WeBWorK Main Forum

Testing secure (http/SSL) webwork server. Issues.

by Lars Jensen -
Number of replies: 4
Hi Everyone,

We're testing a secure (https/SSL) webwork setup on our test server, and have a couple of questions.

First, what fraction of webwork servers out there runs https? Are any breakdown numbers available?

Next, mostly everything in our test setup is working smoothly. One issue we found is when using the Firefox browser, where accessing the main webwork page or a course login page results in a "Connection not secure. Parts of this page are not secure (such as images)," warning message. The message appears when I click the padlock with exclamation mark in the URL - see screenshot. After logging in, the padlock turns green and all other pages have a green padlock displayed in the same place and no warning message. (This behavior only occurs with Firefox. The Chromium browser does not show any warnings on any pages.) How can I fix this and avoid the Firefox warnings? Is this because the main webwork page and the course login page contain some http-links? (It doesn't look so great when the login page to a site displays a "not secure" warning.)

Lastly, while mostly everything seems to test out smoothly, one time I accessed a homework set, the images were broken. Is there any risk that we may encounter issues with cached webwork images/formulas when running an https server?

Thanks,
Lars.
Attachment firefoxMainPage.png
In reply to Lars Jensen

Re: Testing secure (http/SSL) webwork server. Issues.

by Danny Glin -
It looks like the firefox warning is coming from an image embedded in your site information. It looks like the image is no longer available, which might be why the other browsers don't complain about mixed content.

If you edit /opt/webwork/webwork2/htdocs/site_info.txt, and either remove the image, or change it to an https link, it should fix the warning.

We have had SSL enabled for several years, and last year we switched to SSL only, but we have a proxy server handling the incoming connections, so SSL isn't configured directly on our WeBWorK servers.
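The check suggested in the reply above can be automated. The following is an added example, not part of the original posts and not WeBWorK code: it scans an HTML fragment such as site_info.txt for subresources loaded over http://, and it treats plain `<a href>` links as navigation, which does not count as mixed content. The tag lists, the function name `find_mixed_content` and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
# Passive content (images, media) typically yields a padlock warning;
# active content (scripts, frames, stylesheets) is typically blocked.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class MixedContentFinder(HTMLParser):
    """Collect (line, kind, tag, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            kind, url = "active", attrs.get("href")
        elif tag in ACTIVE:
            kind, url = "active", attrs.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, url = "passive", attrs.get(PASSIVE[tag])
        else:
            return  # <a href> is navigation only, not mixed content
        if url and urlparse(url.strip()).scheme.lower() == "http":
            self.findings.append((self.getpos()[0], kind, tag, url.strip()))


def find_mixed_content(html_text):
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample standing in for a site_info.txt fragment.
SAMPLE = """<h2>Welcome</h2>
<p>See <a href="http://example.edu/help">the help page</a>.</p>
<img src="http://example.edu/logo.png" alt="logo">
<img src="https://example.edu/banner.png" alt="banner">
<script src="HTTP://example.edu/widget.js"></script>
"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind} mixed content in <{tag}>: {url}")
```

To check a real file, pass its contents to `find_mixed_content` instead of `SAMPLE`; each finding gives the line to edit.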
In reply to Danny Glin

Re: Testing secure (http/SSL) webwork server. Issues.

by Lars Jensen -
Hi Danny,

Thanks for your reply. Your guess was right on: It was an http link in my site_info.

Lars.
In reply to Lars Jensen

Re: Testing secure (http/SSL) webwork server. Issues.

by Lars Jensen -
Hi again,

A couple of questions more regarding server security:

We authenticate to AD via LDAP when we log in to webwork. We can use ldap or ldaps. My questions are:

If I enable https/SSL on the webwork server, does it make any difference whether I configure authen_ldap to use ldap or ldaps for authentication? Do I gain anything by using ldaps in this case?

If my webwork server is set up with plain http (no SSL), and I configure authen_ldap to use ldaps for authentication, will passwords be encrypted over the network during authentication?

Thanks,
Lars.
In reply to Lars Jensen

Re: Testing secure (http/SSL) webwork server. Issues.

by Danny Glin -
These two things are independent. Setting up the server with https means that traffic between the user's computer and the WeBWorK server is encrypted. ldap vs. ldaps affects the connection between the WeBWorK server and the LDAP server.

Since your students are using passwords that they use for other services, it's important to use https with the WeBWorK server. If you use http, then student passwords are being sent in plain text over the internet.

Regarding ldap vs. ldaps, the first comment is that encrypted traffic is always better than unencrypted, so if at all possible you should be using ldaps. As for the risks of using ldap, it partly depends on your network configuration. If the WeBWorK server and LDAP server are both on the same secure network, then there is little chance of someone intercepting network traffic containing passwords. If there are any public networks between the two servers, then you really need to be using ldaps.