{ dubovsky.com rantings }

SSL certificates for a web site are pretty cheap, as is SSL-capable web hosting. However, for development reasons, I need a wildcard certificate and refuse to pay the several hundred dollars (annual) fee to a commercial CA to get one.

Long story short: if you’re trying to log in here (so you can post and such), your browser is probably warning you that my SSL certificate isn’t signed by a Certificate Authority that the browser knows. If you wish to solve this and help support a free community-based CA (CAcert.org), read on. If not, you can skip this.

To import the CAcert’s Root Certificate (allowing you to determine if CAcert’s customer certificates are valid or not), please visit their root certificate page.

(more…)

I’ve been meaning to post a few words of thanks to Diann here and properly give her credit for (among things too numerous to count) a lot of my site design ideas and motivation. She was the one who turned me on to div-based layouts, accessibility issues, and a host of other interesting matters. I teach her PHP and she teaches me CSS; quite the team!

I discovered that WordPress doesn’t support outputting secure (HTTPS) links for the login, admin, and registration pages. SSL seeems to be an all-or-nothing thing for them. It also doesn’t provide a way to limit your session cookies being only sent over a secure link. Since I do all my editing over secure links (there is customer data on this site!), this irked me a bit, so I looked for ways to work around it.

Jürgen Kreileder has a great blog entry on how to hack Wordpress to use secure administration pages. Alas, it does more than I want (comment spam management) and my web server doesn’t run the mod_proxy required to complete the URL output rewriting. I had to do something a bit more… sinister (read: hackish).

Theory:

• use part of Kreileder’s hack (see above) for ensuring the cookies are secure, the auth_redirect goes to a secure page, the admin_referrer check is for a secure page, and chuck the rest of it.
• replace the mod_proxy output link rewriting with an extremely hackish change to wp-config.php (the only file of which I’m aware that is included in every other page), buffering the output of the page via PHP’s ob_start and then going through and rewriting and “http://” links to sensitive pages with “https://” links. (I’m going to programmer’s hell for this.)
• a fairly simple .htaccess rewrite block to redirect insecure access to sensitive pages to their secure versions

It’s not pretty, but it works. Caveat emptor!

I’ve switched over to WordPress for keeping up the Rantings page here. I’ll be messing around with settings for a few days, but please email me if you see anything strange. Expect this place to be thin on content for a bit until I get the setup down.

The old rantings are still available.