On 12/02/2013 05:43 PM, Dave wrote:
On Sat, Nov 30, 2013 at 2:04 PM, Glen Mazza <[email protected]> wrote:

Hi, for a Roller installation I'd like to secure the site so my login
password isn't being sent via cleartext, but at the same time not have the
entire blog on
SSL for performance reasons (blog readers will never log in, so if they
can use HTTP alone that would be good.)  I see these possibilities:

1.) Activate SSL for the login page only, and keep the rest HTTP-only.  Is
that doable with Roller, and would it provide sufficient security?  I.e., I'm
not sure if any cookies sent back and forth during subsequent edits would
create security problems akin to sending the password cleartext if those
cookies themselves weren't encrypted.

That would work and I think going all SSL is not a bad option these days.
However, you need to get a validated cert and that costs money on the order
of a couple hundred bucks last time I checked.


Just checked (https://www.openshift.com/content/custom-ssl-certificates-for-free-plan#comment-34188): for the freebie account, OpenShift apparently offers free SSL so long as we stick with the standard rhcloud.com address. That may be good enough for me.


2.) Use two URLs: use https:// for the entire site for myself only,
since I'm the only one logging in, but use cleartext HTTP for blog readers.
This could work, but I'm concerned any Google returns for blog articles
would point to the https:// and not the http:// URL.

Security experts warn against this, but I've seen it implemented in
production several times (with Roller) and nothing bad happened (that I
know about). Still, you have the cost of getting a validated cert. I'm not
sure of the status of our SSL enforcement filter (to force SSL for login
and password change pages). Maybe it is not needed and Spring Security
already has something?


Well, technically if I'm the only one accessing the SSL and if I can (?) redirect everyone to non-SSL, then I probably wouldn't need a validated cert because I'm the only one who would need to trust the website then. Any self-signed cert that encrypts traffic should do then.


3.) Use OpenID to authenticate -- this could(?) allow me to keep the blog
100% HTTP-only while keeping the third-party authentication on SSL.

This might be the best option because you don't have to buy a cert. The one
wrinkle is that we may have borked OpenID support with our recent
dependency changes, not sure tho.


It should still work; I tested it as part of the Spring Security upgrade.

I'll figure out something and blog it. Thanks Dave and Matt for your responses.

Glen
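The cookie concern in option 1 and the "SSL enforcement filter" Dave mentions come down to two controls: redirect the login, password-change and authoring paths to https:// while leaving the public blog on http://, and mark the session cookie Secure so the browser never sends it over a cleartext hop. The following is an added illustration of both, written as a plain servlet 3.0 filter plus a context listener; it is not Roller's own filter or Spring Security code. The path prefixes under SECURE_PREFIXES and the trustForwardedProto init-param name are assumed for the example, not Roller's actual URL layout.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet filter (not Roller's own SSL enforcement filter):
 * requests for login, password-change and authoring pages are redirected
 * to https://, while every other path (the public blog) stays on http://.
 */
public class RequireHttpsFilter implements Filter {

    /** Context-relative path prefixes that must be served over TLS (assumed names). */
    private static final String[] SECURE_PREFIXES = {
        "/roller-ui/login", "/roller-ui/profile", "/roller-ui/authoring"
    };

    /** Enable only when a trusted TLS-terminating proxy sets X-Forwarded-Proto. */
    private boolean trustForwardedProto;

    @Override
    public void init(FilterConfig cfg) {
        trustForwardedProto = "true".equalsIgnoreCase(cfg.getInitParameter("trustForwardedProto"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!arrivedOverHttps(request)
                && needsHttps(request.getContextPath(), request.getRequestURI())) {
            response.sendRedirect(httpsUrlFor(request));   // 302 to the same path on https
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** True when this hop was TLS, or a trusted proxy reports the client hop was. */
    boolean arrivedOverHttps(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        return trustForwardedProto
            && "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
    }

    /** Strip the webapp context path, then match against the protected prefixes. */
    static boolean needsHttps(String contextPath, String requestUri) {
        String path = requestUri.startsWith(contextPath)
            ? requestUri.substring(contextPath.length()) : requestUri;
        for (String prefix : SECURE_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Same host, path and query string, https scheme on the default port. */
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
            .append(request.getServerName())
            .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    /**
     * Servlet 3.0 listener that marks the session cookie Secure and HttpOnly at
     * startup, so the browser never sends it over plain http. This is what keeps
     * a post-login session from being as exposed as a cleartext password.
     */
    public static class SecureSessionCookieListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cookies = sce.getServletContext().getSessionCookieConfig();
            cookies.setSecure(true);
            cookies.setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

Map the filter to /* and register the listener in web.xml. Two consequences follow from the Secure flag: every page that depends on the login session has to be under one of the SECURE_PREFIXES, otherwise the session cookie is simply not sent over HTTP and the author appears logged out (the cookie is not leaked, it is withheld); and behind a TLS-terminating proxy, as on a hosted platform, request.isSecure() describes only the proxy-to-container hop, so either the container is configured to honor the proxy's forwarded-proto header or trustForwardedProto is switched on for that proxy alone.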

