I know there were other posts about SSL. But I have some of my own questions about it.
So far I know that SSL only secures the data transmitted from server to client and vice versa. What I don't understand about that though is: what's the purpose of having encrypted data like that; do I need this; do credit card companies require this?
Also I've come to find that I need all pages to be using the https protocol and if an image or script, that is included in that page, to have that protocol as well.
This is a bit compelling as I don't know how to go through my whole site, change all the links, images, (et cetera) without pulling some hair.
Also what's the point of having this when a client can manually browse to my site with the http protocol? For example, they say "Hey, let's go to such and such web site." They click on their address bar in their browser and start typing in the full address "http://www.suchandsuch.com" instead of just typing in "www.suchandsuch.com" or "suchandsuch.com" and letting the browser do the rest of the work... But wait, even then the browser would, probably, assume the protocol to be http.
So this results in another question of mine: How do I make sure my server only sends data through this secure protocol (https)?
Thanks for bearing with me on this post. I'd so much appreciate any help at this moment...
SSL
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: SSL
JellyFish wrote:
So far I know that SSL only secures the data transmitted from server to client and vice versa. What I don't understand about that though is: what's the purpose of having encrypted data like that; do I need this; do credit card companies require this?
If you are sending sensitive data (personal information, account information, credit information, etc.) and you don't want anyone monitoring your packets to be able to view this data in plaintext, then SSL becomes important.
Quote:
Also I've come to find that I need all pages to be using the https protocol and if an image or script, that is included in that page, to have that protocol as well.
Generally you will use relative links; however, in more complex systems I would have the URL created automatically for me in my views.
Quote:
Also what's the point of having this when a client can manually browse to my site with the http protocol? For example, they say "Hey, let's go to such and such web site." They click on their address bar in their browser and start typing in the full address "http://www.suchandsuch.com" instead of just typing in "www.suchandsuch.com" or "suchandsuch.com" and letting the browser do the rest of the work... But wait, even then the browser would, probably, assume the protocol to be http.
If the user wants to go out of their way to transmit data unencrypted then that is their problem.
Quote:
So this results in another question of mine: How do I make sure my server only sends data through this secure protocol (https)?
You can use the $_SERVER['HTTPS'] predefined variable to determine whether the page was accessed with SSL or not; if not, use header() to send them back to the encrypted page.
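One way to write the $_SERVER['HTTPS'] and header() check described in the reply above, as an added example that is not part of the original posts. The host allow-list and the function names are assumptions, and the Strict-Transport-Security header goes beyond the thread to cover the visitor who types http:// by hand on a later visit.

```php
<?php
declare(strict_types=1);
// Assumption: the host names this site is served under (placeholders).
const ALLOWED_HOSTS = ['www.suchandsuch.com', 'suchandsuch.com'];

// True when the request arrived over SSL/TLS. Apache sets HTTPS to "on";
// IIS sets it to "off" for plain HTTP, so a non-empty check alone is not enough.
function request_is_https(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// Build the https:// URL for the same page, or null when the Host header
// is not one of ours (it is client-supplied and must not be echoed blindly).
function https_target(array $server): ?string
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';   // fall back to the front page on anything unexpected
    }
    return 'https://' . $host . $uri;
}

function enforce_https(array $server): void
{
    if (request_is_https($server)) {
        // Tell the browser to use https for this host for the next year,
        // even if the visitor types http:// by hand.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    $target = https_target($server);
    if ($target === null) {
        http_response_code(400);
        exit;
    }
    header('Location: ' . $target, true, 301);
    exit;
}

// Call before any output; skipped on the command line where there is no request.
if (PHP_SAPI !== 'cli') {
    enforce_https($_SERVER);
}
```

If SSL is terminated at a load balancer or proxy in front of PHP, $_SERVER['HTTPS'] can be empty on every request and this check would redirect in a loop; in that setup the test has to use whatever the proxy is configured to pass instead.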
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
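Don't know how correct this is, but this should work:
Code:
RewriteEngine On
# Only match requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# Send the client to the same host and path over https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]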
Hi guys,
I would like to post just a few notes on that topic.
It happened to me to secure an application which was not supposed to run on a server with SSL support, and it took me a lot of time and effort to encrypt all form input and then decrypt it, so if you have the opportunity to use SSL, do it.
Note: Be careful about using SSL because it consumes more CPU than http, and if you have a page with some news you should not use SSL (use it only when a user sends any personal data to the server).
SSL is used by many systems that need to secure information (not only credit card companies but some e-mail services like Yahoo, etc.). It is essential to secure your information on the Web, and if it contains any user credentials it is a must.
JellyFish wrote:
So far I know that SSL only secures the data transmitted from server to client and vice versa. What I don't understand about that though is: what's the purpose of having encrypted data like that; do I need this; do credit card companies require this?
If you are sending sensitive data (personal information, account information, credit information, etc.) and you don't want anyone monitoring your packets to be able to view this data in plaintext, then SSL becomes important.
Quote:
Also I've come to find that I need all pages to be using the https protocol and if an image or script, that is included in that page, to have that protocol as well.
Generally you will use relative links; however, in more complex systems I would have the URL created automatically for me in my views.
Quote:
Also what's the point of having this when a client can manually browse to my site with the http protocol? For example, they say "Hey, let's go to such and such web site." They click on their address bar in their browser and start typing in the full address "http://www.suchandsuch.com" instead of just typing in "www.suchandsuch.com" or "suchandsuch.com" and letting the browser do the rest of the work... But wait, even then the browser would, probably, assume the protocol to be http.
If the user wants to go out of their way to transmit data unencrypted then that is their problem.
Quote:
So this results in another question of mine: How do I make sure my server only sends data through this secure protocol (https)?
You can use the $_SERVER['HTTPS'] predefined variable to determine whether the page was accessed with SSL or not; if not, use header() to send them back to the encrypted page.