[FX.php List] When to start SSL on a site
Dale Bengston
dbengston at tds.net
Thu Apr 8 08:44:27 MDT 2010
Agreed all the way around. If you're implementing SSL, just put your entire web app in that environment.
Dale
On Apr 8, 2010, at 9:24 AM, Leo R. Lundgren wrote:
> If I make a site that needs to be secured, and HTTPS is part of it, I default to using HTTPS for the entire site. Why wait?
>
> So in short; I rewrite/redirect HTTP to HTTPS in order to force the latter.
>
> Regarding the form; IMO it's vital that you don't output the login form on a page that is insecure. Consider the possibility that an attacker hijacks the insecure page on which the login form is, and thereby manages to change the URL that the form targets. In such a situation it doesn't matter that the URL you *intended* the form to target is secure, because the form itself isn't.
>
>
> 8 apr 2010 kl. 15.55 skrev Jonathan Schwartz:
>
>> Hi Folks,
>>
>> Just thought I would throw this out...
>>
>> In creating a site that starts out with non-ssl content (5-6 pages) and offers a login to access ssl content, where do you switch over to the ssl content? Specifically, if the login form is embedded in all the non ssl pages (user can login from any of the non-ssl pages) and the form action points to a page on the ssl side for login validation, is this considered secure? I'm thinking not, but then how do you offer a secure login without making the entire site ssl/https?
>>
>> Thanks for listening.
>>
>> Jonathan
>> --
>> Jonathan Schwartz
>> Exit 445 Group
>> jonathan at exit445.com
>> http://www.exit445.com
>> 415-370-5011
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
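The approach the thread settles on (redirect every HTTP request to HTTPS, and never render the login form on a plain-HTTP page) can be sketched in PHP as follows. This is an added example, not code from any poster in the thread; `CANONICAL_HOST`, `www.example.com` and `login.php` are assumed placeholders.

```php
<?php
// Added example. CANONICAL_HOST is an assumed placeholder for the site's real host name.
const CANONICAL_HOST = 'www.example.com';

/** True when the current request arrived over TLS. */
function request_is_https(array $server): bool
{
    // PHP sets HTTPS to a non-empty value other than "off" for TLS requests.
    // Behind a TLS-terminating proxy this is not set; check the proxy's own
    // header there, and only if the proxy is the sole path to the server.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** HTTPS URL for the same path, built from a fixed host, not the client's Host header. */
function https_url_for(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // anything that is not a path falls back to the site root
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

/** Redirect plain-HTTP requests before any page content is produced. */
function force_https(array $server): void
{
    if (!request_is_https($server)) {
        header('Location: ' . https_url_for($server), true, 301);
        exit;
    }
}

force_https($_SERVER);

// Only reached over HTTPS. Mark the session cookie Secure and HttpOnly so it
// is never sent on a plain-HTTP request.
session_set_cookie_params(0, '/', CANONICAL_HOST, true, true);
session_start();
?>
<!-- The form is served over HTTPS and posts to a relative URL, so the
     submission stays on HTTPS as well. -->
<form method="post" action="login.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
```

Including the same `force_https()` call at the top of every page gives the "entire site on HTTPS" behaviour described above.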