The website I currently created isn't using a ssl cert. If I decide to buy and use a ssl cert for my website do I need to change any code on my website? My website is written in html, php and it has a mysql backend.
Or can I just purchase a new ssl cert and not change any code?
Thanks
The SSL connection is handled by the web server, the code running on top of it has nothing much to do with it. Your code should continue to run as is if the web server is configured sensibly. If you are hardcoding links using http://... somewhere or are otherwise somehow depending on the presence or absence of HTTP/HTTPS in your code, you may need to change these specific parts.
Related
I had built a website as a dashboard (using 000webhost) to change the data in mySQL database via php which was working fine right now. After that, I have a Unity WebGL build uploaded on itch.io which was working fine as well until it need to get data from the database via php. When I was intended to get the data via accessing php files store in the 000webhost server, I got the following error show up in the web console from the accessing website.
Mixed Content: The page at 'https://.itch.io/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://:54998/'. This request has been blocked; this endpoint must be available over WSS
The link I was using to access the php files was using https instead of http. I am still new to these area, I would like to know can I change the WebSocket endpoint to wss instead of ws? Do I need a paid plan to solve this? I did saw that the Single Hosting plan did offer free SSL certificate. Please help me, I am open for any suggestion/advice, Thank You.
The Websocket Server itself need to setup the SSL Certificate. If it doesnt, you need a reverse proxy like nginx or apache to handle the SSL and forwarding to the unencrypted ws:// websocket.
Anyway, the websocket should run on default port 443/80 as well, since many firewalls are blocking non default ports for security reasons. In this case you will need the reverseproxy if you dont have a dedicated IP for the websocket server.
Use socket.io. Most of the problems are solved and there is no need to do more.
var socket = io.connect('https://www...', {secure: true});
Site A uses an SSL certificate from Site B. I want my PHP code to connect to Site A over HTTPS using cURL, and I'd like that to be as secure as possible. (Note: I can't get Site A or B to change their setups).
One way I've gotten this to kind of work is to visit Site A in a browser, save the cert to the server, and point to that cert using CURLOPT_CAINFO (and set CURLOPT_SSL_VERIFYPEER to true). However, in that case I have to set CURLOPT_SSL_VERIFYHOST to 0 (because Site B's name is on the cert).
What I'd prefer to do is somehow tell cURL to allow the connection if and only if Site A is using Site B's cert (with Site B's name on it).
Is there a way to do that with PHP cURL or by changing a server setting? Or, is there some other PHP library that would let me do this as transparently as possible?
ADDED: this may or may not complicate matters, but I'm trying to load https://SomeSmallShoppingSiteIDontControl.com ("Site A"), which uses a cert valid only for SomeMajorShoppingSiteProviderIAlsoDontControl.com ("Site B").
I have just developed a credit-card processing form using Drupal, the form communicates with the Payway API (a payment processing API provided by my bank).
I have purchased an SSL certificate with my host, and I know have an HTTPS server on my hosting account. What do I do to make all my forms run through HTTPS? Sorry I am new to SSL and am completely clueless in this matter.
I've tried copying my drupal site into my httpsdocs folder but it runs extremely slow when I access it through https://
Any help or direct would be much appreciated.
One of the easiest ways to force HTTPS on a web server is through a .htaccess file on the root of your web server. Then you can apply HTTPS only to the folders you need.
If you are using Drupal, there is likely already a .htaccess file on the root of your website that you can edit. Here's a simple guide on what needs to be added to the file:
http://www.besthostratings.com/articles/force-ssl-htaccess.html
I have a program written in PHP, and I'd like to make sure that login pages etc. are all served over SSL. Is there any good start to finish tutorial for doing so?
Also, does this affect my code in any way, or is it just a matter of getting a SSL cert, and setting up a server correctly?
If your html code contains absolute urls ("http://my-domain.com/...") to:
stylesheets
images
javascripts
Browsers will complain "This page contains both secure and non-secure items".
