Solved

non-ssl to ssl, secure?

Posted on 2011-05-03
Last Modified: 2013-11-18
Hi,

I have a website that uses https/ssl and I have a question about that.

Example:

Website1: Has a valid ssl cert installed which allows users to use https.
Website2: Is not owned by me and does not use ssl, I have absolutely no influence on the website/server setup.

Website2 needs to get some critical data (FTP login details) from Website1 (I currently use cURL for this) and I'm a bit worried about someone snapping the data in the process ("man-in-the-middle" and "eavesdropping" attacks ... not sure what it's called).

Will/can the SSL/https on Website1 be used to encrypt the connection?

****

Website2 uses something like this at the moment:

$filename = "https://mytestdomain.com/ftpdetails.php?accesskey=HF64GDFTRU8O";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $filename);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$html_content = curl_exec($ch);
curl_close($ch);

ftpdetails.php checks if the accesskey is valid and outputs the correct ftp details.
Question by:kgp43

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 35512239
In this line of code...

$filename = "https://mytestdomain.com/ftpdetails.php?accesskey=HF64GDFTRU8O";

... the use of HTTPS means that the data will be sent encrypted and decrypted by the receiving party.  The use of HTTPS and SSL makes life very simple for those of us who want to send information in a secure way that avoids the risk of "packet sniffing" and other man-in-the-middle actions.  This appears to be a RESTful interface.  The accesskey string will not be apparent to anyone but the originators and recipients of this URL string.

So your only real risk here is whether you trust the people at Website2 to know and implement adequate security controls.
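
As an added example (not part of the original answer or the asker's code), the cURL fetch from the question can state the HTTPS guarantees explicitly: certificate and host-name verification are switched on, and the redirects the original code follows are confined to HTTPS. The helper name `fetch_over_verified_https` is hypothetical, and the access key in the constructed URL is a placeholder.

```php
<?php
// Added example, not code from the thread.
// fetch_over_verified_https() is a hypothetical helper name.
function fetch_over_verified_https(string $url): string
{
    // Refuse anything that is not https:// before touching the network.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing non-HTTPS URL');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => false,
        // Check the certificate chain and that the certificate names the host.
        // With these off the traffic is still encrypted, but to an unverified peer.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // The question's code follows redirects; keep every hop on HTTPS so a
        // redirect cannot downgrade the transfer to plain HTTP.
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 30,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate or host-name failures end up here; do not retry insecurely.
        throw new RuntimeException('Transfer failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Offline check with a constructed plain-HTTP URL: rejected before any request.
try {
    fetch_over_verified_https('http://mytestdomain.com/ftpdetails.php?accesskey=PLACEHOLDER');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// Real fetch only when a URL is passed on the command line.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo fetch_over_verified_https($argv[1]), PHP_EOL;
}
```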

Author Comment

by:kgp43
ID: 35512322
Thanks for a great and useful reply Ray, very understanding :)

That means, if a website has SSL, then all information sent between the "SSL website" and visitors/servers will be encrypted.
I had my doubts if that also counted servers, thanks for clearing that up.

Expert Comment

by:AlexPace
ID: 35512384
Don't forget that FTP passwords are sent in plain unencrypted text ... so as soon as they try to use the FTP credentials from site 2 your security problem returns.

Author Comment

by:kgp43
ID: 35512627
Website2 is supposed to use the FTP details.
I can however encrypt them using mcrypt, if that will help.

Expert Comment

by:Ray Paseur
ID: 35512875
And there is FTPS, too.