  • How to automatically redirect the WordPress login and admin pages from HTTP to HTTPS

    Posted on November 16th, 2011 by webmaster

    I always get worried every time I have to log in to a website over a non-SSL-enabled connection.  When my blog didn’t support SSL (before I migrated from a shared host to my own VPS) and I had to work on it at a coffee shop, I would sometimes change my password when I got home, which of course is still not that secure, as my blog is hosted outside my local network, which I have no control over.

    A computer with a network card (wired or wireless) that supports promiscuous mode can easily capture the packets sent to and from other devices on the same local network, using tools like Wireshark.  So if you’re using a public wireless access point, for example, other computers connected to that same access point could see the data you’re sending and receiving over the network.

    Even if the login form hashes the password first (using one-way hashing algorithms such as MD5 or SHA-1), most users probably have passwords that aren’t that strong or complex, allowing an attacker who captured the hash to brute-force it in a reasonable amount of time.  Advances in GPU technology and tools like IGHashGPU make cracking passwords much, much faster.

    There are also tools like Firesheep for Firefox that allow attackers to impersonate you by hijacking your session cookies, since their contents can be read in plain text over an unencrypted connection.

    Automatically redirecting all WordPress pages that send out authentication-related information from HTTP to HTTPS could prevent these types of attacks.

    If you have full control over your WordPress installation, this is very easy to do.  Just edit the wp-config.php file in the root directory of your WordPress installation and add the FORCE_SSL_ADMIN line shown below before /* That’s all, stop editing! Happy blogging. */.

    define('WP_DEBUG', false);
    
    /**
    * Force SSL on login and admin pages.
    */
    define('FORCE_SSL_ADMIN', true);
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
            define('ABSPATH', dirname(__FILE__) . '/');
    

    More information can be found here: http://codex.wordpress.org/Administration_Over_SSL

    If you don’t have full control over your WordPress installation (such as in a shared hosting environment), you can give this plugin a try: http://wordpress.org/extend/plugins/wordpress-https/
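    As an added check (example code, not from the original post, WordPress, or the plugin), the script below requests the login and admin URLs over plain HTTP without following redirects and judges whether the first response is a same-host, same-path redirect to https://. The hostname in the `__main__` block is a placeholder and the headers in the tests are constructed.

```python
# Added example (not from the original post): verify that a WordPress site
# really redirects its login/admin URLs to HTTPS, as FORCE_SSL_ADMIN should.
# "blog.example.invalid" is a placeholder hostname.
import http.client
from urllib.parse import urlsplit

ADMIN_PATHS = ("/wp-login.php", "/wp-admin/")
REDIRECTS = (301, 302, 303, 307, 308)

def judge_redirect(requested_url, status, headers):
    """Return (ok, reason) for one response to a plain-http admin URL.

    ok is True only for a redirect whose Location is an https:// URL on the
    same host and path. Serving the page over HTTP (200) or redirecting to
    another http:// URL means credentials would still cross the wire in clear.
    """
    items = headers.items() if isinstance(headers, dict) else headers
    hdrs = {k.lower(): v for k, v in items}
    if status not in REDIRECTS:
        return False, f"served over HTTP with status {status}"
    loc = hdrs.get("location")
    if not loc:
        return False, "redirect without a Location header"
    req, dst = urlsplit(requested_url), urlsplit(loc)
    if dst.scheme != "https":
        return False, "redirect target is not an https:// URL"
    if dst.hostname and dst.hostname != req.hostname:
        return False, "redirect leaves the site's host"
    if dst.path != req.path:
        return False, "redirect changes the path"
    return True, f"redirects to {loc}"

def check_site(host, paths=ADMIN_PATHS, timeout=10):
    """Live check: GET each admin path over port 80 without following
    redirects and judge the first response. Returns {path: (ok, reason)}."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        url = f"http://{host}{path}"
        results[path] = judge_redirect(url, resp.status, resp.getheaders())
        conn.close()
    return results

if __name__ == "__main__":
    for path, (ok, why) in check_site("blog.example.invalid").items():
        print(f"{'PASS' if ok else 'FAIL'} {path}: {why}")
```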

  • Opportunistic TLS

    Posted on March 21st, 2009 by webmaster (5 comments)

    We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them.  The easiest solution is to use opportunistic TLS, where the sending server always tries to upgrade the SMTP connection to TLS.  If the receiving server supports TLS, the traffic is encrypted.  If not, the email is sent using regular SMTP without encryption.

    This is actually the first time I’ve even heard of opportunistic TLS; I’m used to seeing S/MIME and PGP when reading about email encryption.  What I like about this is that encryption/decryption is done on the server side, so the users don’t have to do anything different when sending emails and we don’t have to issue a certificate to each user and manage the keys.

    If you’re using Exchange Server 2007, opportunistic TLS is already enabled by default.  You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell.  Look for the IgnoreStartTLS parameter; if it’s set to false, then opportunistic TLS is enabled.

    To check whether a server supports TLS, telnet to the server on port 25 and check whether the server advertises the STARTTLS command in its response to EHLO, for example:

    telnet mail.global.frontbridge.com 25

    This server supports TLS (STARTTLS is listed in its EHLO response).

    Here’s an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons):

    Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
    with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
    -0400
    Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
    ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
    TLSv1/SSLv3,128bits,AES128-SHA
    ) id 06456c96000057da for <jdoe@microsoft.com>;
    Mon, 16 Mar 2009 18:05:16 -0500
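    As an added example (not from the original post), the script below does two things: it parses the Received: headers of a delivered message, such as the anonymized ones shown above, and reports which hops carry TLS evidence, so you can confirm that mail from the vendor actually arrived encrypted; and it performs the same STARTTLS check as the telnet test, using smtplib. It only recognizes the two notations seen in the header above, Exchange's "(TLS)" and Trend IMSS's "TLS: <suite>"; other gateways write it differently, so extend the regex for your own environment. The host in the `__main__` block is a placeholder.

```python
# Added example (not from the original post): audit Received: headers for
# TLS evidence and run a live STARTTLS check. SAMPLE is the anonymized
# header from the post, folded the way RFC 5322 allows.
import re
import smtplib

SAMPLE = """Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA
 ) id 06456c96000057da for <jdoe@microsoft.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
"""

def received_hops(raw_headers):
    """Unfold the headers and return one dict per Received: line (newest hop
    first) with the sending host, receiving host and any TLS evidence."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        # Exchange marks a TLS hop as "(TLS)"; Trend IMSS writes "TLS: <suite>".
        m_tls = re.search(r"\(TLS\)|TLS:\s*([^\s)]+)", line)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "tls": (m_tls.group(1) or "TLS") if m_tls else None})
    return hops

def all_hops_encrypted(raw_headers):
    """True only if every Received: hop shows TLS evidence."""
    hops = received_hops(raw_headers)
    return bool(hops) and all(h["tls"] for h in hops)

def starttls_check(host, port=25, timeout=10):
    """Live equivalent of the telnet test: EHLO, see whether STARTTLS is
    advertised and, if so, negotiate it and return the (cipher, protocol,
    bits) tuple reported by the socket."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, None
        smtp.starttls()
        return True, smtp.sock.cipher()

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(f"{hop['from']} -> {hop['by']}: {hop['tls'] or 'NOT encrypted'}")
    print(starttls_check("mail.example.invalid"))  # placeholder host
```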

  • UK Government Laptop Sold on eBay, Including a Confidential Disc

    Posted on February 28th, 2008 by webmaster

    More news about confidential data getting lost…

    A local PC repair firm found the disc under the laptop’s keyboard when the laptop was brought in for repair.  The disc had the words “Home Office” and “Confidential” written on it.

    The good news is that, at least this time, both the laptop and the disc were encrypted.

    Read the full article here.