Use relative urls if you can, or link to "https://my-domain.com/..." urls.
Use free certificates
You don't have to spend money to get valid SSL certificate:
Let’s Encrypt
Let’s Encrypt is a free, automated, and open Certificate Authority.
It depends on the hosting how easy this is to setup, it could be just a checkbox.
The process is well documented on https://letsencrypt.org/
StartSSL
For more traditional certificates, you can get a "StartSSL™ Free" from StartCom.
The site also contains information on installing the certificate.
Firstly a word of warning. if you are considering using SSL its because you have something to protect. Therefore take the time to understand what you are doing every step of the way. Security (not just SSL) is a minefield even for the experienced.
I don't know of any tutorials, but there are plenty of gotcha's you have to be aware of.
Rolling your own ssl cert for testing purposes is free, but you will need to install it on your server.
Most of the time your code does not need to be any different for an ssl page or non ssl as the code itself is ssl agnostic, but as Bob says you must be careful of things like images.
Also redirects can cause popups to warn the user of redirections.
To test if the code is being called from a browser using SSL check for the SSL flag $_SERVER['HTTPS'] this should be a non empty value if SSL is being used.
$ssl_is_on = $_SERVER['HTTPS'] ? true:false;
Personally I prefer to keep my SSL code in a separate folder altogether and use apache to direct all SSL connections to that folder. that way I can be confident a script that should be protected by SSL is not called from a non SSL connection.
If you are logging them in under SSL and then redirecting them to non SSL pages you may need to account for domains and cookies
for example I always use a different domain for ssl normally https;//secure.blah.com and then redirect them to the non secure domain http;//www.blah.com so your cookie domain will need to be blah.com the default is the full domain name which means cookies for secure.blah.com won't be sent to www.blah.com and therefore your users will never be logged in.
Don't use this technique if you use a shared domain name otherwise you could have a problem with cookie information being leaked.
DC
It should not affect your code. Add modrewrite rules to your Apache config. Yes, just obtain an SSL cert (you'll need to pay to have it signed by Verisign or another certificate authority).
I was wondering if any of you know if it is possible in javascript or php to test if a client has a specific client certificate installed in the browser.
The thing is that we have a server certificate installed but to be recognized by the clients, they need 2 client certificates that make them recognize the authority of the issuer of our server certificate. We would like to test the browser for these 2 certificates, if there are not there, we want to propose the client to download them before to enter in https mode...
Anybody can help? Please detail your answer if you know one.
You can do it client side by using javascript to request a known file from a secured (https) source. if the request fails then it means the client refused to accept your certificate (or another network error) at this point you could popup a message to ask the user to install the root certificate with a link to the root certificate.
This must be done from a non secure page. otherwise the user may refuse your certificate and never load the page to start with and therefore your javascript never runs
It can't be done in PHP because php (which is server side) cannot determine whether the client browser has a particular root ca installed
I however would not do this. get a proper certificate instead.
You appear to have insufficient understanding of how SSL works in general. I suggest spending some time understanding how SSL works and how certificates are used.
DC
to learn about sending and receiving http responses with javascript read this page..
http://www.w3schools.com/XML/xml_http.asp
It can be used to send and receive any text data, not just xml. It is real easy to implement but you must be aware of browser version issues.
DC
what about a warning message that will be hidden by a javascript which will be loaded from your https site.
in the warning message you can link the windows update site or wherever the updated root certifcates can be downloaded to their browser.
PHP is a server side language. If you really want to test this then you need to do it with JavaScript and then send back an AJAX request to PHP.
But I think there is another solution to your problem. Normally when a CA change their name etc. they have usually new "Intermediate Certificates" you can use. (If you have an apache httpd server then you can search for "ca bundle" on their website as well.) With this bundle you can send the new CA certificate along with your certificate.
Forcing your users to download and install a homegrown CA certificate is ugly and hateful. Instead, show them the love and pay the $30 US to get an SSL certificate signed by a reputable, already trusted, CA.