BenPleysier
Community Expert
June 25, 2017
Question

Secure connection, what to do?

  • June 25, 2017
  • 3 replies
  • 3791 views

My client sees the following warning when he logs into a website created by me. The site allows proprietary information to be viewed/used, but does not pose a threat if an unauthorised person gains access.

Info held in a database includes name, address, location, phone and email. According to the Privacy Act, this info may not be divulged.

Should the client invest in an SSL certificate? If so, which level? Any recommendations?


    Teodor K
    Participating Frequently
    June 27, 2017

    The problem with this is not the site security, but that the information sent from the site to the server is not encrypted.

    So imagine the following situation:

    You are sitting in a cafe/airport/bar with free WiFi network. You are entering your login credentials / CC info etc. in a form on a non-https site. Every teenager with a little knowledge and interest in networking with a Linux distribution installed on his laptop could easily sniff all of the traffic in the network, which of course will result in stolen login details ... (don't tell me this could not happen, as these things happen more often than you think)

    I've done that just to demonstrate to people how easy it is to steal their login data in open WiFi networks, when they do not pay attention to where and what they are entering.

    That's why I always use a VPN, whose server I run in my home network, and connect to it every time I connect to a free WiFi hotspot....

    ---DMXzone | Wappler
    Brainiac
    June 26, 2017

    Unfortunately, redirecting to https:// from the standard http:// in your case will only result in a page with the message 'Your page is not secure'. I would ask your host how they have the server set up, because when I do that to any site I have produced I get a 'secure' connection, but it's obviously not an option set up by default by your hosting provider.

    Brainiac
    June 26, 2017

    This gets even more insane now that I have had a better chance to check the majority of the websites I manage. Some seem to have an SSL certificate associated with them, which until now I didn't know about, so I have no idea how they got those certificates unless they came as part of the hosting package by default... hmmm.

    If I use https to access the pages, parts of them are designated as unsecure; I guess those are links not using the https:// protocol. It's all a bit of a mish-mash to me when it comes to using a secure connection.

    Seems to me as though it would be a good idea for hosts to ONLY offer secure hosting to avoid the obvious confusion it creates.
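    The "parts of them are designated as unsecure" effect described above is the browser's mixed-content warning: a page served over https:// that still loads scripts, stylesheets, images or frames from http:// URLs. The following is an added example, not code from this thread, showing how to find such subresources in a page before the browser does. The HTML and host names are constructed for the demonstration; the function resolves relative and protocol-relative URLs against the page URL so only genuinely plain-http fetches are reported, and plain navigation links (`<a href>`) are deliberately ignored because they do not trigger the warning.

```python
"""Find subresources an HTML page would fetch over plain http://.

Added example (not the thread's code). The sample page below is constructed;
the host names are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs through which a browser fetches a subresource.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}

# <link> relations that cause the page itself to fetch the target.
FETCHED_LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon"}


class HttpSubresourceFinder(HTMLParser):
    """Collects (tag, attribute, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHED_LINK_RELS:
                return  # e.g. rel="alternate" is a hint, not a fetch
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            raw = attrs.get(attr)
            if not raw:
                continue
            # Relative and protocol-relative ("//cdn/...") URLs inherit the
            # page's scheme, so they are safe on an https page.
            absolute = urljoin(self.page_url, raw.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))


def find_http_subresources(html, page_url):
    """Return the list of subresources fetched over plain http."""
    parser = HttpSubresourceFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page mixing secure, relative and plain-http references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="stylesheet" href="/css/local.css">
<link rel="alternate" href="http://example.test/feed.xml">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://img.example.test/banner.png">
<a href="http://example.test/about">About</a>
<iframe src="https://maps.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_http_subresources(SAMPLE_HTML, "https://www.example.test/index.html"):
        print(f"mixed content: <{tag} {attr}=...> -> {url}")
```

    Run against the constructed page, it reports the stylesheet, the analytics script and the banner image, and nothing else: the protocol-relative script and the relative paths resolve to https, and the `<a>` link is navigation rather than a fetch.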

    Brainiac
    June 27, 2017

    pziecina wrote:

    @Osgood

    Found out possibly why Ben is seeing a warning in his log-in form, and you are not.

    Chrome from v56, (have not checked other browsers) implemented a not secure warning in the actual form fields for, password and credit card info, the following article adds more info -

    https://www.searchenginejournal.com/google-is-requiring-https-for-secure-data-in-chrome/183756/

    I think it was because I don't use input field type="password", as it IS the client who is inputting the 'sensitive' information in all of my websites, and would like to be able to 'see' what they are typing rather than just a series of bullets, which, if the password is quite complex, can be rather annoying. Even a lot of high-profile companies have the option of 'revealing' the password as you are typing it these days. Whether that is secure or not I don't know. Obviously if you are sitting in a public place like a cafe or library it might be a cause for concern, but if you're sitting in your own office?

    Also you can deploy a masked password field using JavaScript or jQuery. I don't know if the rather concerning message about the site not being secure goes away then; I'm investigating.

    It's as I thought. IF you use a password masking technique (replacing text with dots as you type) you can easily avoid the 'This connection is not secure' message popping up when someone clicks into a password form field. You just don't use the 'password' type; use the 'text' type and replace whatever is typed into the 'text' field with a series of dots as you type, so your password is concealed, if that's a concern.

    OK, it still means the website connection is not secure, but it's less alarming for clients, and all they will see is the tiny little 'i' icon in the URL bar, which they won't even notice.

    Just another puzzling attempt by browsers. Can't quite get my head around this one if it's so easy to avoid. If they are that concerned, which they seem to be, why not just open up a large modal window alerting one to the fact that the connection is unsecure, rather than trying to hide the fact under an almost 'invisible' icon which is part of the URL... mind boggles.

    pziecina
    Brainiac
    June 26, 2017

    The message is indicating only that the connection between the server(s) and the user's computer is not secure, which is all the use of SSL and https does. It has nothing to do with the actual security of the site itself, but only gives a sort of secure connection.

    An SSL certificate from a reputable signing company is relatively cheap now, but remember you will have to change any links and place all resources inside the secure folder. It may also be worth using HTTP/2 as this allows extra security, but its use will depend on no old browsers being used.

    The real security starts with the database and the site itself, as the database must be behind a secure firewall, and if possible not within the same structure as the site itself. I don't know about PHP's security coding, but if it is similar to C#'s then it often becomes a question of just how secure you wish to make it.

    Once you move into legal responsibilities to keep data secure, the term 'all reasonable precautions taken' is a minefield, and I have seen experienced programmers cry when their 'secure' code was hacked in a couple of minutes by a friendly hacker, whose job it is to check just how secure something is.

    BenPleysier
    Community Expert
    June 26, 2017

    Thank you for your reply.

    I have no problem with site (including DB) security; 'all reasonable precautions taken' does apply.

    My problem is based on the following remarks:

    • Information sent over the net, including username and password, can be intercepted.
    • With the exception of Admin logins, unauthorised access is not a deal-breaker because the info is not a security issue.
    • Admins have access to all DB content.
    • User login details may be used on a variety of websites; users rarely change their details internet-wide.

    Does this mean that site traffic should be encrypted?

    pziecina
    Brainiac
    June 26, 2017

    For the first item, information being intercepted over the internet, this is the real reason for SSL/https. Such interceptions, though, are rare, as they require direct hacking of the servers involved or splicing into the network. It's worth remembering, though, that https will give the site a higher search engine ranking if the entire site is placed within the secure folder. So there could be a positive involved with the cost of doing sites using https by default.

    The only item I would recommend regarding the info is to encrypt the email address in the database, as this is generally regarded as sensitive info. I don't know about Australia, but in Europe the loss of such data would certainly incur a fine if stolen from the database. The rest of the user data would depend on the 'all reasonable precautions taken' being proven by yourself and the site owner, for which the use of SSL will certainly be an advantage.

    One other item to remember is not to do a WordPress on the log-in page. I don't know if they still do it, but if one had the log-in info wrong, it would tell the user which one was incorrect, which is a definite do-not-do. A hacker in such circumstances would then know which item was correct, and could then concentrate on the incorrect item. Always use a general message that says the info is incorrect.
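    The last point above, a login form that must not reveal whether it was the username or the password that failed, is easy to get subtly wrong, because the response text is not the only channel: skipping the password hash when the user does not exist makes the unknown-user path measurably faster. The following is an added example, not code from this thread or from any of the products it mentions. It uses an in-memory user table (constructed for the demonstration) in place of the site's database, stores passwords as salted PBKDF2 hashes, and shows the leaky pattern beside the generic one; in the generic version both failure paths do the same hashing work and return the same message.

```python
"""Login check that never reveals which half of the credentials was wrong.

Added example (not the thread's code). USERS is a constructed in-memory stand-in
for the site's database; passwords are stored as salted PBKDF2-SHA256 hashes.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_ERROR = "The username or password you entered is incorrect."


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed sample user table: username -> (salt, digest).
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": (_salt, _digest)}

# Dummy record verified against when the username is unknown, so that the
# unknown-user path costs the same as a real password check (constructed value).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")


def login_leaky(username, password):
    """The pattern warned against: a different message (and timing) per failure."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username."          # tells the caller the user does not exist
    salt, digest = record
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return False, "Wrong password."            # confirms the username was right
    return True, "Welcome."


def login_generic(username, password):
    """Same message and same amount of work whether the user exists or not."""
    record = USERS.get(username)
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    # Always hash and compare, even for an unknown user, so timing does not leak.
    matches = hmac.compare_digest(hash_password(password, salt)[1], digest)
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "Welcome."


if __name__ == "__main__":
    for user, pw in [("alice", "wrong"), ("mallory", "wrong"), ("alice", "correct horse battery staple")]:
        print(f"{user!r}: leaky={login_leaky(user, pw)[1]!r}  generic={login_generic(user, pw)[1]!r}")
```

    The `record is None or not matches` test is the detail that matters: a guess that happens to match the dummy record for a non-existent user still fails, and the caller sees one message in every failing case. Logging the distinction server-side (unknown user vs. wrong password) is fine and useful for detection; it just must not reach the response.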