Security Rebuttal - any ideas
Posted: Tue Feb 14, 2006 4:07 pm
by Anonymous
One of my clients' employees is bothering us about CMSMS' security. She thinks that because it doesn't use "https" it isn't secure.
What is a good rebuttal?
I really like CMSMS (though I would love a blogging feature). Thanks.
Re: Security Rebuttal - any ideas
Posted: Tue Feb 14, 2006 9:18 pm
by jelle
So what made your client think it is not using https?
Maybe I have understood wrong, but nothing is stopping you from serving your cmsms from an https server. It will slow it down some, but not much, as most of the time is eaten by the db and templating stuff, not the protocol.
But what exactly does the user wish to protect? Content? The admin passwords?
An eavesdropper would probably be able to hear passwords going over the line if he is in the right network segment. You will need to put that on https to stop that from happening, so far your client is right.
It is not impossible to do that, I think. The quickest way (not beautiful at all) is to have two separate source trees, the https one not accessible from the http side. Delete the whole admin section from the insecure http tree. Search and replace any references to the admin section and make sure they use https (don't know yet how to do that). Copy the config.php to your https tree and change the URLs in it accordingly. Since you use the same db, you will have the same site, but with the admin section (where cookies containing a passhash go over the line) fully secured. That puts the burden back on the user to choose a strong password and/or not fall for social engineering tricks/spyware/worms etc.
As you can see, that is not too hard, but it is not simple either. Part of it is that https and certificates are just not very simple. Personally I love cmsms for its simplicity, and I'll take the less than perfect security for granted.
Probably you can do some of this stuff with Apache too. Instead of two source trees, have the http virtualhost alias /admin to a script that redirects to the https login, and add some code in fileloc.php to change the config file based on the protocol used.
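The Apache variant of this split, written out as an added example (not from this thread, not from the CMSMS project): one source tree, one database, the plain-http vhost bounces every request under /admin to the TLS vhost, and only the TLS vhost actually serves it. Hostname, document root and certificate paths are placeholders; mod_rewrite and mod_ssl are assumed to be loaded.

```apache
# Added example; hostname, paths and certificate files are placeholders.

# Plain-http vhost: public pages only.
<VirtualHost *:80>
    ServerName www.example-township.org
    DocumentRoot /var/www/cmsms

    # Redirect anything under /admin to the https vhost before it is served,
    # so the login form and the admin cookie never travel in clear text.
    RewriteEngine On
    RewriteRule ^/admin(/.*)?$ https://www.example-township.org/admin$1 [R=301,L]
</VirtualHost>

# TLS vhost: same document root and same database, but /admin is reachable here.
<VirtualHost *:443>
    ServerName www.example-township.org
    DocumentRoot /var/www/cmsms

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-township.pem
    SSLCertificateKeyFile /etc/ssl/private/example-township.key
</VirtualHost>
```

After reloading Apache, a request such as `curl -I http://www.example-township.org/admin/` should answer with a 301 whose Location header starts with https://; if it returns 200, the admin area is still being served in the clear. The URLs in config.php still have to point at the https host for the admin links, as described above, otherwise the admin pages themselves will emit http links that land back on the redirect.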
Security Rebuttal - any ideas
Posted: Wed Feb 15, 2006 8:25 pm
by Anonymous
Thanks for the great answer.
In the meantime, are the passwords encrypted?
My client is a Township (government) and one of the subordinate workers is squawking about security because her brother works for Sun. She thinks that because "https" is not listed in the admin's URL, the admin area is not secure. There isn't any top secret information on the site except the passwords to log in to the admin area.
So, what would you tell someone who thinks CMSMS is insecure?
Thanks a bunch!
Re: Security Rebuttal - any ideas
Posted: Wed Feb 15, 2006 10:55 pm
by jelle
Well, she is right, of course. It just costs extra (effort, money or both) to move the admin area to https.
Initially (afaik) the password goes over the line unencrypted, and comes back as an md5 hash. The hash will not tell you the original password, but recreating the right cookies will give you access (that is a drawback of how the unlimited login is implemented).
I described a possible implementation for this; you can make your own estimates of how much work this will be, and how much it is going to cost. I think it is negligible compared to the actual work you'll have to do inside cmsms creating the website.
Trying to come up with a rebuttal is pointless (she is right). Coming up with a price tag is much clearer and will help get the priorities clear.
Re: Security Rebuttal - any ideas
Posted: Thu Feb 16, 2006 12:14 am
by LeisureLarry
But make it really, really expensive. I know a person who always thinks he can get around those jobs with high prices, but they are never high enough.

Re: Security Rebuttal - any ideas
Posted: Thu Feb 16, 2006 3:04 am
by Anonymous
Thanks a lot for your answers! I really appreciate it.
Re: Security Rebuttal - any ideas
Posted: Thu Feb 16, 2006 2:59 pm
by jelle
Larry,
What is wrong with implementing security? As far as I know it's just work, so there is no need to drive the price up. From my estimates it is 3 - 5 function points, so between 1.5 and 2.5 days' work, but very experienced sysadmins might be able to do it in one day. But those are my estimates; double and round up to the nearest unit and you will get a safe estimate.
Re: Security Rebuttal - any ideas
Posted: Thu Feb 16, 2006 3:14 pm
by LeisureLarry
There is nothing wrong with implementing security.
I only wanted to say that if you don't want to do it and try to shock the customer with a high price, then make it really high.
