SSL & https://mydomain.com

3 posts / 0 new
Last post
#1 Fri, 03/09/2007 - 22:22
Hitler99

SSL & https://mydomain.com

Hi,

I just trying modify an existing domain to enable SSL in virtualmin, but i got this message : "Failed to modify server : SSL cannot be enabled unless a virtual IP interface or private port is enabled"

And i read the replies from here --> http://www.virtualmin.com/forums/message-view?message_id=85279 People said that each ssl needs different virtual ip for each domain...

But i got another box which manage by PLESK8 with 1 static ip only, and i got more than 50 domains hosted on it. all of the domains ware able to use http://abc.com document root in httpdocs https://abc.com document root in httspdocs

could virtualmin do this as well ?

Sat, 03/10/2007 - 02:40
Joe
Joe's picture

Howdy Hitler (odd choice of nick, but OK),

It's not the document root that's a problem. It's the fact that the HTTPS protocol doesn't allow for selection of certificate based on anything other than IP. So, you lose half of the purpose of SSL (identity) when you do what you describe.

Plesk doesn't have any magic solution to this problem, it just gives you the illusion that you have an SSL site...when you don't. The problem is that if identity doesn't matter to you, then encryption probably shouldn't matter either. Because without identity, a man-in-the-middle attack is possible either way.

I guess I can think of a couple of circumstance where encryption without identity is safer than no encryption. But not by much. It always takes someone sitting between your server and your client to put the data at risk...and without identity it's trivial to setup a proxy between the two end-points.

Anyway, what you describe is <i>not</i> secure. We've got a lot of users doing it anyway, so I reckon we're going to have to allow it.

But I don't recommend it.

--

Check out the forum guidelines!

Mon, 03/12/2007 - 08:24
sgrayban

I agree with Joe here. Having multiple sites using the same SSL IP is a bad thing. To many things can go wrong and you literally break the intended purpose of SSL that way.

SSL certs come in 2 flavours for security reasons, IP and domain control. Both check to see if the website is totally safe between the users and the website by verifying the IP and domain control. If there is a break between either one most web browsers now will throw a error box up complaining of a broke SSL cert.

I high suggest in investing in a block of IP's as needed. Most hosting companies have them for less then $2 a IP which web hosting companies should be able to afford if they have paying accounts.

It's just not worth the &quot;middle man&quot; attack at the end because the customer will blame you and you can be held liable for any damages they incur.