Ask MetaFilter questions tagged with ssl

iPhone RSS reader that supports SSL and authentication?

aberrant — Sun, 30 Aug 2009 15:33:06 -0800

Anyone know of an RSS reader for iPhone that supports SSL and authentication, and does NOT use an online aggregator? I need an iPhone RSS reader that will handle SSL and authenticated feeds, but it can't use an aggregator (the feed credentials must stay on the iPhone). I've been searching for a while and haven't come up with anything. Anyone come across such an application?

SSH through the AS12880 / DCI Iranian government-run firewall?

thewalrus — Mon, 22 Jun 2009 20:54:42 -0800

Iranian firewallfilter: How to make SSH traffic not resemble SSH traffic, when examined by a deep packet inspection device (Ellacoya, Narus, etc)? Other advice on specific types of VPN from within Iran also welcome. I've been following the news about Iranian Internet censorship for a few years now, but obviously started paying more attention in the last couple of weeks. There's two interesting papers examining AS12880 (DCI)'s Internet transit from Arbor Networks:

Iranian Traffic Engineering

Deeper Look at the Iranian Firewall

Misc:

Robtex page examining AS12880's uplinks to the world

Rense page, strange changes in Iranian Internet transit

What I'm wondering specifically is methods which can be taken to make SSH traffic look -less- like SSH traffic. Assume that a person inside Iran has root on a European-colocated FreeBSD or Linux system (or root on a VPS/Virtual Machine) running the latest OpenSSH. The sshd would of course be listening for incoming connections on a nonstandard port, it could be any port, or multiple different ports. If I remember right OpenSSH now defaults to SSH2/AES but can also use Blowfish. Are there any methods that can be used to disguise the initial SSH handshake and packet headers? Any special tricks from the client software end, assuming that the client (OSX or Linux) can run any ssh client that will compile on it?

Is VPN traffic (Cisco, or Juniper-Netscreen SSL-VPN) less likely to trigger flags or get blocked than SSH?

Does anyone have firsthand or secondhand experience of Windows Remote Desktop / RDP 5.1 being blocked from within Iran?

SSL Client Certificates

banshee — Fri, 15 May 2009 08:45:51 -0800

Please help a noob with client-side SSL certificates. What is the process for generating SSL client certs? What kind of information is needed? Who generates them? I have a web server SSL cert installed (IIS), when users try to connect they are prompted to choose their client certificate from a list. (This is the behavior I want). The web server SSL certificate was issued by Entrust.net

SSL and compromised networks?

Busoni — Sun, 22 Mar 2009 14:01:55 -0800

Does SSL protect information even if the wi-fi connection is unsecured? Say a person is using an available wi-fi network, the source of which he doesn't know. It could be a generous neighbor, or a honeypot. If the person checks his email and his bank accounts, does it matter that the URLs begin with https://?

If the ethics of this question are problematic, consider the hypothetical case of "duplicated" public wi-fi hotspots, in which a hacker creates a network with a duplicate SSID.

Could the new google analytics be causing my SSL to be insecure?

TrueVox — Mon, 16 Mar 2009 04:01:06 -0800

Anyone familiar with making SSL work with Google Analytics and Drupal? I'm currently working on a website for work. I have my SSL cert installed, but when I try to connect securely, it keeps complaining that a part of the site is insecure. I finally think I've narrowed it down to the Google Analytics code we're using (it's the new, supposedly self switching code, not the old manual code). Is it possible that it's causing trouble because I have it in the "footer" section of my Drupal UI? If so, how else do I install it? Or am I WAY off base, and it's actually an issue some where else?

The site, for reference, is www.mailritevt.com.

Thank you in advance!

EV (Extended Validation) SSL vs Standard SSL Certificates

jakubsnm — Sun, 08 Mar 2009 20:53:44 -0800

EV (Extended Validation) SSL vs Standard SSL Certificates I would like to get an SSL certificate for my site to display and promote turst. I'm leaning towards an EV SSL even though they cost more expecially if I were to go with Verisign ($885/annum), I've done a little research and have found Digicert ($488/annum) to be much cheaper, technically they do exactly the same thing. What do you look for in an SSL? would a Digicert EV SSL satisfy you? Do you look for the SSL logo at the bottom of most sites when you plan on sending personal information?

