Using cPanel without SSL?
Posted by RobInRockCity, 02-05-2015, 03:37 PM |
Just got my first ever VPS!
While I am waiting on my domain transfer to finish later this week, is it dangerous to access cPanel without an SSL certificate?
It doesn't seem like a very wise idea to me...
Rob
|
Posted by bear, 02-05-2015, 03:52 PM |
Generally there's a self signed certificate on the server that can be used. It's not perfect, but still secures the connection.
|
Posted by RobInRockCity, 02-05-2015, 04:09 PM |
How timely and ironic...)
Woo hoo! Just got an e-mail from GoDaddy saying my domain name was successfully transferred over to my new registrar!!
That being said, what do I need to do to make sure my domain is now truly secured by my new registrar so that I can go buy an SSL certificate and secure my VPS??
Rob
|
Posted by TheSHosting, 02-05-2015, 04:09 PM |
Enable and use the self-signed certificate at least. Disabling SSL is not wise and generally not recommended.
I am not sure what you mean by "domain is now truly secured by my new registrar"! Do you mean the whois protection? Anyway, to purchase an SSL certificate (a domain-validated cert is fine), contact an SSL provider and make sure that you have access to the mail server of the domain and it is properly configured to accept emails.
Last edited by TheSHosting; 02-05-2015 at 04:13 PM.
|
Posted by RobInRockCity, 02-05-2015, 07:23 PM |
Just thought of another question...
I want to get a domain-verified SSL from NameCheap, and they will require an e-mail address.
Originally I was going to use the e-mail address that I use for my Domain-Provider and Web-Host accounts, but since those are also used for logging in, maybe it is a really bad idea to have that e-mail associated with my domain??
Would it be safer to first set up an email on my VPS, and create something like "admin@MyDomainName.com" so that I have a layer of separation??
Sincerely,
Rob
|
Posted by net, 02-05-2015, 07:27 PM |
With all of these questions, I hope the vps is for your personal use and not selling hosting...
It is not just the ssl you should worry about, it is when your site and vps are online on the internet already.
Security is important for your vps when you put this up not just registering or enabling the domain with ssl.
|
Posted by RobInRockCity, 02-05-2015, 07:34 PM |
I stated in my intro that I am trying to learn more about running my own website.
Why do you think I am being so thorough?
That is why I am asking lots of clarifying questions...
Rob
|
Posted by critihost, 02-05-2015, 08:54 PM |
You should be able to provide an email address for login to their site / delivery and a different email for domain verification. You will indeed need to be able to receive emails at that domain in order to verify the domain.
If this is for personal use I would set up the VPS, get everything running with the self-signed certificate, start taking steps to secure the server, play around with things a bit and then think about buying the ssl certificate.
I say this because your self-signed certificate is still encrypting the connection. One of, if not the, advantages of a "proper" certificate is so that others can verify that the site is who it's claiming to be in the address bar. This is your server so unless you get hacked you do know that it's in fact your server. As stated before it's not perfect but nothing is. And if you're not doing this as a business to begin with there are a lot more important security features to play around with than the ssl certificate.
On emails, I have a few different emails for different things. This is an area often overlooked. Let's say your hosting (vps) provider has a control panel. It probably does and I imagine that you can do a lot from there. Probably recover root password, login to server, reformat server, etc. So you know that password needs to be really secure and you will want to enable 2 factor authentication if possible. Does your provider have an option to reset your password to your email? Most likely. This is where the trouble begins, a ton of people take a lot of time to secure logins and panels but leave their email wide open with a crappy password and no 2 factor authentication. The #1 thing before anything else is lock down your email accounts that have any ability to touch a server, domain, gateway, paypal or otherwise hosting related account really really strong.
Sorry for the essay, hope this at least brushes on your question.
|
Posted by RobInRockCity, 02-07-2015, 12:11 AM |
I probably should have created a separate e-mail for the WhoIs contact so people don't know my Registrar and VPS login email.
I just installed one myself this morning!
Yep.
I agree with you 110%!!
I have come to the same conclusion recently, and learned how to do two-factor authentication recently as well.
Thanks for the reminder!
Rob
|
Posted by Kloudy Day, 02-07-2015, 12:45 AM |
A self-signed certificate is just as fine as the one that you buy from SSL cert CAs; the only difference is that self-signed certs will not be verified by browsers.
As for accessing cPanel, it comes with a default generated self-signed cert that you can use while you're doing the initial setup.
|
Posted by Srv24x7, 02-08-2015, 10:35 AM |
Hi,
There is a difference between self-signed and other SSL, that is why the SSL provider exists. Encrypting the data on the go. Self-signed can be decrypted pretty easily, but the genuine SSL is hard to decrypt and with SHA in use, it's even down to 100% secure now.
If you are more concerned about the data, then you should go with a genuine SSL or go with manual migration using cpanel backend tools.
|
Posted by RobInRockCity, 02-08-2015, 02:34 PM |
Do people agree or disagree with this?
I have had several people tell me that a self-signed SSL is just as secure as one I would buy from someone like GeoTrust or Comodo.
What is the truth?
For now, I have decided to use my VPS's self-signed SSL, but if it is not as good as a regular SSL, then I will gladly switch!!
Rob
|
Posted by respite, 02-08-2015, 03:33 PM |
This has sparked many debates on SOF but the general consensus is it's not any worse than a CA.
That being said - I would be much more worried about server level security such as passwords, ssh ports, ssh public key, disabling root, firewalls, logging, safe (up-to-date) kernels, OS and software plus a host of other common issues.
|
Posted by Tolis, 02-08-2015, 05:03 PM |
Securing a VPS needs more than an SSL.
Block ports and tune your iptables to cPanel ports, secure your cPanel, try to install at least APF. Generally, take a look at the tutorials on WHTForum.
|
Posted by critihost, 02-08-2015, 05:43 PM |
Disagree with an explanation and a couple exceptions.
Self-signed ssl cannot be decrypted easily, what are you basing this on?
Disagree with 100% secure as well, there is no such thing as 100% secure although we're splitting hairs now because for practical reasons it is secure.
What does manual migration have to do with this?
Now for my explanation on this theory; some will disagree, this is always an ongoing debate around pretty much everywhere.
If your certificate is properly generated it will be just as secure as any "trusted" certificate. You're doing the same thing to create it anyway. In theory your certificate may be more secure because it hasn't touched as many hands, been transferred over the network (including email in many cases!) and isn't stored by a third party with potential security issues. Large corporations even generate their own internal SSL certificates and employ their own CA server for the enterprise so they have 100% control over the certificate and whether it is considered valid or not.
When this isn't the case is if you have third parties connecting to this server and you're telling everyone just to store the certificate and remember it. This is because you don't have a practical way of revoking it in the event that it is compromised. In the case that it is just you this doesn't come into play. The other case is if you generate your own certificate using insecure methods.
The reality is, your server has much more vulnerable points than the certificate and certificates are hard to crack. Unless you are a massive company or enemy government or something similar then cracking an ssl certificate isn't an attractive target because it isn't cost effective versus other attack vectors.
EDIT:
An exception could be a man in the middle attack which is why in theory you should be verifying the certificate rather than blindly accepting. Still, if just for yourself the certificate is really the least of your worries. It really comes into play when serving others.
Last edited by critihost; 02-08-2015 at 05:48 PM.
|
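The post above notes that a self-signed certificate should be verified rather than blindly accepted, because otherwise a man in the middle can substitute a certificate of their own. As an added example (not code from the thread), here is a fingerprint-pinning check in Python: the pinned SHA-256 fingerprint is assumed to have been read on the server itself over SSH (for instance with `openssl x509 -noout -fingerprint -sha256 -in <certificate file>`), port 2083 is assumed as cPanel's default TLS port, and the certificate bytes at the bottom are constructed stand-ins so the comparison runs offline.

```python
import hashlib
import hmac
import socket
import ssl


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' (openssl style) or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(pinned))


def fetch_der_cert(host: str, port: int = 2083, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate without CA validation.

    Chain validation is switched off on purpose: a self-signed certificate
    has no chain a client trusts, so the pin comparison is the identity check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, pinned: str, port: int = 2083) -> bool:
    """Connect, then compare what the server presented against the pin."""
    return pin_matches(fetch_der_cert(host, port), pinned)


# Constructed stand-ins for DER bytes so the comparison logic runs offline.
SERVER_CERT = b"constructed-der-bytes-of-the-real-server-cert"
INTERCEPTOR_CERT = b"constructed-der-bytes-of-a-substituted-cert"
PINNED = ":".join(f"{b:02X}" for b in hashlib.sha256(SERVER_CERT).digest())

if __name__ == "__main__":
    print("genuine cert matches:", pin_matches(SERVER_CERT, PINNED))
    print("substituted cert matches:", pin_matches(INTERCEPTOR_CERT, PINNED))
```

Run `check_host` against the server before typing the cPanel password into a browser that has shown a certificate warning; a mismatch means the certificate presented on the wire is not the one stored on the server.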
Posted by RobInRockCity, 02-08-2015, 06:38 PM |
My girlfriend once accused me of being an enemy-of-the-state or something. (Let's hope she didn't tell the Feds!)
When I created my Comodo SSL, I used these 3 sites to check my work...
https://www.sslchecker.com/matcher
https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/
The first two URLs returned "OK" results. The last URL gave me an "F", but that apparently is because of some stuff I have to fix on Apache and not because of how I created my SSL.
Okay.
Rob
|