Page 1 of 1

SSL Startup

Posted: Thu Jun 28, 2007 1:18 pm
by icesolid
When it comes to site security I must admit, I am not the best at it. I currently just make use of sessions with md5 encrypted passwords to log users in and out of my web site and to secure my web site.

I was thinking about getting into SSL encryption but not quite sure how to go about getting started with SSL and PHP.

I have read through verisign.com's information packets and pricing and things like that, but that much I understand. I am more looking for some examples or processes of using SSL in PHP. I have modssl installed on my server so I figure I am ready to go.

Do I need just one certificate to protect my site? How does this affect each one of my pages? How does this effect my login process? How I just install this thing, in the directories I want are protected?

Tips/Suggestions, some verification example code would be excellent.

Posted: Thu Jun 28, 2007 3:24 pm
by feyd
It only affects how your pages are processed by requesting clients (and the security level they communicate to the user) it doesn't really alter the security of your server much beyond the traffic being encrypted. Honestly, that's only a small part of security. The major stuff works whether you're running SSL or not.

Posted: Thu Jun 28, 2007 3:46 pm
by icesolid
So using PHP sessions and encrypting passwords is a good security practice. SSL just helps encrypt the transfer of the data?

Posted: Thu Jun 28, 2007 3:52 pm
by feyd
That's all SSL is for. It doesn't secure your pages. It simply secures the information transmissions between locations. Your scripts are still as vulnerable to attack as ever.

Posted: Thu Jun 28, 2007 3:55 pm
by icesolid
That's good to know. Maybe I won’t spend the ridiculous amount of money it costs to have an SSL certificate through VeriSign then (I know of other cheap SSL certificates but just not sure if I should trust them (ex: GeoTrust)).

Well thanks for the advice again feyd.