The sites I mentioned do have the funds and technical expertise to make competent, security decisions and have decided ssl is not merited for their sites. This indicates the practice is up for debate.
Obviously, the level of security is not going to be the same for different applications. There is a cost associated with security and a calculation needs to be made.
This discussion has made me think of alternative ways to handle low security access without sacrificing protection of data. For example, the password could be automatically generated using random common words or the assets could be mailed as attachments.
If it’s a simple matter of requiring users to choose a strong password, just add a password strength tester to the registration form and don’t allow weak passwords through.
I think its more an issue of password ownership than its strength. In other words, the user name and password combination might be used on any number of sites. If the transmission was intercepted a hacker might be able to gain access to online banking, email, or other important areas. The auto assignment of password ensures that the password is unique.
Fairly annoying nowadays that one can’t self-sign certificates as ‘modern’ browsers in their ‘phishing war’ attempts flag you up as potentially an issue. It’s a good thing really but you’re left choosing when best to actually ‘shell out moola’ for a ‘real’ certificate!
Definitely anything to do with e-commerce even if its just on the shopping cart and or member area before you fling customers off to a payment processor.
Giving your users that extra ‘touch’ of security is worth every penny.
I am very eager to know about the different types of tips for others in knowing about the SSL in a necessary manner. It helps others in meeting their satisfaction in a better way by achieving the best results for others. This is completely a fine type of solution for others in making the different types of results for their work to move in a well balanced manner.
It is a great stuff for others to get some techniques over there.
No. If you handle user data, secure it. If you can’t secure it, don’t store it. You don’t store clear password, you hmac them; so why let anyone see their password / auth cookies in the clear by anyone behind the user computer and your server.
If you connect from work, you pass already through a lot of things people have access to.
If you use TOR, the entry and end points see what you’re sending.
How many different and secure password do you use on different websites ? Would you like someone try to use your login / pwd on other sites ?
SSL should be the standard.
And if big sites are your references, you should not forget that even mighty Google got caught with a CSRF hole the size of a moon in gmail.
That would be impossible to give every login an SSL connection. A, you will need a certificate, self-signed is fine for controlled systems but not public. B, you will be needing a dedicated IP one for every domain. Not an cheap propitiation. You also have to take traffic into consideration. Lots of traffic without a large infrastructure would topple over with the overhead of de/en-cryption.
And if big sites are your references, you should not forget that even mighty Google got caught with a CSRF hole the size of a moon in gmail.
Hmm…I fail to see how that has anything to do with SSL and encryption.
The chances of data being intercepted while en route over the internet are SO tiny. I’d be far more worried about the security of the data at the end points, where it is stored.
The only place I’d worry about snooping data is if your clients are using unsecure wireless access points. Unfortunately that has made things far more snoopable.
Initially. Given a random string (for example) that holds no mnemonic cues, a user is more likely to change their password to something that is easier for them to memorize. Worse, many users would have to write it down so as not to lose it. I have so many nonsensical passwords at work that have so many constraints (e.g., “must contain at least one special character”) and am required to change them so frequently that I couldn’t possibly memorize them all.
With hundreds of domains currently in existence for every usable IPv4 address that can’t possibly be done until the entire internet switches to IPv6.
Once the internet is on IPv6 there will be so many thousands of IP addresses available for each person that a separate IP address for each domain name will be standard.
A certificate from a root CA is more then $30/year. Unless you have a link to prices?
So, you need a dedicated server. For security of your user’s data, shared is already a no-no.
A dedicated server is a different matter then a dedicated IP address. A dedicated server can still be sharing a range of IPs with other servers. And also depending on the nature of the site and the traffic, one sever may or may not be enough.
I am very eager to know about the different types of tips for others in knowing about the SSL in a necessary manner.I built a site where users log in to access a document library. The data protected does not require a high degree of security so ssl was not used. They have a client complaining that their username and password are being transmitted in clear text and in return, complaining to me.
“When is SSL necessary”
whenever you send private information over the internet.
the only reason you would not want to use ssl is when you don’t want to pay for it or don’t want the “insecure site” message appearing in the users browser.
The majority of sites that use SSL are those that involve ecommerce and such. Most sites where the only “private” info are user ids and passwords don’t bother to encrypt them unless there is considered to be something extremely valuable within the membership site.
So forums such as this one do not bother to use SSL for the login because the info inside isn’t considered to be needing that level of protection. If someone were to steal your account using a man-in-the-middle attack it wouldn’t be too hard to get it back. Where someone capturing your userid and password from this site would be a problem is if you were silly enough to use the same password at your bank and the man-in-the-middle were able to figure out which bank you bank with so as to use the password captured here to access your bank account.
That’s why it is important to not use the same password for all the sites you access. At the very least each site where SSL is appropriate should have a different password that you don’t use anywhere else. Sharing the same password between a few forum sites isn’t such an issue.
The only benefit to using SSL on sites such as forums would be to protect the passwords of those people silly enough to have used the same password both at the forum and at their bank but since they are also likely to have used the same password at other sites not using SSL it isn’t actually making their password any more secure, it is just ensuring that the password gets stolen from the other forum instead of yours.
as you pointed out before felgall, people are stupid (or if can call it stupid considering so many do it) to use the same password for everything, and when i answered that question i was answering what would be theoretically more correct, using SSL whenever private info is passed, this is not done in real life though, and as such people who earn on stealing info thrive on the internet.
it is just ensuring that the password gets stolen from the other forum instead of yours.