate signed with a trusted authority. You can get one for free at https://www.startssl.com/

There was a very big turn down : people in forums use hot-links, for pictures. It's bad but they do it. And if you force your forum in HTTPS and the hot-links are HTTP, all navigators will warn you all the time about this being insecure with a mixed HTTP/HTTPS.

This is very annoying and there's nothing we can do about it. People can change this setting in their navigator but you cant expect them to do so.

I went back to HTTP for that single problem.

However, having the logon screen in HTTP is IMO possible, and without Nao doing anything ! You'll just need an HTTPS vhost for the signon and a rewrite rule and redirection on the HTTP vhost for the logon. Then, a redirection to the HTTP host. I'm pretty sure it's doable.
Title: Re: Suggestion: HTTPS Login
Post by: Kian on September 24th, 2014, 10:31 PM
Quote from Nao on September 24th, 2014, 11:41 AM
Regarding https, last week I spent a couple of hours configuring a free SSL certificate for wedge.org, until I realize, at install time, that it required to have a stand-alone IP, i.e. no virtual host, like wedge.org is using... Oops! So, that's a waste of a certificate for me, I guess... Unless I move to a server with a dedicated IP :-(
Nowadays, virtual hosting with HTTPS is possible, meaning you don't need a dedicated IP address.
The only problem is that it is not compatible with Windows XP + IE6.

https://fr.wikipedia.org/wiki/Server_Name_Indication
Title: Re: Suggestion: HTTPS Login
Post by: Bunstonious on September 24th, 2014, 11:17 PM
Quote from Kian on September 24th, 2014, 10:31 PM
Quote from Nao on September 24th, 2014, 11:41 AM
Regarding https, last week I spent a couple of hours configuring a free SSL certificate for wedge.org, until I realize, at install time, that it required to have a stand-alone IP, i.e. no virtual host, like wedge.org is using... Oops! So, that's a waste of a certificate for me, I guess... Unless I move to a server with a dedicated IP :-(
Nowadays, virtual hosting with HTTPS is possible, meaning you don't need a dedicated IP address.
The only problem is that it is not compatible with Windows XP + IE6.

https://fr.wikipedia.org/wiki/Server_Name_Indication
Yeah this is how I do it, and I roll with a Dynamic IP Address.

Plus I use StartSSL for my certs.

So what is exactly is sent from client to browser that could be intercepted by a 3rd party? (e.g. via a proxy or man in the middle)

PS: I think WXP + IE6 users need to not work, so they will upgrade.
Title: Re: Suggestion: HTTPS Login
Post by: Kian on September 24th, 2014, 11:19 PM
I would guess the login and password are sent in plain text from the browser to the server ?
Quote from Bunstonious on September 24th, 2014, 11:17 PM
PS: I think WXP + IE6 users need to not work, so they will upgrade.
Me too :eheh:
Title: Re: Suggestion: HTTPS Login
Post by: Bunstonious on September 24th, 2014, 11:20 PM
Quote from Pandos on September 24th, 2014, 09:54 AM
The best would be to let your site running completely over https. Also Google implement https as a ranking signal for sites.
I do that at the moment, guess I might keep doing it (and just test HTACCESS stuff on my test site).
Title: Re: Suggestion: HTTPS Login
Post by: Nao on September 25th, 2014, 01:30 AM
http://forum.alwaysdata.com/viewtopic.php?id=1091

Looks like alwaysdata isn't interested in sni. Even though lack of browser support would only result in a browser prompt... No biggie.

http://stackoverflow.com/questions/3011222/dealing-with-http-content-in-https-pages

It's doable. I could add a pass through function to wedge as suggested in the accepted answer...

As for redirects, yes it's also doable but not too practical...
Title: Re: Suggestion: HTTPS Login
Post by: Bunstonious on September 25th, 2014, 02:31 AM
Quote from Nao on September 25th, 2014, 01:30 AM
http://forum.alwaysdata.com/viewtopic.php?id=1091

Looks like alwaysdata isn't interested in sni. Even though lack of browser support would only result in a browser prompt... No biggie.
That's pretty lame, but their choice I guess (I would say it's all about the money).
Quote from Nao on September 25th, 2014, 01:30 AM
http://stackoverflow.com/questions/3011222/dealing-with-http-content-in-https-pages

It's doable. I could add a pass through function to wedge as suggested in the accepted answer...

As for redirects, yes it's also doable but not too practical...
The accepted answer, I read as it being downloaded to the server and then served via HTTPS via the server (which seems like a waste of bandwidth and could open up legal issues).

How it is at the moment is ok I guess, it was just a thought as plain text authentication is insecure.