Data And Money Exchange

kaizen — Thu, 15 Jan 2009 10:38:40 -0800

I need my customers to send me confidential data with a payment. I work for a regulatory agency that currently collects applications in paper based form with a physical signature including a check for payment. We would like to implement a industrial strength 'e-filing' solution. Where do I start? My Google-Fu and Delicious-Fu are failing me. I need to find information on 2009 best practices for capturing data ( e-forms, rest, edi ), identity management, security ( digital certs, etc ), and payment gateways ( direct debit, credit cards ). I also need to know what vendors are leading in these spaces. I am not really looking for a 'e-commerce' solution. I am looking for a 'secure electronic forms submission with payments and non-repudiation' solution. My company would need to host this in our data center. I would like to offer my customers multiple ways to submit and pay.

How to get an Iphone or G1 to work with my work

alkupe — Thu, 18 Dec 2008 09:13:55 -0800

I want to know what phone I should get to be able to use vpns and ssh to linux machines I'd be interested in using my phone to connect to my work vpns, then connect to some machines with an ssh client. I can't really figure out if either the iphone or the g1 can do this. One vpn is normal windows PPTP VPN to work network. The other appears to be the Firepass SSL VPN, where I go to some web page and login, then it opens a network connection on my PC. I don't know much about how this stuff works, but I'm happy to try to figure out any technical details.

How do I return an SSL URL from a non-SSL Apache?

vacapinta — Tue, 07 Oct 2008 04:28:33 -0800

Help Apache gurus! How do I setup a virtual host when SSL terminates before my Apache server? Hopefully this is easy since it seems like a common thing...

Here's the setup: Browser -> Load balancer -> Apache Server
The browser connects to the load balancer using https (https://www.example.com). But then the load balancer directs the request to Apache using http (http://host1.company.com). Fine.

Now, how do I use the virtual host directive to have Apache return an https url to the browser? If i just have:

<VirtualHost *:80>
ServerName www.example.com
</VirtualHost>

in httpd.conf then URLs are returned to the client as http URLs which doesnt work. Is this possible? Thanks!

Quoth the server, 404.

utsutsu — Fri, 01 Aug 2008 07:37:22 -0800

Apache and Tomcat strangeness... a page in my app throws a 404... but only when using SSL on a single server. I am having a very strange problem with one of my applications.

The skinny:

- The app is a Java JSP servlet web app running on a proprietary framework and tag library. It's something like a primitive and wonky version of Struts.

- The problem is that going to a certain page in the app gets a 404 but... ONLY on the test server and ONLY when SSL is used.

- It works fine on my machine locally, on another windows machine running tomcat, on our staging server which is solaris (just like the test box), and on the test box if I go to the HTTP address instead of HTTPS.

- Tomcat's catalina log give nothing strange.

- Apache's error log gives entries like the following:

[Thu Jul 31 10:37:53 2008] [error] [client 10.140.225.162] File does not exist: /usr/local/jakarta-tomcat-4.1.30/webapps/myapp/services, referer: https://mytestserver.ca/myapp/services/services.jsp?selServices=MyServices_f2

response when trying from Firefox:

Not Found

The requested URL /sao/services/changeRequestType was not found on this server.

Apache/2.0.49 (Unix) mod_jk/1.2.5 mod_ssl/2.0.49 OpenSSL/0.9.7d PHP/5.0.4 Server at mytestserver.ca Port 443

It looks to me like it is trying to find a /myapp/services/ folder? This folder of course does not exist. That URL ( /services/*) is mapped in my web.xml and has worked fine until now.

I do not have direct access to the servers in question, as I am only the developer. My knowledge of apache and tomcat configuration is very limited.

To my mind, the key question is why does it work on port 80, but not 443? Surely this must be a server config issue?

