
Supertex

https vs htaccess (htpasswd protect)

I just noticed, while working with Stamps.com, that my admin is non-SSL.  I am, however, using the HTPASSWD protection for the admin directory.  Since the directory credentials and the site login credentials are the same, is it pointless to try to use SSL on the admin store login (assuming no encryption on the directory)?  Or is it feasible to have the htpasswd encrypted as well?

I see addons / instructions to apply ssl to the admin login, but does that force the directory login to be encrypted also?

I'm really in the dark about this.  Can someone explain this for me?


The admin should use ssl. The .htaccess passwords are not encrypted without it, but even with it, you need to force ssl or access may still be vulnerable. See this thread on how to do that.


Thanks Jack.  I've made all the http entries into https in the config.  Just so I'm clear, this will force the authentication of the htaccess login to the admin folder to be encrypted, as well as the actual site admin login?


The encryption is handled by the ssl certificate. But if you don't force ssl to be used, it is possible to connect using http (non-ssl). If the admin configure file is set up to use https, then it redirects and a second login is requested. But by then you would have already transmitted the non-encrypted password. If you have it properly protected and you try to use http in the url, it should display a forbidden page.

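To make the "forbidden page" behaviour above concrete, here is an added example (not from this thread or from osCommerce) of an admin/.htaccess that shows the weak setup beside the corrected one; the paths and realm name are assumptions.

```apache
# Added example, not part of the original thread: admin/.htaccess
# AuthUserFile path and AuthName are assumed values.

# --- Weak: Basic auth plus a rewrite-based redirect to https ---
# In per-directory (.htaccess) context mod_rewrite runs in the fixup
# phase, *after* authentication. A plain-http request is therefore
# challenged for the ID/password first and only redirected afterwards,
# so the credentials have already crossed the wire unencrypted
# (Basic auth is base64, not encryption).
#
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# AuthType Basic
# AuthName "Store administration"
# AuthUserFile /var/www/private/.htpasswd
# Require valid-user

# --- Corrected: refuse plain http before any authentication happens ---
# SSLRequireSSL (mod_ssl) is evaluated in the access-control phase,
# which runs before the 401 challenge is issued. An http:// request
# gets 403 Forbidden and the browser never sends an Authorization
# header; only https:// requests ever reach the password prompt.
SSLRequireSSL

AuthType Basic
AuthName "Store administration"
# Keep the .htpasswd file outside the document root.
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Check: "curl -I http://shop.example/admin/" should return 403 with
# no WWW-Authenticate header; "curl -I https://shop.example/admin/"
# should return 401 with "WWW-Authenticate: Basic realm=...".
```

The osCommerce admin login that follows still needs HTTPS in the configure file, as Jack describes; the directive above only closes the directory-level (htpasswd) exposure.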

Password access control requires a visitor to enter an ID and password to gain access. SSL encrypts traffic between the browser and the server so as to make it difficult (for non-NSA, non-CIA types) to read the traffic. Both are part of the security solution: ID/password to control who gets in to use further admin functions, and SSL so no one can spy on you (including the ID and password). Neither is terribly secure by itself: without SSL, the ID and password can be seen (but otherwise no one can get in); without password access control, anyone can get into the admin side and use it to call up pages (no lock on the door), but no one in the network can spy on you. The osC ID and password add a little more security.
