redfury Posted December 30, 2014 Share Posted December 30, 2014 My site bugeyed.net has an SSL Certificate applied to it but failed the PCI compliance scan with this error..[There is a web application running on this host that transmits login credentials over HTTP, which is a clear-text protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.] Their recomendation is to....[All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such redirection occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that redirection is not reliant upon the client (browser) side.] I have already spoken with HG and they tried to edit the .htaccess file but said that wasn't working - it was putting it in a loop because of the #### Rewrite rules for SEO functionality #### Any ideas for the best way to redirect the http to an https login page? Thanks in advance! Quote Link to comment Share on other sites More sharing options...
bsmither Posted December 31, 2014 Share Posted December 31, 2014 Looking at your site, I am under the impression you have changed the setting in Store Settings to force SSL on all CubeCart pages. So, is this still an issue? Quote Link to comment Share on other sites More sharing options...
redfury Posted December 31, 2014 Author Share Posted December 31, 2014 I did change the store settings to force SSL on all CubeCart pages yesterday and that did not seem to be working at the time. Now it looks like that part is working so I will run another PCI scan and post the results later today. Thanks! Quote Link to comment Share on other sites More sharing options...
redfury Posted December 31, 2014 Author Share Posted December 31, 2014 Still failed PCI Scan .... PCI Scan says...There is a web application running on this host that transmits login credentials over HTTP, which is a clear-text protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information. Location: http://www.bugeyed.net/admin.php When I type http://www.bugeyed.net/admin.phpI do not automatically get redirected to the HTTPS and can log in under the http still. Any ideas? Quote Link to comment Share on other sites More sharing options...
redfury Posted December 31, 2014 Author Share Posted December 31, 2014 Ok - having HG implement mod_rewrite directives that would redirect these requests to https. Running another scan now. Will post back soon with the results. Fingers crossed Quote Link to comment Share on other sites More sharing options...
bsmither Posted December 31, 2014 Share Posted December 31, 2014 We would like to ask if you have entries in Store Settings, SSL tab:SSL root path e.g. /store/ <= typically just / SSL Store URL e.g. https://www.example.com/store<= no trailing slash We want to also direct your attention to the padlock (that should be visible) in the user/pass block. It may show as open. If so, click it to refresh the page as https. I wonder why, if all pages are to be secure, this page is still not secure. Quote Link to comment Share on other sites More sharing options...
redfury Posted December 31, 2014 Author Share Posted December 31, 2014 Padlock shows closed, site is working correctly and passed PCI scan. Whew I attached an image of my SSL page in store settings for your review. I'm just happy it's fixed and maybe this will help someone else out in the future. Thanks!! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.