Any assistance is greatly appreciated and will save me from wasting more time spinning my wheels on this. I have googled to the best of my fu and have turned up nothing.

Help me find a sooper sekrit blog!

perrce — Wed, 23 Jul 2008 07:02:11 -0800

I need a private, secure blog that will store my posts in an encrypted form. Does one exist? I'm working with a distant team on a project, and I need a secure private blog to facilitate collaboration. The requirements for the blog are that it support user accounts, multiple authors, require logins by SSL (https:// vs. http://) (this could be enforced via plugin), store blog posts in an encrypted form, and of course I'd like the encryption/decryption to be seamless for my users. Up to this point we've been using the service at WideBlog, but it's not very flexible, and it's been a little flaky recently. We'd also prefer to have the blog on our own hosting to remove a layer of trust.

In my hunting around, I haven't had much luck. The biggest sticking point seems to be the requirement that posts be stored in an encrypted form. I've found some solutions that will "encrypt" passwords with MD5. But I want to encrypt more than just passwords, and the use of MD5 is itself a little questionable. I'm looking for something more along the lines of AES.

Does what I want exist?

STFU Firefox

DJWeezy — Thu, 17 Jul 2008 22:17:53 -0800

How do I tell firefox3 to stop checking ssl certs. I access many sites using self signed ssl certificates and up until now that was fine but now I have encounter two self signed certs that have the same serial number and firefox wont even let me add an exception. I cant even access the second site. How do i just tell firefox I don't care if a site is using a bad ssl cert.

Can I call an API on an ssl-encrypted page?

subpixel — Mon, 07 Jul 2008 18:20:36 -0800

Can an ssl-encrypted page call data from another site/domain via an API without compromising its encryption? I want to add a cool feature, but I don't want customers to encounter a warning that the page asking for their credit card info "contains both secure and non-secure items."

Am I being overly zealous about "proper SSL implementation?"

aydeejones — Mon, 30 Jun 2008 08:49:43 -0800

Am I being overly zealous about "proper SSL implementation?" We've been working with this new collections agency for a few months now. From the very beginning, I noticed that their PHP-driven website was not secured with SSL so I refused to use it and would instead manually encrypt data (256-bit AES) and submit it to them via email. My security concerns caused me to question the entire outfit, but I was informed about how reputable the company is, and how much better they would be than our current agency, etc.

They have a "Place Accounts" page on their website where you are expected to fill out a full-blown help-us-skip-trace form (including social security numbers) which was not secured. You also have the option of uploading CSV files. In either event, the page was not secured.

I asked them to implement SSL (and secure FTP, if possible). A month later, you go to their "Place Accounts" page and are told by IE "this page contains secure and non secure items..." The page itself was an https resource, but the "action" property of the form redirected to a non-secure URL, meaning that when you filled out the form (or uploaded the file) the transaction was not encrypted (correct?).

So I complained about this, and they changed the "action" property of the form to redirect to a secure resource, but then changed the way they link to the "Place Accounts" page, so that their "Place Accounts" page was once again a standard http resource, eliminating the "secure and non-secure items" warning from IE but giving the user no visual cue (no padlock icon, or https) that the site is secure.

I complained again; a month later we're back to an https "Place Accounts" page, the "action" property of the form is secure, but the page still contains "secure and non-secure items," which causes a warning, does not present a padlock icon, and therefore requires a careful user to scrutinize the source to truly know that the page is "secure enough." Sure, it's probably usable at this point, but this is sort of like dealing with terms and conditions that can change at any time; if I can't just glance and see a padlock, how do I know, each and every time I use the page, that it hasn't been tweaked and broken again?

At this point I feel I should inform them that their web administrator / developer is incompetent. Am I being overzealous? How should I approach this? I've been working with their IT manager who I'd expect should be able to communicate with the web team, but do I need to grab the bull by the horns and talk to these guys directly? Should it really be this complicated? Why not just secure the entire site and use SSL everywhere to eliminate all doubt?

I've explained what I'm looking for many times (the entire "Place Accounts" page should be secured in order to present the padlock icon and no warnings) and it seems they take an entire month to make a change and get back to me, and it's a different, less-than-ideal result each time.

