Supertex Posted July 21, 2015

I just noticed, while working with Stamps.com, that my admin is non-SSL. I am, however, using the HTPASSWD protection for the admin directory. Since the directory credentials and the site login credentials are the same, is it pointless to try to use SSL on the admin store login (assuming no encryption on the directory)? Or is it feasible to have the htpasswd encrypted as well?

I see addons / instructions to apply ssl to the admin login, but does that force the directory login to be encrypted also? I'm really in the dark about this. Can someone explain this for me?

osC v2.3.1 MySQL v8.0.32 PHP v5.6.40 Installed addons: . Attribute Sets Plus .. Create Account & Manual Order Maker .. Customer Testimonials 2.3.4 .. Customer Blacklist .. Dynamic Info Pages .. FedEx Web Svcs v9 .. Filtered Sales Report .. Generic Box .. Google XML Sitemap SEO .. Maximum Order Value .. Modular Front Page .. Monthly Sales & Tax Report .. Multiple Products Manager .. Must Accept Terms & Conditions .. Order Editor .. PDF Customer Invoice .. Price in Cart Only .. Product Sort/Order .. Product Sort in Cart .. Quantity Discounts .. Restrict Delivery Methods .. SEO Header Tags - Reloaded .. Separate Pricing Per Customer .. Simpler Admin Session Length Control .. Sitemap SEO .. Show Free Ship + Modules .. Specials by Category for SPPC .. Store Mode (open|closed|maintenance) .. Store Pickup Shipping .. Theme Switcher .. Ultimate SEO URLs 5 Pro .. UPS XML Rates & Svcs 1.4 .. USPS methods 7.3.1 .. Who's Online Dashboard . Fixes: Add to cart -> 'product not found' : FIX Login issues with IE 11 : FIX Tools: Incredibly Handy: osC Xref

Jack_mcs Posted July 21, 2015

The admin should use ssl. The .htaccess password is not encrypted without it, but even with it, you need to force ssl or access may still be vulnerable. See this thread on how to do that.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons

Supertex Posted July 22, 2015

Thanks Jack. I've made all the http entries into https in the config. Just so I'm clear, this will force the authentication of the htaccess login to the admin folder to be encrypted, as well as the actual site admin login?

Jack_mcs Posted July 23, 2015

The encryption is handled by the ssl certificate. But if you don't force ssl to be used, it is possible to connect using http (non-ssl). If the admin configure file is set up to use https, then it redirects and a second login is requested. But by then you would have already transmitted the non-encrypted password. If you have it properly protected, if you try to use http in the url, it should display a forbidden page.
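
The check described in the post above, as an added example that is not part of the original thread: it classifies how a server answers an unauthenticated plain-HTTP request for the admin directory. The host `shop.example`, the `/admin/` path, the verdict labels and the sample responses are assumptions constructed for illustration.

```python
import http.client

def classify_plain_http(status, headers):
    """Verdict for the response to an unauthenticated http:// request."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        # The htpasswd prompt is served over HTTP: whatever the browser sends
        # back is only base64-encoded, so the password crosses the wire readable.
        return "EXPOSED"
    if status == 403:
        # The "forbidden page" outcome: HTTP is refused before any challenge
        # (on Apache, mod_ssl's SSLRequireSSL in the directory does this).
        return "FORCED"
    if status in (301, 302, 303, 307, 308):
        # A server-level redirect issued before the challenge keeps the
        # password prompt on HTTPS; anything else needs a manual look.
        if h.get("location", "").lower().startswith("https://"):
            return "REDIRECTED"
        return "CHECK"
    if 200 <= status < 300:
        return "OPEN"  # admin content served over HTTP with no login at all
    return "CHECK"

def probe(host, path="/admin/", port=80, timeout=10):
    """Send one GET over plain HTTP (redirects are not followed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_plain_http(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed sample responses (not captured from any real store).
SAMPLES = [
    ("directory login offered over http", 401, {"WWW-Authenticate": 'Basic realm="Admin"'}),
    ("http refused by the server", 403, {}),
    ("redirect before any login", 301, {"Location": "https://shop.example/admin/"}),
]

def run_samples():
    return [(name, classify_plain_http(s, h)) for name, s, h in SAMPLES]

if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{verdict:10} {name}")
```

Call `probe()` with your own store's host name to test the live admin directory; only `FORCED` or `REDIRECTED` means the directory password is never requested over HTTP.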

MrPhil Posted July 23, 2015

Password access control requires a visitor to enter an ID and password to gain access. SSL encrypts traffic between the browser and the server so as to make it difficult (for non-NSA, non-CIA types) to read the traffic. Both are part of the security solution: ID/password to control who gets in to use further admin functions, and SSL so no one can spy on you (including the ID and password). Neither is terribly secure by itself: without SSL, the ID and password can be seen (but otherwise no one can get in); without password access control, anyone can get into the admin side and use it to call up pages (no lock on the door), but no one in the network can spy on you. The osC ID and password add a little more security.

Archived
This topic is now archived and is closed to further replies.