Secured https

**waherne** · 09-21-2003, 06:09 AM

Hi all,

How does one go about securing their website using Jaguar's shared certificate - is there any simple guide?

Also, will visitors to my site get any warning messages when browsing secured pages or when logging in to the site?

Willie

**jason** · 09-21-2003, 04:25 PM

All you need to do is find your secure url on the network status page. It will be something like hostXX.nocdirect.com or hostXX.u-build-it.net. You need to use that as the base for anypages you want to be secure. The actual URL you'd use is

http://hostXX.nocdirect.com/~USER/page.html or
http://hostXX.u-build-it.net/~USER/page.html

(replace the XX with the number on the network status page and USER with your username)

You users won't get any kind of error or warning when doing this, but your URL will of course change to something that isn't yours which can make some users a little suspicious aboput submitting info.

Another free option is to have support install a self-signed certificate for your site. In this case you'll get a certificate for any domain name yoou want (www.yourdomain.com, secure.yourdomain.com, etc), but you will get a browser warning when you load a page or submit info to that URL. Self signed certificates are mainly useful when you are setting up your site and want to test your secure links before you purchase a third-party certificate.

Of course, the third option is to just buy a third-party certificate and have support install it. I think JPC can even sell on Comodo cert starting at about $50/yr.

--Jason

**waherne** · 09-22-2003, 01:58 AM

Thanks Jason,

Would you or anyone else be able to see such a secured site in operation?

Willie

**jason** · 09-22-2003, 05:37 AM

I'm not sure what you're asking. Are you refering to a site with a self-signed certificate? If so, you can see my site at https://www.interbrite.com. I had a self-signed certificate installed last year so that I could do some testing with of some stuff that I wanted to secure while using my domain name instead of the shared one. Of course I never got around to developing it...

With the self signed certificate anything transmitted between you and the server gets the same 128-bit encryption that a third-party cert or the shared cert will give you. The reason for the warning is because the certificate is not issued by a trusted source. When a third-party certificate authority issues a cert, they are verifying that they are giving it to a legitimate entity, enabling the site's user to feel confident that they are submitting thier info to whomever they expect to be. When you issue yourself a certificate, as is the case with a self-signed cert, you can say you are anyone you want to be, therefore the end user can't trust the authentity of the certificate.

--Jason

**waherne** · 09-22-2003, 06:49 AM

Thanks Jason, it's good to see the self signed cert in operation.

Would anyone here be able to show me the first hostxx shared cert option in use?

Also, do these certs secure data held in emails generated by PHP - say to send out passwords to a user where the password is lost?

Willie

**jason** · 09-22-2003, 11:47 AM

To see my site in action using the hotXX method, to to https://secure17.u-build-it.net/~interbri. There is nothing special to do to get this working, its a default thing on your account.

These certificates only protect data sent between the server and a user's browser. They don't secure email. It is possible to create GnuPG keys in CPanel which can be used in securing email. GnuPG is the open source variation of PGP. MEssages that are GnuPG encrypted need to be decrypted when they reach the recipient. To use them requires the user to have GnuPG configured on his computer and make his public key available to you. Unfortunately, in email there is no "passive" security option as there is when you use HTTPS, because the web and email protocols are implemented differently.

--Jason

**runaway2** · 09-27-2003, 09:08 AM

What about using SSL for accessing pop?

**jason** · 09-27-2003, 11:56 AM

Originally posted by runaway2
What about using SSL for accessing pop?

I'm not sure that it is supported. Has anyone tried this?

--Jason

Ron · 05-28-2004, 11:03 AM

Originally posted by jason
I'm not sure what you're asking. Are you refering to a site with a self-signed certificate? If so, you can see my site at https://www.interbrite.com. I had a self-signed certificate installed last year so that I could do some testing with of some stuff that I wanted to secure while using my domain name instead of the shared one. Of course I never got around to developing it...

I get that same warning every time I go into my CPANEL through port 2083.... is this expected behavior? Or should I say... does everyone else get that if they use https://www.domain.com:2083

Thanks

**Connie** · 05-28-2004, 11:17 AM

Originally posted by Ron

I get that same warning every time I go into my CPANEL through port 2083.... is this expected behavior? Or should I say... does everyone else get that if they use https://www.domain.com:2083

Thanks

I Think that is normal. I get for all my sites. I think the reason is that the SSL for the servier is not your domain name.

Ron · 05-28-2004, 11:33 AM

Good point... it may not be the non-trusted warning that I get, it may be the non-domain match...

**jason** · 05-28-2004, 11:57 AM

You're seeing at warning when you access CPanel over SSL because the certificate that is being used isn't signed by a trusted Certificate Authority. The transmission will still be encrypted, but the legitamacy of the site can't be authenticated by the browser. Rremeber, certificates server two purposed: 1) to protect data and 2) to ensure the end user that they are really sending information to the party they think they are (as opposed to someone running a phishing scheme or whatnot). Unless the browser sees that a CA that it knows is trustable issued the certificate it displays that warning so you'll be vigilant before sending confidential information.

--Jason

**Spathiphyllum** · 05-28-2004, 11:59 AM

When you use SSL, two warnings typically appear by default. One is a browser setting that you can toggle on and off that warns you that you are changing from HTTP to HTTPS protocols. The next warning is the certificate offer by the SSL secured site. You may or may not see this warning depending on whether or not you have accepted and installed this certificate at a previous time and the certificate has not expired. All certificates have an expiration date. Jags seemed to need renewing monthly but 1yr is more typical. If the webserver name is changed but a new certificate is not installed with that modofication, then the certificate will no longer be valid and you will get a warning. Same thing with an expired date. To find out more than you want to know, download and play with GnuPGP. You can create, install, modify, etc. your own signed certificates.

**Eric Pauker** · 05-28-2004, 12:16 PM

Originally posted by jason
All you need to do is find your secure url ...

http://hostXX.nocdirect.com/~USER/page.html or
http://hostXX.u-build-it.net/~USER/page.html

...You users won't get any kind of error or warning when doing this, but your URL will of course change to something that isn't yours which can make some users a little suspicious aboput submitting info.
...
--Jason

Every computer I have ever tried that on gives me a warning that the certificate was issued by a company that I have not chosen to trust. They have all been using either Internet Explorer 6 SP1 or Mozilla (don't know the version).

**Spathiphyllum** · 05-28-2004, 12:34 PM

Well, if you really want to disable these warnings, though I wouldn't recommend it since it is for your own good, you can tweak by performing the following:

Mozilla || Edit->Preferences->Privacy/Security->Certificates
IE || Tools->InternetOptions->Advanced->Security(last option in hierarchy with several toggle switches)

LinkBack

Thread Tools

Display

Secured https

Bookmarks

Bookmarks

Posting Permissions