I'm also curious about your general attitudes towards encryption of data in transit. I deal with HIPAA a lot, which contains "addressable" requirements for encryption. I am often told by different folks that my approach to security is paranoid; "nobody's going to intercept that file! That'd be too hard!" In the case of email there are plenty of ways to breach security without intercepting individual packets (i.e. guessing a webmail password), whereas in an HTTPS situation, there isn't a cheesy Yahoo account on the other end, and you're more specifically concerned about interception in transit.

This isn't the first business I've encountered that deals with confidential information yet can't seem to properly implement SSL. Back me up here or tell me how you see it. I don't want this to become chatfilter, but I need your help in calibrating my security perspective.

Getting a simple https folder to call my own

tinkertown — Thu, 05 Jun 2008 13:22:40 -0800

Is there a hosting service that will provide me a directory to put some simple https (SSL) content without a lot of $$$ and effort? Basically I want to drop 10 GIF files in a directory that can be accessed by an https:// URL. This would let me create customized buttons for my secure mals-e shopping cart without triggering the "unsecured content" message on browsers.

My hosting service is Dreamhost but they have a ridiculous series of hoops you have to go through just to get a simple https server, including getting a static IP and certificates. I recall years ago my old hosting service let you just switch out http with https in the URL and get the same content, which Dreamhost doesn't allow. I tried.

Again I just want to put 10 GIF images in a directory of my own and not be paying $200 and spend half the afternoon setting things up. What would be the best route for this?

Big numbers make my head hurt

cayla — Wed, 14 May 2008 11:19:50 -0800

Can someone help me understand the relationship between the bit size of an SSL certificate and the size of the session key used? (If any). Essentially, my question is this: Does generating a 512 bit certificate signing request limit the session key in any way? Or rather, is a 512 bit CSR capable of facilitating a reliable 128 bit session key?

I am usually pretty good at googling stuff like this, but I am striking out this time. Some of the pages I found indicate that the only thing that determines the session key is the capabilities of the web server and web client. Other pages indicate that a 512 bit CSR limits you to a 40/56 bit session key. Is there any hard rule on this?

For the purposes of this question, assume I have to use a 512 bit certificate. Also assume, I know about the mounting risks with 512 bit keys and that I know a 1024 bit key is much more secure.

(While I am on the subject, how does Verisign's mandatory 128 bit session encryption work? Is that a matter of signing the cert with only certain encryption protocols allowed?

I just heard about this for the first time the other day. Apparently, there is a standard signing process where the session key size fluctuates based on the connecting browser and there is an 'enhanced' cert that makes 128 bit mandatory. How is this any different than selecting 'require 128bit encryption' in IIS?)

Older version of Filezilla, or newer version of something else?

middleclasstool — Mon, 07 Apr 2008 06:00:11 -0800

Older versions of Filezilla? Or another freeware ftp client that can handle SSH and SSL? Hard drive got fried in a storm this weekend, and I'm currently reinstalling everything to the new drive. I was running Filezilla version 2 (I think 2.3.2), and it ran like a top. But I just tried installing the latest version in its place, and a couple of SSH connections don't work with it. They're returning "garbled packet" errors.

Googling reveals that they use puTTY for SSH, and that's where the error comes from. Checking with puTTY, they insist it's not an error, it's a server configuration problem, but there's no way I can get these servers reconfigured, and anyway the older software connected and transferred to them just fine. Also, I've tried the connection with two other non-free clients at work, and no problems occur. Argh.

So I've tried to find a download page for older versions of Filezilla client, and am coming up with nothing. Does anybody know where I can find either Filezilla 2, or -- even better -- can you recommend a freeware ftp client for WinXP that can handle both SSH and SSL transfers?

merchant account important for a site that might need to feel non-bargain-basement?

lorimer — Mon, 10 Mar 2008 23:27:50 -0800

Merchant account versus just paypal/google checkout, for a handcrafts site that will offer some high-end items (c. $20 to $180 range)? I want to sell my "fine handcrafts" online (from my own site, not through Etsy/etc.). I might sell other people's too, like an online high-end crafts gallery with sales.

