On Sat, Nov 30, 2013 at 2:04 PM, Glen Mazza <[email protected]> wrote:
> Hi, for a Roller installation I'd like to secure the site so my login
> password isn't being sent via cleartext, but at the same time not have the
> entire blog on SSL for performance reasons (blog readers will never log in,
> so if they can use HTTP alone that would be good.) I see these possibilities:
>
> 1.) Activate SSL for the login page only, and keep the rest HTTP-only. Is
> that doable with Roller, and would it provide sufficient security? I.e., I'm
> not sure if any cookies sent back and forth during subsequent edits would
> create security problems akin to sending the password cleartext if those
> cookies themselves weren't encrypted.
>

That would work, and I think going all SSL is not a bad option these days. However, you need to get a validated cert, and that costs money on the order of a couple hundred bucks last time I checked.

> 2.) Use two URLs -- use https:// for the entire site for myself only,
> since I'm the only one logging in, but use cleartext HTTP for blog readers.
> This could work, but I'm concerned any Google returns for blog articles
> would point to the https:// and not the http:// URL.
>

Security experts warn against this, but I've seen it implemented in production several times (with Roller) and nothing bad happened (that I know about). Still, you have the cost of getting a validated cert.

I'm not sure of the status of our SSL enforcement filter (to force SSL for login and password change pages). Maybe it is not needed and Spring Security already has something?

> 3.) Use OpenID to authenticate -- this could(?) allow me to keep the blog
> 100% HTTP-only while keeping the third-party authentication on SSL.
>

This might be the best option because you don't have to buy a cert. The one wrinkle is that we may have borked OpenID support with our recent dependency changes, not sure though.

Hope that helps.

- Dave
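The "SSL enforcement filter" Dave mentions, and Glen's worry about session cookies travelling in cleartext during edits after an HTTPS-only login, can be illustrated with a plain servlet filter. The code below is an added example, not Roller's own filter and not anything from this thread: it redirects HTTP requests for credential- and session-bearing paths to HTTPS while leaving the public blog on HTTP. The class name, the `securePrefixes` and `httpsPort` init-params, and the default prefix list (`/roller-ui/...`) are assumptions for the example and would need to match the real deployment's URL layout.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not Roller's own code): force HTTPS on every path where a
 * password or an authenticated session is in play, so that the login form,
 * the password-change page and the whole authoring UI never run over plain
 * HTTP, while public blog pages stay on HTTP.
 */
public class HttpsEnforcementFilter implements Filter {

    // Path prefixes (relative to the context root) that must be served over
    // HTTPS only. The defaults are assumed for the example; override them with
    // the "securePrefixes" init-param (comma separated).
    private List<String> securePrefixes = Arrays.asList("/roller-ui/");

    // HTTPS port used when building the redirect target ("httpsPort" init-param).
    private int httpsPort = 443;

    @Override
    public void init(FilterConfig config) {
        String prefixes = config.getInitParameter("securePrefixes");
        if (prefixes != null && !prefixes.trim().isEmpty()) {
            securePrefixes = Arrays.asList(prefixes.trim().split("\\s*,\\s*"));
        }
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
    }

    /** True when the request path falls under one of the protected prefixes. */
    static boolean requiresHttps(String path, List<String> prefixes) {
        for (String prefix : prefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. "/roller-ui/login-redirect.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (!request.isSecure() && requiresHttps(path, securePrefixes)) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // Safe request: send the browser to the same URL over HTTPS.
                StringBuilder target = new StringBuilder("https://").append(request.getServerName());
                if (httpsPort != 443) {
                    target.append(':').append(httpsPort);
                }
                target.append(request.getRequestURI());
                if (request.getQueryString() != null) {
                    target.append('?').append(request.getQueryString());
                }
                response.sendRedirect(target.toString());
            } else {
                // A POST that already arrived over HTTP has already exposed its
                // body; refuse it instead of replaying it over HTTPS.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            }
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Two points a deployment has to get right for this to actually answer Glen's cookie concern. First, the filter only helps if the session cookie itself is never sent over HTTP: with a Servlet 3.0 container, setting `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` in `web.xml` makes the container mark the JSESSIONID cookie `Secure`, so the browser withholds it on HTTP requests; that is only workable when every authenticated path (not just the login page) is on HTTPS, which is why the filter protects the whole authoring prefix rather than the login page alone. Second, `request.isSecure()` is only meaningful if the container knows TLS was used; behind a TLS-terminating proxy, the connector has to be configured to trust the proxy's forwarded-protocol header, or every request will look like plain HTTP and the filter will loop on redirects.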
