catalyst2 community forums  

16-02-2008, 11:19 AM   #1
Registered User
 
Join Date: Jun 2006
Posts: 12
SSL or Not?

Not sure if this belongs in the HowTo section or not...

I have a small site which runs a members site for a NFPO. We keep members' addresses in the database.

Recently the CMS software we use has started to add features for SSL support for the membership registration area. So I'm looking for some advice:

Should we add SSL to our domain? Anyone got any pitfalls etc? Does it really matter... if someone hacks the cPanel (has happened) they can get to the database if they wanted to. If someone hacks the CMS and writes a component to access the database they can get the data out because SQL isn't going to block access from a non-SSL URL...

You'll gather I'm looking for a "How To Protect part of your data".

(We don't do anything completely stupid like take credit card details over the site (done via PayPal).)
heronnweb
16-02-2008, 09:55 PM   #2
Administrator
 
Join Date: Oct 2003
Posts: 1,484
SSL only encrypts the data to and from the server to the client. So if you think there is a risk of the data being intercepted by a 3rd party then SSL is probably the way to go. That said, if it's just people's addresses then there are easier ways of getting hold of addresses than listening into someone's web traffic.

In terms of general security - Catalyst2 obviously take security very seriously and take all measures where feasibly possible. However, there are a few basic things you can do. For example, has the SQL user the website uses to connect to the database got only the minimum amount of permission and access to objects that it needs? You could encrypt any sensitive data so even if someone did get into your database it would be no good to them.

Hope that is of some help

(Thread moved)
__________________
Jason Robbins
jason@catalyst2.com
WhiskyFudge
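
The minimum-permission point in the reply above, as an added example that is not part of either post: a broad grant beside a restricted one, so that a hacked CMS component running as the website's account cannot read the address column. It assumes MySQL; the database, table, column and account names are hypothetical.

```sql
-- Added example. Assumes MySQL; every database, table, column and account
-- name below is a hypothetical placeholder, not taken from the thread.
CREATE DATABASE IF NOT EXISTS cms;
CREATE TABLE IF NOT EXISTS cms.pages (
  id    INT PRIMARY KEY AUTO_INCREMENT,
  title VARCHAR(200) NOT NULL,
  body  TEXT
);
CREATE TABLE IF NOT EXISTS cms.members (
  id             INT PRIMARY KEY AUTO_INCREMENT,
  username       VARCHAR(64)  NOT NULL UNIQUE,
  password_hash  VARCHAR(255) NOT NULL,
  postal_address TEXT
);

-- Weak setting (left commented out): the website's account can read, change
-- or drop anything in the CMS database, so any code running inside the CMS
-- inherits all of that.
-- GRANT ALL PRIVILEGES ON cms.* TO 'cms_site'@'localhost';

-- Corrected: the public site gets only what its pages need.
CREATE USER 'cms_site'@'localhost' IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD';
GRANT SELECT ON cms.pages TO 'cms_site'@'localhost';
-- Registration may add a member row (including the address) ...
GRANT INSERT ON cms.members TO 'cms_site'@'localhost';
-- ... but login code may read only the login columns, not the address.
GRANT SELECT (id, username, password_hash) ON cms.members TO 'cms_site'@'localhost';
GRANT UPDATE (password_hash) ON cms.members TO 'cms_site'@'localhost';

-- A separate account, used only by the back-office tool that genuinely
-- needs the addresses, keeps that access out of the public site's reach.
CREATE USER 'cms_office'@'localhost' IDENTIFIED BY 'REPLACE-WITH-ANOTHER-RANDOM-PASSWORD';
GRANT SELECT, UPDATE, DELETE ON cms.members TO 'cms_office'@'localhost';

-- Check what the site account ended up with.
SHOW GRANTS FOR 'cms_site'@'localhost';

-- Connected as cms_site, this query is now rejected with an access-denied
-- error for the postal_address column:
-- SELECT postal_address FROM cms.members;
```

If the site has to show members their own address, the column grant would need to include it, which is where encrypting the stored value becomes the remaining safeguard.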