My stuff has been selling well in person at some shows/fairs -- and I'm good with HTML -- but I have no experience with selling anything online.

For my existing sites, I have a web hosting package that happens to include one SSL certificate I'm not otherwise using (GeoTrust QuickSSL Premium Certificate).

The question is whether to consider getting a merchant account (and dealing with potential chargebacks, fraud, etc.), because I already have SSL... or to forget that and stick with just Google Checkout & PayPal as dual checkout options. Or am I missing some hybrid solution in the middle?

SSL Issues

missmagenta — Sat, 02 Feb 2008 07:01:12 -0800

I'm having problems re-installing an SSL certificate. It keeps giving me the old certificate. Here's the full story. My client wants to start processing credit card details so we bought an SSL certificate from Geo-trust and tried to install it and it didn't work - we found out that a week earlier, the server admin had installed a self-signed certificate for the server without telling us. (all the domains were on the same IP) so we got a new IP for the domain we wanted ssl on and regenerated the key, the csr and the certificate.

Still no joy. We were doing this through cPanel so I thought maybe it was cPanel that was at fault not the certificate. To test this I tried to make a self-signed certificate through cPanel and it didn't work. I got the server admin to give me root access so I could do it command line.

I checked the apache config and there was nothing about SSL in it so I added the SSLEngine On and the paths to the key and the certificate and restarted apache. That worked ok, but obviously we don't want a self-signed when we've paid for a trusted cert.

So I deleted the key, the csr and the cert (I know I didn't need to delete the key but I wanted a fresh start) and started again from scratch but this time using the real certificate (regenerated with the new csr). I checked the config file still had the paths in it and restarted apache but its still giving me the old certificate - how is this possible? That certificate shouldn't even exist anymore.

We're using apache 1.3.39 and some flavour of linux (no idea specifically which but I think its red hat)

The SSL log shows this:
[warn] Init: (secure.domain.com:443) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) I've googled it but I haven't found anything useful.

(oh and as to why the server admin isn't doing this - he's botched up so much lately the client doesn't want to trust him)

Certify me. Or at least the site.

Tuwa — Sat, 20 Oct 2007 14:12:35 -0800

I need a cheap, trustworthy, reliable certificate for a web application for a non-profit, and a walkthrough on how SSL is set up and used. I'm in process of wrapping up a web app (read: much further away than I think) to prepare it for transfer off my local machine to the webhost, and it's only just now occurred to me that I need a certificate to have encrypted connections.

Currently none of the pages are accessible without logging in, and the passwords are both hashed and salted, but all that's for naught if the username/password pair is sent in plaintext. And, after thinking about it a bit, I decided I wanted all traffic to and from the site to be encrypted. (It's a database of local volunteers: real names, mailing addresses, email addresses, phone numbers, etc.)

I've looked through these posts and found this thread, this thread, and this comment useful for finding cheap certificate sellers. From those discussions I'm leaning towards GoDaddy for the certificate, though I'm wondering if there's anything more than the controversies listed at Wikipedia that I need to take into account in dealing with them.

Also I'd need a for-dummies level explanation of how certificates are actually set up and used: are there any particularly good books, sites, threads, other resources that will walk me through the installation process and help me set up the pages so that they're encrypted? I've never done this before, so the simpler/more painfully clear the explanation, the better.

Finally, am I right in thinking that if I buy the certificate for the site, then there's no way to test it on my local server? (And so it would be best to put up the database with fake data in some test location, at least until I've got the SSL working properly? I imagine that, as with most of the rest of this project, it isn't going to be a quick and easy task.)

How can I use Google Maps on a secure page?

odinsdream — Thu, 05 Jul 2007 09:41:18 -0800

How can I include a Google Map on a secure page? I'm including a Google Map on a page where users can sign up for a service. The page is accessed via SSL, and before I included the map, the entire page was transmitted securely. Now, however, browsers complain that portions of the page (the map) are transmitted insecurely. I understand the user information is still secure, but my users probably won't.

