whm cpanel http 2082 2086 insecure

Discussion in 'General Discussion' started by tiolon, Oct 25, 2010.

  1. tiolon

    tiolon Registered

    Joined:
    Oct 25, 2010
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I'd be very grateful if anyone could give me some advice about the following:

    From a security point of view, is it a good idea to log in via these ports (2082 and 2086) to work with cPanel and/or WHM?

    Or is it imperative to work only with https with the secure ports (2083 and 2087)?

    When trying to use these secure ports we get a warning message from the browser that the SSL certificate is not trusted. We've been told that no data needs to be sent securely.

    Any advice much appreciated! TIA
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    When sending passwords for login, it's imperative to use https rather than http for connections, so yes it does matter if you use 2082 or 2086 over 2083 or 2087. In WHM > Tweak Settings, https can be forced for all cPanel, WHM and Webmail logins:

    Next, the warning prompt on the SSL is due to using a self-signed certificate. It's simply a warning about it being from an untrusted source and doesn't impact the SSL working.

    If you don't want to receive the warning prompt, you could purchase an SSL for the server's hostname, then install it in WHM > Manage Service SSL Certificates area for cPanel/WHM/Webmail. This would then no longer produce a warning due to being a purchased cert rather than self-signed.

    Whoever told you that you didn't need to use https to send sensitive data (logins and passwords) was not correct. Sending data insecurely using http is the best way to have your passwords stolen and have a security breach.
     
  3. tiolon

    tiolon Registered

    login password insecure ssl

    Thank you very much for your help.

    Does this mean that IF we have reason to assume that the company providing us with this service is legitimate (and that the warning only comes up because they simply haven't paid to get a certificate, deciding to stay self-signed instead) we could log in via the secure ports and ignore the warning from our browser?

    In other words, can we have a secure connection by choosing the secure ports, despite the absence of a certificate - just as long as we are prepared to accept the risk of assuming that the company is legitimate in the first place?

    Much obliged for the info!
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You can install the self-signed cert into your browser easily enough and the warning will not be shown any more. You should always want to use secure ports if possible.

    Depending on the browser, this task varies in how it's done by the end user but it's not too tough.
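
An added example, not part of any post in this thread and not cPanel code: before adding a browser exception for the self-signed certificate on port 2083 or 2087, compare the SHA-256 fingerprint the server presents with one obtained from the hosting provider over a separate channel. The host name and certificate bytes are constructed, and `safe_to_accept` is a hypothetical helper name.

```python
import hashlib
import hmac
import socket
import ssl

WHM_TLS_PORT = 2087  # secure WHM port named in the thread (cPanel uses 2083)


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, formatted AA:BB:... as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept fingerprints pasted with colons, spaces or mixed case.
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def pin_matches(der_cert: bytes, expected_fp: str) -> bool:
    """True only if the presented certificate is exactly the published one."""
    expected = _normalize(expected_fp)
    if len(expected) != 64:  # not a full SHA-256 value: refuse rather than guess
        return False
    actual = _normalize(sha256_fingerprint(der_cert))
    return hmac.compare_digest(actual, expected)


def fetch_server_cert_der(host: str, port: int = WHM_TLS_PORT,
                          timeout: float = 10.0) -> bytes:
    """Retrieve the certificate the server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # validation is off only to read the certificate;
    ctx.verify_mode = ssl.CERT_NONE  # no credentials are sent on this connection
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def safe_to_accept(host: str, expected_fp: str, fetch=fetch_server_cert_der) -> bool:
    """Fetch the live certificate and compare it with the out-of-band fingerprint."""
    return pin_matches(fetch(host), expected_fp)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate, so this runs offline.
    sample_der = b"constructed-sample-certificate-bytes"
    published = sha256_fingerprint(sample_der)
    print(safe_to_accept("server.example.com", published, fetch=lambda h: sample_der))
    print(safe_to_accept("server.example.com", published, fetch=lambda h: b"other"))
```

A mismatch means the certificate on the wire is not the one the provider issued, so the browser warning should not be clicked through for that connection.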
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    This statement isn't accurate. A self-signed certificate is still a certificate. There is not an absence of a certificate in this instance. You cannot even connect on https if there's no certificate. The only difference between a self-signed certificate that has a warning about untrusted and a purchased certificate that's trusted is that the vendors of a purchased certificate have gotten the browser providers to add them to a trusted list. The same encryption and security is there no matter whether the certificate is self-signed or purchased.
     
  6. tiolon

    tiolon Registered

    Thank you, that's reassuring to know and is what we hoped would be the case. (What we meant was the absence of a certificate _in a trusted list_ ... expressed it badly, sorry!) btw, what is the benefit of a trusted certificate?
     
  7. tiolon

    tiolon Registered

    Thank you! We've done that, now that it's clearer...
     