How secure is using admin/tool/uploaduser/index.php

by callum Wood -
Number of replies: 3

Hi all,

I am trying to perform a security review of Moodle. 

I'm trying to find some documentation about how secure performing a user upload through the interface is, but I am unable to find any. We currently only use an SSL on the login page.

My concerns are that the information could be intercepted whilst the upload takes place. How feasible is this?

Thanks for your help.

In reply to callum Wood

Re: How secure is using admin/tool/uploaduser/index.php

by Tim Hunt -

If you care about security, you need to use SSL for your whole site.

No real reason not to these days. Particularly if you already have an SSL certificate, which presumably you do for the login page.

In reply to Tim Hunt

Re: How secure is using admin/tool/uploaduser/index.php

by callum Wood -

Thanks for your reply Tim. 

We did some testing, I believe about 2014, and noticed there was quite a performance hit when using SSL across the site. Is this no longer the case?

I presume then from your reply that when not using an SSL across the whole site there is a chance that the data could be intercepted. Is this correct?

Finally, when adding a user through the interface or updating a user it automatically redirects to https, but it doesn't do this for a user upload. Why would this work for adding or updating and not for a file upload? (This was on 2.9)


Thanks 

In reply to callum Wood

Re: How secure is using admin/tool/uploaduser/index.php

by Matt Bury -

Hi Callum,

Anything sent over HTTP is in plain text and therefore readable. This also applies to automatically generated passwords and password resets. The only way to prevent 3rd parties reading users' HTTP traffic is to encrypt it.

This isn't specific to Moodle; it applies to any web app that uses login credentials. If you're in the EU and receive government funding, then there's often a requirement to use HTTPS.
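A check for the situation discussed in this thread, added here as an example that is not part of any poster's reply or of Moodle itself: given what a plain-HTTP request to each page returned, it reports which pages are still served in cleartext or set a session cookie without the Secure flag. The host name, the login and user-edit paths, the cookie value and the sample responses are constructed assumptions; only admin/tool/uploaduser/index.php comes from the thread.

```python
from urllib.parse import urlsplit

# Constructed sample: (path, status, headers) observed when each page was
# requested over http:// on a hypothetical site that only protects some pages.
SAMPLE = [
    ("/login/index.php", 303,
     {"Location": "https://moodle.example.org/login/index.php"}),
    ("/user/editadvanced.php", 303,
     {"Location": "https://moodle.example.org/user/editadvanced.php"}),
    ("/admin/tool/uploaduser/index.php", 200,
     {"Set-Cookie": "MoodleSession=abc123; path=/; HttpOnly"}),
]


def audit(responses):
    """Return {path: [findings]} for pages that are exposed over plain HTTP."""
    report = {}
    for path, status, headers in responses:
        findings = []

        # A protected page answers an http:// request with a redirect to https://.
        location = headers.get("Location", "")
        redirected = 300 <= status < 400 and urlsplit(location).scheme == "https"
        if not redirected:
            findings.append("served over plain HTTP: form data and uploaded "
                            "files are readable in transit")

        # A session cookie without Secure is also sent on later http:// requests.
        cookie = headers.get("Set-Cookie", "")
        attributes = [part.strip().lower() for part in cookie.split(";")]
        if cookie and "secure" not in attributes:
            findings.append("session cookie set without the Secure flag")

        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{path}: {finding}")
```
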