[Sussex] Switching from HTTP to HTTPS

Nico Kadel-Garcia nkadel at gmail.com
Tue Jan 23 17:01:47 UTC 2007


Nic James Ferrier wrote:
> "Brendan Whelan" <b_whelan at mistral.co.uk> writes:
>
>   
>> We have an Internet application written using PHP with a MySQL
>> database. A small number of users login from around the UK and
>> view/add/edit data via forms. The main user is becoming concerned
>> about security and has asked can we switch from HTTP to HTTPS. I
>> tried bringing up pages in HTTPS and get a message "This page
>> contains both secure and nonsecure items". What needs changing to
>> avoid these messages and, presumably make the whole application
>> secure?
>>     
>
> You need an SSL certificate installed on the server.
>   
That seems unrelated to his reported problem, although it's certainly 
appropriate to have a signed certificate for commercial uses. Some 
software (read: Internet Explorer) makes it very difficult to gracefully 
use certificates that are not signed by one of the approved central 
authorities.
> You can generate your own SSL certificate - but then your users will
> have to understand and trust that process.
>
> You can buy SSL certificates from organizations like Thawte and
> Verisign.
>   
Both are pretty expensive and awkward to deal with: I've found GoDaddy 
to be far friendlier and more responsive to requests. And Verisign have 
demonstrated, with stupidities such as their setting a *.com wildcard on 
the .com domain that they manage to redirect all typos to their ads, 
that they're willing to break things for everyone else to improve their 
advertising.
> You install the certificate into the server and make sure it is
> protecting the bits of the namespace that your app is running under.
>
>
> The process can be a bit complicated if you don't know what you're
> doing.
>   
Yeah. RedHat/Fedora installations of Apache generate default tickets for 
you automatically at install time, but they contain no usable contact 
information, so they should be replaced if possible.
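
The "both secure and nonsecure items" message quoted in the original question is what a browser shows when a page fetched over HTTPS pulls in sub-resources over plain HTTP. The following is an added example, not code from this thread or its participants: a small Python check that lists such references in a page's HTML output. The sample page and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource as part of the page.
# <a href> is deliberately absent: a plain link is navigation, not page content.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "input": "src", "link": "href", "object": "data",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = SUBRESOURCE_ATTRS.get(tag)
        url = (attrs.get(wanted) or "").strip() if wanted else ""
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, wanted, url))
        # A form that posts to http:// sends the submitted data unencrypted.
        action = (attrs.get("action") or "").strip()
        if tag == "form" and action.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, "action", action))

def find_insecure_references(html):
    """Return every plain-HTTP sub-resource or form target found in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, as a PHP script might emit it (hostnames are made up).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://app.example.org/style.css">
<script src="/js/forms.js"></script>
</head><body>
<img src="http://app.example.org/logo.png">
<img src="https://app.example.org/banner.png">
<a href="http://www.example.com/">external link</a>
<form method="post" action="http://app.example.org/save.php">
<input type="text" name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_references(SAMPLE):
        print(f"line {line}: <{tag} {attr}={url!r}> uses plain HTTP")
```

References it reports can be changed to relative or `https://` URLs; it does not look inside CSS or at content inserted by scripts.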



