SSL Startup

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Post by icesolid »

When it comes to site security I must admit, I am not the best at it. I currently just make use of sessions with md5 encrypted passwords to log users in and out of my web site and to secure my web site.

I was thinking about getting into SSL encryption but not quite sure how to go about getting started with SSL and PHP.

I have read through verisign.com's information packets and pricing and things like that, but that much I understand. I am more looking for some examples or processes of using SSL in PHP. I have modssl installed on my server so I figure I am ready to go.

Do I need just one certificate to protect my site? How does this affect each one of my pages? How does this affect my login process? How do I just install this thing so the directories I want are protected?

Tips/Suggestions, some verification example code would be excellent.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It only affects how your pages are processed by requesting clients (and the security level they communicate to the user); it doesn't really alter the security of your server much beyond the traffic being encrypted. Honestly, that's only a small part of security. The major stuff works whether you're running SSL or not.
icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Post by icesolid »

So using PHP sessions and encrypting passwords is a good security practice. SSL just helps encrypt the transfer of the data?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That's all SSL is for. It doesn't secure your pages. It simply secures the information transmissions between locations. Your scripts are still as vulnerable to attack as ever.
icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Post by icesolid »

That's good to know. Maybe I won’t spend the ridiculous amount of money it costs to have an SSL certificate through VeriSign then (I know of other cheap SSL certificates but just not sure if I should trust them (ex: GeoTrust)).

Well thanks for the advice again feyd.
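
Added example, not part of any post in this thread: a PHP login page that separates what SSL covers (the HTTPS check and the cookie flags) from what the script must still do itself (credential check, session handling). It assumes TLS terminates at the web server running PHP (e.g. mod_ssl), uses PHP's `password_hash()`/`password_verify()` for the stored password, and all function names, `SITE_HOST` and the sample account are hypothetical.

```php
<?php
// Added example; every name below is hypothetical. Needs PHP 7.3+.
const SITE_HOST = 'www.example.com'; // placeholder; never trust the Host header

// Transport layer: the only part SSL/TLS protects.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,  // session cookie is never sent over plain HTTP
        'httponly' => true,  // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Application layer: SSL does nothing here, the script must get it right.
function login(array $users, string $name, string $password): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['user'] = $name;
    return true;
}

if (PHP_SAPI !== 'cli') {
    if (!is_https($_SERVER)) {
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    start_secure_session();
    // Constructed sample account; a real site reads the stored hash from its database.
    $users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
        $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
        echo login($users, $user, $pass) ? 'Logged in' : 'Login failed';
    }
}
```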