how secure is yahoo ssl?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

how secure is yahoo ssl?

Post by iknowu99 »

i'm developing a security system and would like to know, for the yahoo small business service i signed up for, what would be more secure the ssl yahoo provides or the htaccess suggested by others on this board?

goal is to have one directory that is protected by one username and password.
User avatar
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: how secure is yahoo ssl?

Post by andyhoneycutt »

SSL and .htaccess are two very different concepts. A .htaccess file can provide username/password protection to a directory or directories, SSL is for ensuring the safe transmission of data between two parties by way of encryption. So, to answer your question in short I would suggest you go with .htaccess for username/password protection on a directory.

-Andy
User avatar
pcoder
Forum Contributor
Posts: 230
Joined: Fri Nov 03, 2006 5:19 am

Re: how secure is yahoo ssl?

Post by pcoder »

To fulfill your goal why do you need SSL?
You do not need to go throught the SSL.
As andyhoneycutt said, go through the .htaccess you will get your solution.
User avatar
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: how secure is yahoo ssl?

Post by iknowu99 »

with .htaccess I dont get one thing, what do i actually put in the index page?

It seems like a meticulous process where a slight mistake will allow for intrusion....
User avatar
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: how secure is yahoo ssl?

Post by andyhoneycutt »

the .htaccess file should reside in or above the directory you wish to protect. Apache looks for .htaccess whenever it tries to access a directory. It's a fairly straight-forward process and while nothing is guaranteed to protect you 100% of the time, it's better than nothing especially if it is your only option. I've used .htaccess and not had any (successful) attacks on my projects.

Here is an online tool you can use to build your .htaccess and corresponding .htpasswd file(s).

-Andy
User avatar
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: how secure is yahoo ssl?

Post by iknowu99 »

Andy,

I'm still not getting the part where I ask users for the password. I do plan on distributing the password - and this will be the members area. I created the .htaccess and .htpasswrd files and placed them in http://www.mysite.com/protect_this/
so everything i place in "protect_this" directory will be password protected from what i understand. how about the index.html file that's in http://www.mysite.com? how do i edit the index.html file so it gives members access to the http://www.mysite.com/protect_this/protected.html file (which is members area/password protected)?
User avatar
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: how secure is yahoo ssl?

Post by andyhoneycutt »

I would put the .htaccess and .htpasswd files in the directory you wish to protect and have your portal page above that directory linking them to the member area, or redirecting them to the member area. The user's web browser should prompt them for the username and password when they try to access the access-protected directory.

-Andy
User avatar
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: how secure is yahoo ssl?

Post by iknowu99 »

I hear you, I don't get the "user's web browser should prompt them for the username and password" part. Is this html code? maybe forums involved, i'm still learning the basics....

also if the password is encrypted in .htpasswrd file, it will be fine if user writes the normal password? i heard this md5 program is good one....
User avatar
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: how secure is yahoo ssl?

Post by andyhoneycutt »

All .htaccess does is request credentials from the end user. What this means, and how it works, is that Apache (the web server providing service to your users) tells the end user that they must supply credentials. It's a commonly accepted engagement and all modern web browsers support it naturally. You have nothing more to do as the developer than supply the proper .htaccess and .htpasswd files in the proper way and your designated path will be password protected.

md5 is a very good algorithm for one-way encryption. I'm by no means an encryption expert, or Apache-admin, so if you need much more information than this you might wish to look at some documentation on Apache's website.
User avatar
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: how secure is yahoo ssl?

Post by iknowu99 »

"Yahoo! does not currently allow you to upload .htaccess files to your account."

boooooooooo!
Post Reply