<?xml version="1.0"?>
<rss version="2.0">
    <channel>
        <title>ode - a simple personal publishing platform for the web</title>
        <link></link>
        <description>Ode is simple! (Simple means that you know how it works.)</description>
        <language>en</language>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>
        <generator><!-- name="generator" content="ode/1.0" --></generator>
        <managingEditor>jennmartinelli@gmail.com (Jenn Martinelli)</managingEditor>
        <webMaster>robreed@gmail.com (Rob Reed)</webMaster>

<!-- Ode: head end -->

        <item>
            <title>Simple security</title>
            <link>/about_ode/security/simple_security.html#simple_security</link>
<description><![CDATA[ <p>Let's be honest, security isn't that simple. We can keep security simple for Ode by doing as little as possible. Anything we do in Ode itself is unlikely to improve the security outlook and in fact may introduce more risk. Instead, let's rely on some trusted friends: SSH, SFTP, SSL.</p>

<p>SSH is a network protocol that allows for secure data exchange between computers. SSH is a well tested, widely distributed, open standard and is very well regarded. What's more, SSH is very flexible, making possible a wide range of communications, from remote administration through a secure console, to file transfer, to tunneling of other protocols (whereby insecure applications and their protocols are redirected to a remote host over the encrypted SSH connection).</p>

<p>SFTP is a file transfer protocol which is typically implemented on top of SSH. Using SFTP is no more difficult than using FTP; in fact many people confuse the two. Chances are that your file transfer client supports SFTP (if not, it's time to get a new client).</p>

<p>Both SSH and SFTP are relatively easy <em>to use</em>. The details of how they work to establish and maintain a secure channel are actually quite complex. Support for SSH and SFTP is built into most modern mainstream operating systems, and available for all of them. Furthermore, if you plan on hosting your site, you should expect your provider to support at least SFTP in addition to possibly other secure mechanisms for interacting with your site (all of which will work well with Ode). See the documentation for help enabling and using SSH and SFTP for Linux, Mac OS X, and Windows.</p>

<p>Last but not least there is TLS (Transport Layer Security)/SSL (Secure Sockets Layer). If you have heard of SSL but not TLS, it is an update to SSL intended to bring SSL into the fold as a standard internet protocol (under the auspices of the IETF) as well as introduce some new features and resolve outstanding issues with SSL.</p>

<p>These protocols provide for secure transactions between browser and server on the web, i.e. secure HTTP transactions. HTTP is the application protocol of the web and is itself not secure. SSL is a secure lower level protocol which can be used to encrypt and transport HTTP data. Support for the protocol is included in all mainstream web browsers in such a way that it is easy to secure transactions between the browser and a web server using SSL. Like SSH and SFTP, SSL is easy <em>to use</em>. Unlike SSH and SFTP, the web server must be configured properly to use SSL. Configuring your web server to use SSL is not necessarily difficult to do, but it is not trivial either.</p>

<p>If you are hosting your site, your provider may be able to help you configure your website to use SSL (they will probably charge you a fee for this service). If you are hosting your own server you can configure your server to use SSL on your own. See the documentation for help setting up SSL for Apache.</p>

<p>Do you need to use SSL? It depends. If you are sending sensitive information between your web browser and a web server then yes, you really should use SSL. OK, so do I need to do that? Normally no, but there is an exception.</p>

<p>The rule</p>

<p>Typically the information you transmit between your web browser and a web server is not secure. The whole idea of having a public web server is to share information. If anyone is free to browse the content of your site, there is little point in encrypting and otherwise securing that same content while it is en route. You should never store information you do not intend to make public on a public web server unless you are absolutely confident you know what you're doing.</p>

<p>The exception</p>

<p>The Editedit addin allows you to post to your site through a browser. Presumably the post is intended to be public, so as discussed above we don't necessarily care about encrypting the post. However, so that not just anyone can edit your posts, Editedit includes a basic password mechanism. When the option to use a password is enabled, the correct password must be specified to add or edit content on the site. Without SSL, this password will be transmitted as clear text. Unlike the post, the password is sensitive, because with the password anyone can edit your site. So you really should enable SSL to secure the password whenever you use the Editedit addin.</p>

<p>Generally speaking, it is not super difficult to configure SSL, though it is a bit of a pain. Unfortunately, for those of you with a hosting provider, you are subject to their requirements, restrictions (and fees).</p>

<p>One final point I want to make about SSL: typically setting up SSL involves creating a certificate, which is essentially an identifier and a key, and having that certificate signed by a certificate authority, which is a third party well known to be reputable and capable of verifying and endorsing the identity of the entity represented by the certificate.</p>

<p>If you don't know anything about cryptography, it's enough for the discussion here to know that a key is a randomly generated string of sufficient length and complexity that it cannot be guessed or discovered through trial and error.</p>

<p>The Certificate Authority (CA) plays an integral role in guaranteeing the security of public key cryptography. Communication cannot be considered secure unless the authenticity of all entities involved can be established, i.e. there must be a guarantee that you know with whom you are communicating.</p>

<p>That having been said, if you are setting up SSL on your own server solely for your own use, then you can forgo the CA and 'self-sign' your own certificate. You can know that the key is valid without the CA's validation. This may be sufficient for your Ode blog, as long as you are the only person who needs to trust that the certificate is valid. If on the other hand you are using Ode in such a way that visitors need to use SSL, then please do work with a certificate authority in the process of setting up SSL. See the documentation for help setting up SSL for Apache.</p>

<p>Please do invest the reasonable amount of time and effort required to configure SSL. You'll only need to do it once.</p>

<p>The final point I want to make about security has to do with passwords.</p>

<p>It is highly recommended that any password you use with Ode be different from any other password used on your system!</p>

<p>Otherwise, please be careful to choose a good password.</p>

<p>Some simple guidelines:</p>

<ol>
<li>Password should be at least 6 characters long (preferably 8 or more)</li>
<li>should not be included in any dictionary</li>
<li>should use a combination of upper and lowercase alpha characters and digits</li>
<li>should not be associated with you in any way</li>
<li>should not be based on a visual cue 'hidden' anywhere near your computer</li>
</ol>

<p>That's the end of this short introduction to Ode.</p>

<p>Check back for updates (or <a href="http://ode-is-simple.com/home/index.rss2" title="RSS 2.0 feed for ode-is-simple.com/home">subscribe to the site's feed</a>).</p>

<p>You will find more info at <a href="news.ode-is-simple.com/weblog" title="A weblog about Ode (ode-is-simple.com)">news.ode-is-simple.com/weblog</a>, which is a new weblog dedicated to Ode, and topics relevant to the project.</p>

<p>Feel free to contact me if you have any questions or comments at rob @ ode-is-simple dot com.</p>
 ]]></description>
            <pubDate>Wed, 11 Feb 2009 13:15:52 </pubDate>
            <guid>2009/02/11/13/15/52/index.html#simple_security</guid>
        </item>

<!-- Ode: posts end -->

    </channel>
</rss>
