From: Michael J. F. <fo...@cl...> - 2005-03-23 22:38:18
Everyone:

Dale, thank you for checking into it and we'd love to hear any results. To
answer the other questions:

1. "Mike, isn't SSL open? And if so, then why would the stations even have
to buy it?"
   Yes. SSL is an open standard like HTML, XML, etc. A station does not
have to pay anything unless they want a signed certificate from Verisign,
Thawte or another. It is possible that a host might charge for SSL access.

2. Setup?
   Very easy. Only takes a few minutes and a number of Linux based Apache
distros come with it. Windows Apache does not; however, OpenSSL is a free
download with Win32 builds (you can check out my server:
https://wr.townhouse.clarkson.edu/npr [it might be slow because of
Clarkson's internet use policy garbage]).

3. Is it needed?
   Well, security is never needed. It is just a good idea. The only place
where it would be an issue is certainly the login (.htaccess is still sent
plain text so it would yield the same), any of the user administration, and
configuration sections.

4. Require it?
   Probably not. Although, we are going to strongly suggest it is used.
We can have a simple flag in the config that enables/disables SSL and would
send to the correct redirect.

5. Other Security in the program?
   All directories within the admin section (with the exception of the
admin section) will have .htaccess files denying all access. There is no
reason why someone would have to be in them while using the program and it is a
nice way to "get in" without logging in.

Thanks,
Michael J. Forte
Technical Writer / Web Designer / Web Host

Education
Clarkson University, May 2005
B.S. Technical Communications and B.S. MIS
GPA 3.56

Contact Information
Email: mic...@ho...
Campus Phone: 315-268-3731
Cell Phone: 315-882-1873
Per. Phone: 315-677-9076

_____
From: pmm...@li...
[mailto:pmm...@li...] On Behalf Of
Patricia Jablonski
Sent: Wednesday, March 23, 2005 4:54 PM
To: pmm...@li...
Cc: pmm...@li...
Subject: RE: [pmm-cms-developers] V2 Status - March 22, 2005
Hello,

Yes, I believe when I talked to Professor Horn about htaccess before
(correct me if I'm wrong) that he said with htaccess the password is
sent in the clear. But, he mentioned to me that besides that problem,
which would only be detected when the password is typed and if
someone was using a program like Ethereal, that it is unhackable. Like,
for example, the hidden .htaccess, .htgroup, .htpasswd, are not
accessible directly from the web (by typing in their file name) and the
password that is stored in the .htpasswd file is encrypted, so it is safe.
It is an OK way to quickly keep a directory restricted, but SSL, from
what I am learning about it would be better. Mike, isn't SSL open?
And if so, then why would the stations even have to buy it? That
doesn't make sense to me. Isn't installing SSL on a server just like
installing PHP, MySQL and Apache? Those are required for this project
(and others), so adding SSL should not be a problem, I wouldn't think.
It would be just like the PHP, MySQL and Apache requirement - pretty
necessary for security.

- Patty -
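
Added example, not part of either message or of the project's code: a Python sketch of two points raised in the thread. `parse_basic_auth` shows that the credentials a browser sends for an .htaccess (HTTP Basic) login are only base64-encoded, which is why the login needs SSL, and `https_redirect` models the proposed config flag. The function names, the protected path prefixes, the host name and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii

# Constructed sample: the header value a browser sends for an .htaccess login.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"station:example-pass").decode()


def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value.

    Returns None when the value is not well-formed HTTP Basic. No key is
    involved: anyone who can read the request can recover the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def https_redirect(ssl_enabled, scheme, host, path,
                   protected=("/admin", "/login")):
    """Model of the enable/disable SSL flag (hypothetical names and paths).

    Returns the https:// URL a request should be redirected to, or None when
    no redirect applies (flag off, already on https, or unprotected path).
    """
    if not ssl_enabled or scheme == "https":
        return None
    # Match whole path segments so "/administrator" is not treated as "/admin".
    if any(path == p or path.startswith(p + "/") for p in protected):
        return "https://" + host + path
    return None


if __name__ == "__main__":
    print(parse_basic_auth(SAMPLE_HEADER))
    print(https_redirect(True, "http", "cms.example.org", "/admin/users.php"))
```

With the flag off, `https_redirect` returns None and the Basic header above travels exactly as decoded here, so the flag only protects the login when it is enabled before credentials are requested.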