To HTTPS or to not HTTPS? That is the question

by Dave Perry -
Number of replies: 8
We're looking to find out what proportion of Moodle sites are and aren't protected by secure login pages. We've traditionally done this when possible because it's the user's network password (where they're staff or students) sent via the login form.

Using HTTPS for this gives us problems internally as, due to our proxy monitoring secure traffic, a custom CA certificate has to be installed on the client device to access secure web pages. Which doesn't really work on mobile devices using our wireless network.

In reply to Dave Perry

This forum post has been removed

The content of this forum post has been removed and can no longer be accessed.
In reply to Dave Perry

Re: To HTTPS or to not HTTPS? That is the question

by Mark Johnson -
We use HTTPS for the full site. I echo what Adam said about logins. Additionally, our Moodle is accessible over the Internet, so the transfer of students' personal data over an unencrypted connection would be a potential data protection issue. Finally, as you mentioned your wireless network, if you're not aware of Firesheep/session stealing I suggest you read this thread. Using HTTPS for your whole site will mitigate such attacks.

In reply to Mark Johnson

Re: To HTTPS or to not HTTPS? That is the question

by Dave Perry -
Thanks for the replies so far. That Firesheep thing I might have to give a go, but I'm told by IT that our hotspots work differently to average ones (i.e. each user who joins them gets their own unique radio channel, so even though it's not a secured Wi-Fi network it's secured by radio channel methodology and ergo shouldn't be susceptible to packet sniffing).

We are apparently getting our main sites and webapps (including Moodle) penetration tested at some point - better check if the wireless will be included.

In reply to Dave Perry

Re: To HTTPS or to not HTTPS? That is the question

by Mark Johnson -
That wireless security model is a new one on me, but unless everyone who connects needs proprietary hardware (i.e. not the WiFi b/g/n card built into every laptop) or the wireless traffic is encrypted (by SSL/WPA/VPN) then correctly-configured hardware will be able to sniff the data out of the air (BackTrack is a good tool for testing this as it provides the necessary configuration and utilities) - even if the access points don't let a malicious user connect and use the network, it won't stop them listening in.

As you say, if you're getting everything properly penetration tested then this should highlight issues if they exist.

In reply to Dave Perry

Re: To HTTPS or to not HTTPS? That is the question

by Adi Tedjasaputra -

David, your IT may have meant 'random' radio channel, instead of 'unique', due to channel limitation imposed by regulation, so basically it is still susceptible to packet sniffing. You should also be aware that implementing HTTPS disables caching and thus will affect your Moodle site performance if implemented site-wide.

In reply to Adi Tedjasaputra

Re: To HTTPS or to not HTTPS? That is the question

by Mark Johnson -
I realise that this reply was posted a long time ago, but just in case there's anyone deciding whether to implement HTTPS who reads this thread, I'd like to point out that we use caching and HTTPS, and we've experienced no detrimental effect on performance.

If you're concerned, do some benchmarking of your own, but I've not seen any numbers to suggest that using HTTPS has as significant an impact on your performance as not using it does on your security.

In reply to Mark Johnson

Re: To HTTPS or to not HTTPS? That is the question

by Carlos Kiyan Tsunami -

Hi 

Do all your pages have https or only the login?

In my case all the pages have HTTPS and it really has an effect on the performance.

Have a look at the YouTube video (0:30 to 0:35). It takes almost 5 seconds to load a page.

Click here to go to the YouTube video

In reply to Carlos Kiyan Tsunami

Re: To HTTPS or to not HTTPS? That is the question

by Rod Spears -

Carlos,

I am confused by the video. The information in your post leads me to believe that you are going to use the video to demonstrate the increased page load time when your entire site is using https.

However, when you attempted to change the site to NOT use HTTPS, you were not even able to log in, so how can we see the difference in page load times?

Or did I miss something?