On 12/15/10 3:13 AM, krystal wrote:
> I have set up a test statusnet on a subdomain of my website, and I have
> questions about security.
>
> I'm new to statusnet and somewhat new to ssl and certificates from the
> admin side, so I'm not sure what exactly is needed. There are some pages
> that say something about https.. does this mean I need to buy a
> certificate for this installation?
>
> Most things seem to be working - users can sign up, change their pics,
> post.. what doesn't work without a certificate?
Nothing in StatusNet *requires* running on HTTPS; the options in the
admin panel are for adjusting how links to secure and non-secure
versions of resources will get generated if you do set up HTTPS.
As a general matter of web security though, I would *highly recommend*
that any web site which has any sort of account system should run
exclusively on HTTPS... the main risk you take running without it is
that your users' passwords and session cookies could be hijacked by
opportunistic attackers on public wireless networks, potentially
exposing information or launching a second-level attack on or through
your site once they have a privileged account.
How to actually get that set up will depend on your hosting provider; if
you've got a complete dedicated server or virtual host you can probably
set it up yourself (but will have to jump through a lot of hoops), while
other shared hosts may just not have a way to do it at all.
If you do set up HTTPS, be aware that you can either buy a certificate
signed by a major CA -- costs a little money and takes a little time --
or you can use a self-signed certificate, which is free but will
probably cause you and your users some inconvenience, as browsers and
some client apps will refuse to process the certificate without a lot of
manual confirmation (or at all).
-- brion
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
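A small check that follows up on the hijack risk brion describes: once a site runs on HTTPS, the session cookie should also carry the Secure (and HttpOnly) flag, or it will still be sent in clear over any http:// link. This is an added example, not StatusNet code; the HTTP responses and the PHPSESSID cookie name are constructed samples.

```python
"""Audit Set-Cookie headers for exposure over plain HTTP (added example)."""


def parse_headers(raw):
    """Split a raw HTTP response head into (status line, [(name, value)])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ':' in line:
            name, _, value = line.partition(':')
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookies(raw_response, served_over_https):
    """Return findings for cookies a passive observer on the wire could read."""
    _, headers = parse_headers(raw_response)
    findings = []
    for name, value in headers:
        if name != 'set-cookie':
            continue
        cookie_name = value.split('=', 1)[0].strip()
        # Attribute names after the first "name=value" pair, case-insensitive.
        attrs = {a.strip().split('=')[0].lower() for a in value.split(';')[1:]}
        if not served_over_https:
            findings.append(f"{cookie_name}: set over plain HTTP, readable on the wire")
        if 'secure' not in attrs:
            findings.append(f"{cookie_name}: missing Secure, will be sent on http:// links")
        if 'httponly' not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly, readable by page scripts")
    return findings


def redirects_to_https(raw_response):
    """True if the response is a 3xx redirect pointing at an https:// URL."""
    status, headers = parse_headers(raw_response)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else ''
    location = dict(headers).get('location', '')
    return code.startswith('3') and location.lower().startswith('https://')


# Constructed sample responses; not captured from any real site.
PLAIN_HTTP_LOGIN = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: theme=dark; path=/
"""

HTTPS_LOGIN = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly
"""

HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://status.example.org/
"""

if __name__ == '__main__':
    for finding in audit_cookies(PLAIN_HTTP_LOGIN, served_over_https=False):
        print(finding)
```

Run it against a captured response head from your own install (for example, the response to a login) to see whether the session cookie is protected.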