Offer consistent security options


#1

Secure connection options are a bit hit and miss currently:

Available over https:
[list]
[*]panel: https://panel.dreamhost.com
[*]webmail: https://webmail.dreamhost.com or https://webmail.example.com (note this will trigger a warning in most browsers because the SSH certificate is issued for *.dreamhost.com).
[*]ftp: https://webftp.dreamhost.com
[/list]

Only available over http:
[list]
[*]mailbox manager: http://mailboxes.example.com
[*]phpMyAdmin: http://example.com/dh_phpmyadmin/sqlhostname.example.com
[/list]

There may be others that I have missed, but is there any reason to offer secure connections for some services but not others? The people that use these services are less likely to be following best practices in the first place, so why not make them as secure as possible? The likelihood is high that passwords which are recycled in other services are being passed over insecure connections when using either mailbox manager or phpMyAdmin.
[hr]
It appears that mailbox manager can also be reached via https, but that’s not the default link in the panel. It should be.

There’s still no way to use phpMyAdmin over https.


#2

There’s a simple logic to this one: Services are available securely depending on what domain they’re under.

We can provide the Panel and WebFTP securely because they all reside under dreamhost.com, which we have a certificate for.

The Mailbox Manager runs on a subdomain of your domain, so we cannot enable HTTPS for it: chances are that no SSL certificate exists for mailboxes.example.com. (Even if one did, we don’t have things set up in such a way that we could install one.)

phpMyAdmin is a special case. It runs on your domain, so it’s available over HTTPS if your domain has secure hosting enabled.


#3

+1 Offer consistent security options.

That one’s been a head scratcher for years.


#4

You’re wrong on that one, at least in my experience. DH manages mysql.mydomain.com, and there is no way to add a cert (signed or unsigned) to that subdomain.


#5

The MySQL subdomain is only used to generate a redirect to the phpMyAdmin URL under your main domain. It does not handle any sensitive data, so there’s no need for an SSL certificate on it.

If you have a working SSL certificate for your domain, just cancel the initial password prompt, then add “https” to the URL that the MySQL subdomain redirects you to.


#6

That did the job. Why not default it this way, even if it means having an unsigned SSL Cert?


#7

I have a LetsEncrypt certificate for my domain example.com, yet https://mailboxes.example.com isn’t covered; I get a security warning. It doesn’t even seem to be using my certificate; the Firefox details say:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for mailboxes.dhp-art.com. The certificate is only valid for the following names: *.dreamhost.com, dreamhost.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

So I think Dreamhost is somehow serving this subdomain with its own certificate. Please fix this.
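
The name check behind the warnings discussed in this thread, as an added example that is not part of any post and not DreamHost's code: it applies the usual browser rule (a wildcard stands for exactly one left-most label) to the certificate names quoted in the Firefox error. The function names and the `audit` helper are hypothetical, and `example.com` stands in for a customer domain as it does in the posts.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (pattern) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard covers exactly one left-most label; require at least
        # two fixed labels after it so "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    # Exact match only; partial wildcards such as "w*" are rejected.
    return "*" not in pattern and p == h

def cert_covers(san_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in san_names)

def audit(urls, san_names):
    """Map each URL to 'ok', 'name-mismatch' or 'plaintext'."""
    result = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            result[url] = "plaintext"      # credentials sent unencrypted
        elif cert_covers(san_names, parts.hostname or ""):
            result[url] = "ok"
        else:
            result[url] = "name-mismatch"  # SSL_ERROR_BAD_CERT_DOMAIN case
    return result

# Certificate names quoted in the Firefox error in the thread.
DREAMHOST_SAN = ["*.dreamhost.com", "dreamhost.com"]
# URLs taken from the thread.
THREAD_URLS = [
    "https://panel.dreamhost.com",
    "https://webmail.example.com",
    "https://webftp.dreamhost.com",
    "https://mailboxes.example.com",
    "http://mailboxes.example.com",
]

if __name__ == "__main__":
    for url, status in audit(THREAD_URLS, DREAMHOST_SAN).items():
        print(f"{status:14} {url}")
```
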