azhan — 2014-05-07T04:30:43-04:00 — #1
I've just finished developing/coding my PHP web and I was thinking of making it more secure by implementing SSL on it. This is because my web involves sensitive data such as staff personal information and it can be accessed via the public internet.
I thought SSL is managed by the hosting provider once we purchase the yearly SSL from them.
Do I have to alter my coding to suit the SSL? I have around 300 PHP pages.
If there is an existing thread on this, do you mind giving me the link to the installation manual?
hostripples — 2014-05-07T05:51:18-04:00 — #2
SSL will not secure your DATA. SSL is used to secure online transactions from man-in-the-middle attacks. If you have a website from which online transactions or any sensitive user information is collected, then go with SSL.
Yes, SSL is installed by the hosting company and the installation is free of cost. You just need to purchase the SSL. And you don't have to make any changes in your PHP code.
mittineague — 2014-05-07T06:01:18-04:00 — #3
Wouldn't you need to change any hard-coded "http" to "https" and maybe some htaccess lines?
hostripples — 2014-05-07T06:11:09-04:00 — #4
We can use an htaccess file to change the website from http to https instead of making changes in the code.
scallioxtx — 2014-05-07T16:43:39-04:00 — #5
While this is true, if the code keeps on using http and htaccess is rewriting it to https all the time it's quite wasteful of CPU cycles.
So it depends on whether you are using "http://" in your code. If you do, I'd recommend replacing it with "https://" (which is a simple global search and replace).
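Added example, not written by any poster in this thread: the global search and replace suggested above is safer when it only touches the site's own host, because a blanket replace also rewrites XML namespace URIs and links to other hosts. This Python script assumes the site's host is `staff.example` (a constructed placeholder) and reports hits in a dry run before it writes anything.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample page; staff.example stands in for the site's own host.
SAMPLE = '''<?php
$logo = "http://staff.example/img/logo.png";
$home = 'http://www.staff.example/index.php';
$ns   = "http://www.w3.org/1999/xhtml";      // identifier, not a fetch
$trap = "http://staff.example.evil.test/";   // different host, must not match
'''

def rewrite_own_host(text, host):
    """Return (new_text, hits): upgrade http:// links to host or www.host only."""
    # The lookahead rejects longer hostnames and explicit ports after the host.
    pattern = re.compile(
        r"http://((?:www\.)?" + re.escape(host) + r")(?![\w.:-])", re.IGNORECASE)
    return pattern.subn(r"https://\1", text)

def upgrade_tree(root, host, apply=False):
    """Scan *.php under root and return {relative path: hits}.

    Dry run by default; files are rewritten only when apply=True.
    """
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        # latin-1 round-trips every byte, so encoding and line endings survive.
        original = path.read_bytes().decode("latin-1")
        updated, hits = rewrite_own_host(original, host)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
            if apply:
                path.write_bytes(updated.encode("latin-1"))
    return report

def demo():
    """Run a dry run and then a real pass over a throwaway copy of SAMPLE."""
    with tempfile.TemporaryDirectory() as root:
        page = Path(root, "staff", "profile.php")
        page.parent.mkdir()
        page.write_text(SAMPLE)
        dry = upgrade_tree(root, "staff.example")
        untouched = page.read_text() == SAMPLE
        upgrade_tree(root, "staff.example", apply=True)
        return dry, untouched, page.read_text()

if __name__ == "__main__":
    dry, untouched, final = demo()
    print(dry, untouched)
    print(final)
```

URLs with an explicit port are deliberately left alone so they can be reviewed by hand.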
azhan — 2014-05-11T10:08:26-04:00 — #6
Thanks for your feedback. I understand most online banking sites are keener to use https because they make transactions.
But my web only contains "sensitive" personal data such as staff full name, identity registration card number, full address, bank account number, spouse info, salary info etc.
Correct me if I'm wrong,
SSL secures the communication between client & server in order to prevent "eavesdropping" activity in the middle. Correct?
If the above is true, then my thought that SSL prevents direct hacking is wrong.
I just thought implementing SSL would be an added feature, or so to speak give me an excuse for customers whenever they ask "how" secure is your web? Then I could reply that my web is secured by SSL......
Soooo should I go with SSL or not? Can I just implement it to impress my client?? LOL.......or is there another way to prevent hacking? Sorry guys....I have skill in coding PHP but my knowledge of web security is very low.
My ex-colleague once told me that any web can be hacked and it's just a matter of time, meaning: is my web important enough for any hacker out there to be willing to waste their time hacking it?
wannabegeekster — 2014-05-20T13:48:37-04:00 — #7
SSL is important for your website I believe. The benefit you get out of SSL is that when someone types in their username and password someone cannot sniff it out using the man-in-the-middle attack described above. This does not prevent hackers from compromising your website using other means. If you would like to learn how to write secure code, find great tools on how to audit your code for vulnerabilities (great open source tools available) then I highly recommend checking out OWASP and becoming a member. They have great articles on writing secure code in any language. It is just a great all around resource when it comes to web security in general.
However, any website that has an authentication system built in and stores confidential user data should be secured with an SSL certificate.
Please feel free to ask for some specific help in getting your certificate issued as well as I have extensive experience in this arena.
hostripples — 2014-05-23T05:56:45-04:00 — #8
Hello Azhan,
Yes, you can use SSL on your website, through which you can provide a secured link for your clients.
Regarding hacking of the website, there are many vulnerabilities.
Please read the Open Web Application Security Project (OWASP) TOP 10 2014 Vulnerabilities list.
Also, there are other factors through which a website is hacked. If you are using a shared server and one website on the server is compromised, then the hacker can bypass the whole server, so server security is also a must in this case.