  1. #1
    Registered User
    Join Date
    Oct 2010
    Posts
    4

    whm cpanel http 2082 2086 insecure

    I'd be very grateful if anyone could give me some advice about the following:

    From a security point of view, is it a good idea to log in via these ports (2082 and 2086) to work with cPanel and/or WHM?

    Or is it imperative to work only with https with the secure ports (2083 and 2087)?

    When trying to use these secure ports we get a warning message from the browser that the ssl certificate is not trusted. We've been told that no data needs to be sent securely.

    Any advice much appreciated! TIA

  2. #2
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator


    When sending passwords for login, it's imperative to use https rather than http for connections, so yes it does matter if you use 2082 or 2086 over 2083 or 2087. In WHM > Tweak Settings, https can be forced for all cPanel, WHM and Webmail logins:

    Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.
    Next, the warning prompt on the SSL is due to using a self-signed certificate. It's simply a warning about it being from an untrusted source and doesn't impact the SSL working.

    If you don't want to receive the warning prompt, you could purchase an SSL for the server's hostname, then install it in WHM > Manage Service SSL Certificates area for cPanel/WHM/Webmail. This would then no longer produce a warning due to being a purchased cert rather than self-signed.

    Whoever told you that you didn't need to use https to send sensitive data (logins and passwords) was not correct. Sending data insecurely using http is the best way to have your passwords stolen and have a security breach.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  3. #3
    Registered User
    Join Date
    Oct 2010
    Posts
    4

    login password insecure ssl

    Thank you very much for your help.

    Does this mean that IF we have reason to assume that the company providing us with this service is legitimate (and that the warning only comes up because they simply haven't paid to get a certificate, deciding to stay self-signed instead) we could log in via the secure ports and ignore the warning from our browser?

    In other words, can we have a secure connection by choosing the secure ports, despite the absence of a certificate - just as long as we are prepared to accept the risk of assuming that the company is legitimate in the first place?

    Much obliged for the info!

  4. #4
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,893
    cPanel/Enkompass Access Level

    Root Administrator


    You can install the self-signed cert into your browser easily enough and the warning will not be shown any more. You should always want to use secure ports if possible.

    Depending on the browser, this task varies in how it's done by the end user but it's not too tough.

  5. #5
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator


    Quote, originally posted by tiolon:
    In other words, can we have a secure connection by choosing the secure ports, despite the absence of a certificate - just as long as we are prepared to accept the risk of assuming that the company is legitimate in the first place?
    This statement isn't accurate. A self-signed certificate is still a certificate. There is not an absence of a certificate in this instance. You cannot even connect on https if there's no certificate. The only difference between a self-signed certificate that has a warning about untrusted and a purchased certificate that's trusted is that the vendors of a purchased certificate have gotten the browser providers to add them to a trusted list. The same encryption and security is there no matter whether the certificate is self-signed or purchased.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
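
Added example, not part of any post in this thread and not cPanel code: one way to confirm that the self-signed certificate behind the browser warning is really the server's own, by comparing its SHA-256 fingerprint with one the hosting provider supplies over a separate channel. The host name and expected fingerprint are values you supply on the command line; 2087 is the WHM HTTPS port named in the thread.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    hexchars = text.replace(":", "").replace(" ", "").strip().lower()
    if len(hexchars) != 64 or any(c not in "0123456789abcdef" for c in hexchars):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexchars


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 2087, timeout: float = 10.0) -> bytes:
    """Fetch the server certificate WITHOUT chain validation.

    Validation is disabled only so a self-signed certificate can be
    retrieved; trust is decided afterwards by the fingerprint comparison.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_matches_pin(der_cert: bytes, expected: str) -> bool:
    """True only if the certificate's fingerprint equals the expected one."""
    return hmac.compare_digest(sha256_fingerprint(der_cert),
                               normalize_fingerprint(expected))


if __name__ == "__main__":
    # Usage: python check_pin.py <hostname> <expected-sha256-fingerprint>
    host, pin = sys.argv[1], sys.argv[2]
    ok = cert_matches_pin(fetch_der_cert(host), pin)
    print("fingerprint matches" if ok else "MISMATCH: do not log in")
    sys.exit(0 if ok else 1)
```

A match means the certificate installed or accepted in the browser is the one the provider issued; a mismatch means the connection is encrypted to some other endpoint and the password should not be entered.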

  6. #6
    Registered User
    Join Date
    Oct 2010
    Posts
    4


    Thank you, that's reassuring to know and is what we hoped would be the case. (What we meant was the absence of a certificate _in a trusted list_ ... expressed it badly, sorry!) btw, what is the benefit of a trusted certificate?

  7. #7
    Registered User
    Join Date
    Oct 2010
    Posts
    4


    Thank you! We've done that, now that it's clearer...
