Securing MT passwords


#1

I just installed MovableType on my domain, but I was thinking about the passwords being transmitted in clear text. Besides paying for a unique IP, is there any way to secure the passwords to the blog software on Dreamhost?


#2

In a word: no, at least not universally.

If you can’t use SSL, anything to and from the server will be in cleartext. You could see whether MovableType supports HTTP Digest Auth logins (and your browser as well) – those would allow you to do secure authentication without transmitting a cleartext password over the wire (though ALL the rest of the communication would still remain unencrypted). Apache at DH should support them if you do your authing through Apache (though I have to admit I have no idea whether MT can even use HTTP authentication instead of session-based cookie schemes).
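To make the point above concrete, here is an added, self-contained model of an RFC 2617 Digest exchange (this is illustrative code, not anything from MovableType, Apache or Dreamhost). The realm, username, password and the `/mt/mt.cgi` URI are constructed assumptions; the server keeps only the `HA1` hash per user, the way Apache’s `htdigest` file does, and the client sends a hash computed over a server nonce, so the password itself never appears in the request. The nonce is treated as single-use here (a simplification of the real `nc` counter) so a captured request cannot be replayed.

```python
import hashlib
import secrets

# Constructed sample values; not from the thread.
REALM = "MovableType"
USERNAME = "author"
PASSWORD = "correct horse"


def md5_hex(s: str) -> str:
    # Digest as specified in RFC 2617 uses MD5; it is fine for this purpose
    # only because the hash is keyed by a fresh server nonce, not a password store.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client-side 'auth' qop response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        # Store HA1 per user (like an htdigest file), never the plaintext password.
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()  # nonces we handed out and have not yet consumed

    def challenge(self):
        """The 401 WWW-Authenticate challenge: a fresh, unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        """Recompute the expected response from stored HA1 and compare."""
        nonce = auth["nonce"]
        if nonce not in self.issued:
            return False  # unknown or already-used nonce: reject (anti-replay)
        ha1 = self.ha1.get(auth["username"])
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{auth['method']}:{auth['uri']}")
        expected = md5_hex(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.issued.discard(nonce)  # single-use nonce (simplification of nc)
        return ok


def client_authorization(challenge, username, password, method, uri):
    """What the browser puts in the Authorization header: no password field."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    response = digest_response(username, challenge["realm"], password,
                               method, uri, challenge["nonce"], nc, cnonce)
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "method": method,
            "nc": nc, "cnonce": cnonce, "qop": "auth", "response": response}


def password_on_wire(auth, password):
    """True if the plaintext password is visible anywhere in the sent header."""
    return any(password in str(v) for v in auth.values())


def demo(password=PASSWORD):
    """Run one login; return (accepted, password visible on wire, replay accepted)."""
    server = DigestServer(REALM, {USERNAME: PASSWORD})
    chal = server.challenge()
    # Assumed login URI for illustration only.
    auth = client_authorization(chal, USERNAME, password, "POST", "/mt/mt.cgi")
    accepted = server.verify(auth)
    replayed = server.verify(auth)  # a sniffer resending the same header
    return accepted, password_on_wire(auth, PASSWORD), replayed


if __name__ == "__main__":
    print(demo())        # (True, False, False)
    print(demo("wrong")) # (False, False, False)
```

What this does and does not buy you matches the post: the password never crosses the wire and a replayed header is rejected, but the request body, the response and any session cookie MT sets afterwards are still cleartext, so anyone on the path can read the content or hijack the logged-in session.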


#3

You might be able to create your own certificate using your fully qualified domain name as the Common Name. They might even have OpenSSL already installed somewhere on each box. Wouldn’t hurt to ask.

Web browsers will alert users with a popup notifying them the certificate hasn’t been signed by a “recognised authority” or some such (you’re not a bank so who cares?) but if you used your domain name as the CSA during certificate creation then yourwebsite.com will be shown - and we can safely assume your users would know where they are anyway. If they choose to Import the certificate they won’t be bugged with the popup again; if they don’t they’ll just need to click Accept on each visit. No big deal really.

Having said that, I’m new here and am as yet not fully aware of how things work in the DH environment but I’m sure one of the regulars would be able to fill in any details regarding the cans and can’ts of SSL here.


#4

You can certainly do all that, but I think that you still need to buy a unique IP address in that case.

What are 50DISK50, 3DOM50, and 1IP1DOM50?
They’re Dreamhost coupons!


#5

Yea, I’d have no problem creating my own self-signed cert and not having it be valid to browsers since I am only after the encrypted channel.

Any SSL setup requires a unique IP though, which is why I was hoping there was something more MT specific like HTTP Digest or something.


#6

Dig around in the MT docs and possibly the MT forums or some such; a cursory glance at their documentation reveals absolutely nothing of interest in that area. They don’t exactly explain their authentication scheme.