[FX.php List] When to start SSL on a site

Jonathan Schwartz jschwartz at exit445.com
Thu Apr 8 10:35:29 MDT 2010


From my favorite movie, "When Harry Meets Sally",..."You're right. 
You're right. I know you're right".

And I just got finished splitting the pages into ssl and non-ssl 
directories. Grrrr.....

Thanks guys.  I know what I have to do now.


Jonathan



At 9:44 AM -0500 4/8/10, Dale Bengston wrote:
>Agreed all the way around. If you're implementing SSL, just put your 
>entire web app in that environment.
>
>Dale
>
>On Apr 8, 2010, at 9:24 AM, Leo R. Lundgren wrote:
>
>>  If I make a site that needs to be secured, and HTTPS is part of 
>>it, I default to using HTTPS for the entire site. Why wait?
>>
>>  So in short; I rewrite/redirect HTTP to HTTPS in order to force the latter.
>>
>>  Regarding the form; IMO it's vital that you don't output the login 
>>form on a page that is insecure. Consider the possibility that an 
>>attacker hijacks the insecure page on which the login form is, and 
>>thereby manages to change the URL that the form targets. In such a 
>>situation it doesn't matter that the URL you *intended* the form to 
>>target is secure, because the form itself isn't.
>>
>>
>>  On 8 Apr 2010, at 15:55, Jonathan Schwartz wrote:
>>
>>>  Hi Folks,
>>>
>>>  Just thought I would throw this out...
>>>
>>>  In creating a site that starts out with non-ssl content (5-6 
>>>pages) and offers a login to access ssl content, where do you 
>>>switch over to the ssl content?  Specifically, if the login form 
>>>is embedded in all the non ssl pages (user can login from any of 
>>>the non-ssl pages) and the form action points to a page on the ssl 
>>>side for login validation, is this considered secure? I'm thinking 
>>>not, but then how do you offer a secure login without making the 
>>>entire site ssl/https?
>>>
>>>  Thanks for listening.
>>>
>>>  Jonathan
>>>  --
>>>  Jonathan Schwartz
>>>  Exit 445 Group
>>>  jonathan at exit445.com
>>>  http://www.exit445.com
>>>  415-370-5011
>>>  _______________________________________________
>>>  FX.php_List mailing list
>>>  FX.php_List at mail.iviking.org
>>>  http://www.iviking.org/mailman/listinfo/fx.php_list


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011

