I have an SSL cert installed.
I am still able to login to the backend on the http url.
It doesn't force over to https.
Is the backend just have vital pages under https?
And non-vital pages under http?
Or should I be logging in to the start page as the admin using https?
Admin Login Using https or http
9 posts
• Page 1 of 1
Admin Login Using https or http
by PatG » Mon Feb 08, 2010 5:25 pm
- PatG
- Posts: 34
- Joined: Sat Feb 06, 2010 1:03 pm
- Location: Winter Park, FL
by Jim » Mon Feb 08, 2010 5:31 pm
You should log in to your backoffice with the http:// domain name. When you go to a screen that needs to be secure you will be prompted to log in to the secure url.
Using a secure url requires that all data in the transmission be encrypted so it takes additional server resources as well as more band width in the connection to do things securely.
Using a secure url requires that all data in the transmission be encrypted so it takes additional server resources as well as more band width in the connection to do things securely.
- Jim
- Site Admin
- Posts: 4953
- Joined: Fri Aug 04, 2006 1:42 pm
- Location: Utah
Use SSL
by MgmtSpec » Thu Feb 18, 2010 11:09 am
Not encrypting your main entry opens you up to the REMOTE possibility of a packet sniff hack of your access credentials. With those a bad guy could do a lot of damage and if you use credit cards you may violate compliance. We make all our clients use the secure login. A little more resource is worth the security - in my opinion.
- MgmtSpec
- Posts: 204
- Joined: Mon Apr 30, 2007 8:25 am
by PatG » Thu Feb 18, 2010 12:15 pm
Is it just a choice (for me to make) to use http or https here that you're referring to? Or are you saying that ShopSite would have to do something?
Seems to me that packet sniffer intercept may still be a vulnerability even with https, if someone has access to my local network or station. Am thinking if they have that, they'd get me with a keylogger and skip the sniffing.
Seems to me that packet sniffer intercept may still be a vulnerability even with https, if someone has access to my local network or station. Am thinking if they have that, they'd get me with a keylogger and skip the sniffing.
- PatG
- Posts: 34
- Joined: Sat Feb 06, 2010 1:03 pm
- Location: Winter Park, FL
SSL login
by MgmtSpec » Thu Feb 18, 2010 12:59 pm
ShopSite does not need to do anything. You would need to add SSL to your server/domain. If someone interecepted a packet via SSL it would be encrytped - that's the difference. Yes, encryption can still be cracked but now its a lot more difficult task.
Keystroke logger is a local issue, we have to assume you can control your own network reasonbly.
Unless you have ShopSite ON your LOCAL network, the information is being passed over the internet. Email, etc is all passed over the open internet. Since most used a hosted version, I assumed you were too.
Keystroke logger is a local issue, we have to assume you can control your own network reasonbly.
Unless you have ShopSite ON your LOCAL network, the information is being passed over the internet. Email, etc is all passed over the open internet. Since most used a hosted version, I assumed you were too.
- MgmtSpec
- Posts: 204
- Joined: Mon Apr 30, 2007 8:25 am
by PatG » Thu Feb 18, 2010 3:08 pm
I've got the SSL cert installed, but when I log into the https page (/ss/start.cgi), then click a non-https page (like the merchandising tab), it prompts me to login again, back to sending unencrypted login creds...
Am I missing something?
Am I missing something?
- PatG
- Posts: 34
- Joined: Sat Feb 06, 2010 1:03 pm
- Location: Winter Park, FL
9 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 7 guests