03 December 2008, 16:16

Is there a clever way to force the login page to be transmitted using SSL?

I think I could do a Rewrite in apache, but I was hoping there was a checkbox somewhere that I missed!

Thanks for your time,

Paul

03 December 2008, 18:58

Hi - there's no fancy checkbox for this, yes it would have to be done outside of Mahara.

Personally, I don't understand the point of only encrypting the login page though. If someone is listening in, they won't get the password, but they will on the change password screen (unless you protect that), and they would be able to see everything that the user browses through, which will probably include all of their private data!

I would have though it's smarter to just encrypt the whole lot.

03 December 2008, 21:32

Thanks for the response, I'll just offer it on the secure port.

21 December 2008, 12:42

Hi Nigel,

the point is the user can be using their LDAP (read MS Active Directory) credentials to log in, which could be reused in other more sensitive places than Mahara to impersonate the user. That's why I like the option you have in Moodle to secure the login form (and the password change form, in case you are using it).

I don't know if this would be easy or not (I'm new to mahara code, and a 10' review of the code didn't clarify it too much).

On the other hand, encrypting the whole lot is CPU intensive unless you use some SSL hardware accelerator, so that could be a problem for medium to big sites which can't use that hardware.

Saludos. Iñaki.

21 December 2008, 17:01

The performance issue is a shame, browsers should support same domain/whitelist loading of secure and non-secure content really...

I can see the usecase you have here - though if you're worried about users snooping on the wire and then don't encrypt every page, I still think you've lost the battle .

If someone makes a patch for this then we'll apply it.

26 February 2009, 17:27

Im with Iñaki on this one.

I dont want to SSL the entire site due to the overhead.

Like Iñaki I worry about losing the admin or an LDAP password. We have single sign on for all our systems, losing LDAP passwords would allow the attacker to get at a lot more than Moodle or Mahara.

Your point about the change password screen is not actually valid in the case of Moodle.

The password is not stored in the Moodle databse, and Moodle is not able to change the LDAP password (in our config).

So, there is no way to retrieve or alter LDAP password once logged in (to Moodle).

I have not looked, but I "hope" Mahara behaves the same way when LDAP is enabled, i.e. that the passwords are not stored locally??

Encrypting the login page is a sensible step IMO.

Jez

26 February 2009, 18:16

Mahara doesn't store ldap passwords.

As mentioned before, if someone makes a patch we'll be happy to take it upstream

27 February 2009, 10:54

05 March 2009, 8:05

Ok we got SSL running just on the login and its actually very easy within apache:

RewriteEngine on
RewriteRule ^/$ https://%{SERVER_NAME}/ [R,L]

The above just redirects the root domain, like http://mahara.org, not all the sub pages. So, https is used for the login routines but once a user hits a link within the site they are booted back to http...

Seems to be working quite well...

05 March 2009, 10:25

Well it seemed to be working ok until I switched to IE which kept nagging me about secure / insecure items on the page... so I guess it would require changes to Mahara after all so that when using secure pages the URLs of all linked resources are also put into https...