How can I change this page so that the google map is still available and users may still interact with it, but the entire page is delivered via SSL?

Additionally, I had to change firewall rules for the users' subnet to allow access to google.com to load the map. Is there a way to rework this such that the server does the work of loading the map and presents it to the users?

Thanks!

What data types should I use SSL to pass?

Ulleskelf — Wed, 11 Apr 2007 01:10:23 -0800

What's acceptable and best practice when it comes to passing data in on websites securely and non-securely? I've always presumed finanical information should be passed securely, whilst names and address were OK non-securely? Am I right? I run an health condition community where people have to enter their names, addresses, DOBs etc. One member asked to be removed as we weren't using SSL for their profile information. I'm (reasonably) happy that we aren't, but am I wrong? And are there any published guidelines?

Secure? Don't bank on it.

musicinmybrain — Mon, 02 Apr 2007 17:29:44 -0800

Calling webbish folks: I'd like to make sure this form is as unsecured as it appears before I complain. More inside! So as far as I can tell this form is completely unsecured (which is kind of bad, as it encourages you to use your Social Security number). The page isn't encrypted, the lock icon doesn't appear even briefly when it's submitted (try arbitrary gibberish that won't validate server-side), and the form post action is not to a https:// address. It seems painfully ironic that a privacy choices form would itself be a security problem.

Before I complain to Wachovia, though, I'd like to make sure I'm not overlooking a way this form could be secure that I don't know about.

How do I encrypt my http traffic so my company can't read it?

Spoonman — Thu, 11 May 2006 11:51:23 -0800

How do I encrypt my http traffic so my company can't read it? Oh, did I mention SSL is no longer an option since they intend to decrypt all SSL traffic that passes through their proxies? My company places a lot of importance on information security, which is good. Internet access, which isn't universally available in the company, is limited to ports 80 and 443. I've recently learned that they intend to upgrade our current proxies to one that can decrypt, and allow them to inspect the contents of, SSL communications. There are a number of companies who provide such products. Since we're allowed by policy to access our private web-based e-mail, and this isn't going to change, I'm not comfortable with this at all. I have a Linux box on the outside, and on that I have CGIProxy and GNU HTTP-Tunnel . (Our primary hardware vendor puts their updates on an FTP site, this is how I am able to get them). These are both run over https, but I'm hoping to find a method that will allow all requests to be encrypted before they leave the browser so they can't be decrypted. Does anyone know of such a solution?

I'm thinking of a proxy that runs on my machine. That proxy will create an encrypted tunnel between itself and my external https server going through the company's proxies. My browser will be pointed at the local proxy, thus encrypting all traffic before it even gets to the proxy. If I use a sufficiently high enough level of encryption, their decrypter would be useless. Oh, and the company proxies require authentication, so it would have to support that as well. And, the proxies will only proxy http and https traffic. I've tried the ones that try to get ssh traffic out over 80, they don't work.

For those preparing to give me a lecture, you can spare me the ethics of doing this. I'm fully aware it would be a violation of policy. I don't care. Considering they're not even telling people they're doing it, I find this kind of behavior reprehensible.

Looking for a PHP e-commerce store and a decent SSL certificate

spinko — Fri, 05 May 2006 15:32:36 -0800

Looking for a PHP e-commerce store and a decent SSL certificate Right the story goes, I used to do everything in ASP. I now have a dedicated php Linux server and I want to move all my new clients to it.

Im currently using CandyPress (www.candypress.com) ASP store, which does a great job. I need to find a similar store in PHP (no OScommerce). Regarding prices the cheaper the better. Ill need to be able to customise the look and feel to meet my design.

Jizo (www.jizo.co.uk) looked like my cup of tea but its still in beta. Does anyone know any similar ones what do the same or close too.

My dedicated server doesnt have a SSL certificate, do you know any cheap ones that work well. I got a quote of $20 from my other developer but that was with his asp host.

Im moving everything to PHP because I have found that Windows servers are more expensive in the long run.

Thanks for your help in advance.