non-ssl to ssl, secure?

Posted on 2011-05-03
Last Modified: 2013-11-18

I have a website that uses https/ssl and I have a question about that.


Website1: Has a valid ssl cert installed which allows users to use https.
Website2: Is not owned by me and does not use ssl, I have absolutely no influence on the website/server setup.

Website2 needs to get some critical data (FTP login details) from Website1 (I currently use cURL for this) and I'm a bit worried about someone snapping the data in the process ("man-in-the-middle" and "eavesdropping" attacks ... not sure what it's called).

Will/can the SSL/https on Website1 be used to encrypt the connection?


Website2 uses something like this at the moment:

$filename = "";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $filename);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$html_content = curl_exec($ch);

ftpdetails.php checks if the accesskey is valid and outputs the correct ftp details.
Question by:kgp43
    LVL 107

    Accepted Solution

    In this line of code...

    $filename = "";

    ... the use of HTTPS means that the data will be sent encrypted and decrypted by the receiving party.  The use of HTTPS and SSL makes life very simple for those of us who want to send information in a secure way that avoids the risk of "packet sniffing" and other man-in-the-middle actions.  This appears to be a RESTful interface.  The accesskey string will not be apparent to anyone but the originators and recipients of this URL string.

    So your only real risk here is whether you trust the people at Website2 to know and implement adequate security controls.

    Author Comment

    Thanks for a great and useful reply Ray, very understanding :)

    That means, if a website has SSL, then all information sent between the "SSL website" and visitors/servers will be encrypted.
    I had my doubt if that also counted servers, thanks for clearing that up.
    LVL 16

    Expert Comment

    Don't forget that FTP passwords are sent in plain unencrypted text ... so as soon as they try to use the FTP credentials from site 2 your security problem returns.

    Author Comment

    Website2 is supposed to use the FTP details.
    I can however encrypt them using mcrypt, if that will help.
    LVL 107

    Expert Comment

    by:Ray Paseur
    And there is FTPS, too.
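
The two points raised in this thread, fetching the details over HTTPS and then using them over FTPS rather than plain FTP, as an added example that is not any participant's code. The function names, the `website1.example` host and the `PLACEHOLDER` key are assumptions; the cURL options are standard PHP cURL constants.

```php
<?php
// Added example, not code from the thread. All names below are hypothetical.

/** Run a cURL transfer with TLS verification on; throw on any failure. */
function tls_transfer(array $options): string
{
    $ch = curl_init();
    curl_setopt_array($ch, $options + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // and that it names the host we asked for
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Transfer failed: ' . curl_error($ch));
    }
    return $body;
}

/** Website2 side: fetch the FTP details from Website1 over HTTPS only. */
function fetch_ftp_details(string $url): string
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('URL must use https://');
    }
    return tls_transfer([
        CURLOPT_URL             => $url,
        CURLOPT_FOLLOWLOCATION  => true,            // kept from the original snippet
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never speak plain HTTP
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // not even after a redirect
        CURLOPT_FAILONERROR     => true,            // HTTP >= 400 counts as failure
    ]);
}

/** Use the details over explicit FTPS, so the password is never sent in clear. */
function ftps_list(string $host, string $user, string $pass): string
{
    return tls_transfer([
        CURLOPT_URL      => 'ftp://' . $host . '/',
        CURLOPT_USERNAME => $user,
        CURLOPT_PASSWORD => $pass,
        CURLOPT_USE_SSL  => CURLUSESSL_ALL, // fail instead of falling back to plain FTP
    ]);
}

// Usage (placeholder values):
// $details = fetch_ftp_details('https://website1.example/ftpdetails.php?accesskey=PLACEHOLDER');
```

With `CURLOPT_FOLLOWLOCATION` left on and no protocol restriction, a redirect to an `http://` URL would repeat the request without encryption; the two `*_PROTOCOLS` options close that gap.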
